
Trojan:Win32/Emotet, or Emotet, is a Trojan that affects the Microsoft Windows operating system. It is one of today's most active threats: besides helping criminals collect banking credentials and steal money from bank accounts through surreptitious Man-in-the-Browser (MitB) attacks, the trojan is also used to collect credentials for social media accounts and to drop other malware on infected hosts, i.e. it works as a malware downloader.

Over time, Emotet has kept evolving.

It can appear under different file names, which (according to Microsoft) include:

  • 2014_05_rechnungonline_8290155236_sign_deutsche_telekom_ag.exe
  • 2014_06informationen_zum_transaktions_pdf.zip
  • 2014_06rechnung_0020273640_sign_telekom_deutschland_gmbh.exe
  • 2014_06rechnung_0724300002_pdf_sign_telekomag_deutschland_gmbh.exe
  • 2014_06rechnungonline_pdf_vodafone_00930220374_53790190_82456.exe
  • informationen_zum_transaktions_2014_06_10_02092083044_volksbank.exe
  • Rechnung_23_14_06_198630274520031_telekom_deutschland_GmbH.exe
  • Rechnung_2314_06_198630274520031.exe

It injects a DLL into explorer.exe, which intercepts network traffic. It then creates a copy of itself in the %APPDATA% folder under a random name. The copy is added to startup by writing a registry value to HKCU\Software\Microsoft\Windows\CurrentVersion\Run whose name matches the file created during installation.
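The persistence described above (a copy under %APPDATA% registered in the HKCU Run key) can be audited with a short script. This is an added example written for this page, not code from the page or from Microsoft; it assumes Windows PowerShell and only reports entries, it does not delete anything. Because the value name is random, the check keys on where the command points rather than on its name.

```powershell
# Added example: list HKCU Run entries whose executable lives under %APPDATA%,
# the location the page names as Emotet's persistence directory.
$runKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$appData = [Environment]::GetFolderPath('ApplicationData')   # resolves %APPDATA%

function Get-SuspiciousRunEntries {
    param(
        [string]$Key = $runKey,
        [string]$SuspectRoot = $appData
    )
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if (-not $props) { return @() }

    # Metadata properties PowerShell attaches to the registry object; not real values
    $meta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
    $findings = @()

    foreach ($p in $props.PSObject.Properties) {
        if ($meta -contains $p.Name) { continue }
        $command  = [string]$p.Value
        # Expand %APPDATA%-style variables so the path prefix comparison works
        $expanded = [Environment]::ExpandEnvironmentVariables($command)

        # Executable is either the quoted first token or the first whitespace-free token
        if ($expanded -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
        else { $exe = ($expanded.Trim() -split '\s+')[0] }

        if ($exe.StartsWith($SuspectRoot, [StringComparison]::OrdinalIgnoreCase)) {
            $findings += [pscustomobject]@{
                ValueName = $p.Name
                Command   = $command
                Target    = $exe
                OnDisk    = Test-Path -LiteralPath $exe   # missing file = stale or already removed
            }
        }
    }
    return $findings
}

Get-SuspiciousRunEntries | Format-Table -AutoSize
```

Legitimate software (some updaters and chat clients) also starts from %APPDATA%, so each hit still needs the binary's signature and hash checked before it is treated as malicious.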

Payload

Transmission

Emotet mostly spreads through attachments in spam mail, but can also be spread through malicious links in .PDF files; this delivery method is one of its significant strengths. When the Emotet botnet came back to life, it used a malicious Word document template that asked the recipient to "Accept the license agreement" by clicking the "Enable Content" button. Doing so enabled the macros embedded in the document, which then installed the Emotet Trojan on the recipient's computer.

It was also once distributed as a fake invitation to a neighborhood Halloween party. While the time and text of the different emails vary slightly, the general idea is that the user is being invited to a Halloween party using the following text:

Dear Neighbors and Friends,

It is Halloween and time for TREAT OR TRICK.

Please join us for a casual dinner party on Halloween night, Oct.31, 2019 starting at 6:00pm. Come and say hello to your neighbors and enjoy some food and drinks.

We are looking forward to a fun day and kindly respond with an email to make sure we have enough TREAT for you.

Details in the attachment.

The top email subjects being used in this campaign are:

  • Party invitation
  • Halloween party invitation
  • Happy Halloween
  • Party tonight
  • Halloween party
  • Halloween Party
  • Halloween
  • Halloween invitation

Each of these emails contains a Word document that pretends to be the Halloween party invite. According to Cofense, the most commonly used attachment names are:

  • Halloween party invitation.doc
  • Halloween party.doc
  • Happy Halloween.doc
  • Halloween.doc
  • Halloween invitation.doc
  • Halloween Party.doc
  • Party tonight.doc
  • Party invitation.doc

If a user opens the attachment, they are greeted with the standard "Enable Content" button that, when clicked, installs the Emotet Trojan on the computer.

Infection

The trojan installs a DLL that intercepts traffic from numerous browsers and targets many banking institutions and portals, including GE Capital, PostBank, Finducia and others. It then sends the collected data to a remote server set up by the attacker.

Emotet can also install other malware from the same family, such as PWS:Win32/Emotet.E, Spammer:Win32/Emotet and TrojanDownloader:Win32/Emotet.

Sources

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Emotet
