Trojan:Win32/Emotet or Emotet is a Trojan that affects the Microsoft Windows operating system. It is one of today's most active threats, and besides helping crooks collect banking credentials and steal money from bank accounts using surreptitious MitB (Man-in-the-Browser) attacks, the trojan is also used to collect credentials for social media accounts, or even drop other malware on infected hosts — a.k.a. working as a malware downloader.
Over time, Emotet keeps evolving.
It can appear under different names, which (according to Microsoft) include:
It injects a DLL file into the explorer.exe process, which intercepts network traffic. It then creates a copy of itself in the %APPDATA% folder under a random name. The copy is then added to startup by adding a registry value to HKCU\Software\Microsoft\Windows\CurrentVersion\Run with the name of the file created during installation.
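The persistence described above (a Run value in HKCU pointing at a copy in %APPDATA%) can be checked for with the following read-only PowerShell script. This is an added example, not code from the page or from any vendor; the Get-RunTargetPath helper is hypothetical and is defined here only to pull the executable path out of a Run value.

```powershell
# Added example: list HKCU Run entries whose target executable lives under %APPDATA%,
# the persistence pattern described above. Read-only: it reports, it does not delete.
$runKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$appData = [IO.Path]::GetFullPath($env:APPDATA).TrimEnd('\') + '\'

function Get-RunTargetPath([string]$command) {
    # Hypothetical helper: expand %VAR% references, then take the executable as
    # either the quoted token or the first whitespace-delimited token.
    $expanded = [Environment]::ExpandEnvironmentVariables($command.Trim())
    if ($expanded.StartsWith('"')) {
        $end = $expanded.IndexOf('"', 1)
        if ($end -gt 0) { return $expanded.Substring(1, $end - 1) }
        return $expanded.Trim('"')
    }
    return ($expanded -split '\s+')[0]
}

$props = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($null -eq $props) { Write-Output 'No HKCU Run values found.'; return }

foreach ($p in $props.PSObject.Properties) {
    # Get-ItemProperty adds provider metadata properties; skip those.
    if ($p.Name -in 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') { continue }
    $target = Get-RunTargetPath ([string]$p.Value)
    try { $full = [IO.Path]::GetFullPath($target) } catch { $full = $target }
    if ($full.StartsWith($appData, [StringComparison]::OrdinalIgnoreCase)) {
        $exists = Test-Path -LiteralPath $full
        [pscustomobject]@{
            ValueName = $p.Name
            Command   = [string]$p.Value
            Target    = $full
            Exists    = $exists
            # Hash the file so a hit can be looked up or submitted for analysis.
            SHA256    = if ($exists) { (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash } else { $null }
        }
    }
}
```

Legitimate per-user installers also place programs under %APPDATA%, so treat each hit as something to triage (publisher signature, hash lookup, creation time) rather than as a confirmed infection.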
Emotet mostly spreads through attachments in spam mail, but can also be spread through malicious links in .PDF files. This delivery method is one of its significant strengths. When the Emotet botnet came back to life again, it was using a malicious Word document template that asked you to "Accept the license agreement" by clicking on the "Enable Content" button. Doing so enables the macros embedded in the document, which then install the Emotet Trojan on the recipient's computer.
It was also once distributed as a fake invitation to a neighborhood Halloween party. While the time and text of the different emails vary slightly, the general idea is that the user is being invited to a Halloween party using the following text:
Dear Neighbors and Friends, It is Halloween and time for TREAT OR TRICK. Please join us for a casual dinner party on Halloween night, Oct.31, 2019 starting at 6:00pm. Come and say hello to your neighbors and enjoy some food and drinks. We are looking forward to a fun day and kindly respond with an email to make sure we have enough TREAT for you. Details in the attachment.
The top email subjects being used in this campaign are:
Party invitation
Halloween party invitation
Happy Halloween
Party tonight
Halloween party
Halloween Party
Halloween
Halloween invitation
Each of these emails contains a Word document that pretends to be the Halloween party invite. According to Cofense, the most commonly used attachment names are:
Halloween party invitation.doc
Halloween party.doc
Happy Halloween.doc
Halloween.doc
Halloween invitation.doc
Halloween Party.doc
Party tonight.doc
Party invitation.doc
If a user opens the attachment, they will be greeted with the standard "Enable Content" button that, when clicked, installs the Emotet Trojan on the computer.
The trojan installs a DLL file which intercepts traffic from numerous browsers and targets many banking institutions and portals, including GE Capital, PostBank, Fiducia and others. It then sends the collected data to a remote server set up by the attacker.
Emotet can also install other malware related to itself, some being PWS:Win32/Emotet.E, Spammer:Win32/Emotet and TrojanDownloader:Win32/Emotet.