Emotet Botnet is a banking trojan malware program which obtains financial information by injecting computer code into the networking stack of an infected Microsoft Windows computer, allowing sensitive data to be stolen via transmission.

Emotet has gone through a few iterations. Early versions arrived as a malicious JavaScript file. Later versions evolved to use macro-enabled documents to retrieve the virus payload from command and control (C&C) servers run by the attackers.

Emotet uses a number of tricks to try and prevent detection and analysis. Emotet is polymorphic, which means it can change itself every time it is downloaded to evade signature-based detection. Moreover, Emotet knows if it’s running inside a virtual machine (VM) and will lay dormant if it detects a sandbox environment.

Emotet also uses C&C servers to receive updates. This works in the same way as the operating system updates on your PC and can happen seamlessly and without any outward signs. This allows the attackers to install updated versions of the software, install additional malware such as other banking Trojans, or to act as a dumping ground for stolen information such as financial credentials, usernames and passwords, and email addresses.

How does Emotet spread

The primary distribution method for Emotet is through mal-spam. Emotet ransacks your contacts list and sends itself to your friends, family, coworkers, and clients. Since these emails are coming from your hijacked email account, the emails look less like spam and the recipients, feeling safe, are more inclined to click bad URLs and download infected files.

If a connected network is present, Emotet spreads using a list of common passwords, guessing its way onto other connected systems in a brute-force ­attack. If the password to the all-important human resources server is simply “password” then it’s likely Emotet will find its way there.

Researchers initially thought Emotet also spread using the EternalBlue/DoublePulsar vulnerabilities, which were responsible for the WannaCry and NotPetya attacks. We know now that this isn’t the case. What led researchers to this conclusion was the fact that TrickBot, a Trojan often spread by Emotet, makes use of the EternalBlue exploit to spread itself across a given network. It was TrickBot, not Emotet, taking advantage of the EternalBlue/DoublePulsar vulnerabilities.

How can protect from Emotet

The first step towards protecting yourself and your users from Emotet by learning how Emotet works. Here are a few additional steps you can take:

  • Keep your computer/endpoints up-to-date with the latest patches for Microsoft Windows. TrickBot is often delivered as a secondary Emotet payload, and we know TrickBot relies on the Windows EternalBluevulnerability to do its dirty work, so patch that vulnerability before the cybercriminals can take advantage of it.
  • Don’t download suspicious attachments or click a shady-looking link. Emotet can’t get that initial foothold on your system or network if you avoid those suspect emails. Take the time to educate your users on how to spot malicious spam.
  • Educate yourself and your users on creating a strong password. While you’re at it, start using two-factor authentication.
  • You can protect yourself and your users from Emotet with a robust cybersecurity program that includes multi-layered protection. Malwarebytes business and premium consumer products detect and block Emotet in real-time.

How can remove Emotet

If you suspect you’ve already been infected by Emotet, don’t freak out. If your computer is connected to a network—isolate it immediately. Once isolated, proceed to patch and clean the infected system. But you’re not done yet. Because of the way Emotet spreads across your network, a clean computer can be re-infected when plugged back into an infected network. Clean each computer on your network one-by-one. It’s a tedious process, but Malwarebytes business solutions can make it easier, isolating and remediating infected endpoints and offering proactive protection against future Emotet infections.