Emotet is a sophisticated, self-propagating Trojan. While Emotet began as a banking trojan, its modular design has allowed it to evolve into a distributor for other types of malware. Emotet is frequently spread through phishing spam emails containing malicious attachments or links.

Emotet is a popular malware distributor because of its sophisticated persistence and evasion techniques. Its spam-based propagation also makes it easy for threat actors to distribute it.

What is Emotet?

Emotet was one of the leading malware threats until January 2021, when an international task force took the malware down. At its peak, Emotet infected 1.5 million computers around the world and caused an estimated US$2.5 billion in damages before it was brought offline.

The January 2021 takedown only created a ten-month lull in operations: Emotet returned in November 2021. It took advantage of the reach of the Trickbot botnet, having existing Trickbot infections download a new and improved version of Emotet.

Among the improvements to Emotet are stronger cryptography, improved control flows, and new infection mechanisms. Emotet now also delivers Cobalt Strike beacons, which are commonly used in targeted ransomware attacks.

How Does It Spread?

Emotet primarily spreads via spam emails. A system infected with Emotet will send out spam emails containing malicious links or documents designed to infect computers with the malware. Once infected, these machines may download other types of malware – such as the Trickbot, QBot, and Dridex malware – and will work to continue propagating the malware.

In the case of Emotet’s rise from the dead, the malware reversed its normal operations, mostly downloading itself to machines infected by Trickbot instead of the other way around. This provided the malware with a large initial footprint from which to start sending spam emails designed to spread the malware. 

According to Check Point Research, Emotet rapidly reached 50% of its pre-takedown activity after its resurrection and has continued to grow into 2022.

Target Industries

Since Emotet is a self-propagating malware that spreads via spam and phishing emails, it is not commonly used in targeted attacks. Often, Emotet creates a foothold on a particular system or network, and malware downloaded later may use this initial access to perform targeted attacks (such as ransomware infections). Emotet’s “spray and pray” distribution method means that it can target any industry, but the malware is occasionally used to target particular industries (such as government systems). 

Emotet’s resurrection via the Trickbot botnet has also had an impact on its overall distribution across industries. Trickbot commonly targets high-profile industries, with government/military, finance/banking, manufacturing, healthcare, insurance/legal, and transportation making up over half of its victims since November 2020. Because Emotet was downloaded and installed on machines already infected by Trickbot, it started out with a similar distribution and has since branched out from there.

How to Protect Against Emotet

Emotet is designed to spread via spam and phishing emails. These emails are sent from compromised machines and e-mail accounts and use malicious links and infected attachments to trick people into installing the malware on their systems.

This focus on phishing for distribution means that organizations can protect themselves against Emotet infections via the following steps:

  • Deploy Email Security Solutions: Emotet’s email focus means that email security solutions are a critical component of an Emotet prevention strategy. These solutions should be able to identify and block malicious links and use content disarm and reconstruction (CDR) to strip malicious functionality from documents before allowing sanitized content to reach the recipient’s inbox.
  • Train Employees: Emotet’s distribution patterns rely heavily upon tricking recipients into clicking on a malicious link or opening an attachment on a spam email. Training employees to recognize and properly respond to phishing emails is essential to blocking the spread of Emotet. Emotet’s “spray and pray” tactics mean that multiple employees may be hit by the same campaign, making reporting critical to rapid incident detection and response.
  • Endpoint Security: Emotet is a sophisticated malware variant with advanced persistence and evasion techniques. This makes advanced endpoint security solutions vital to detecting and eradicating Emotet infections that slip through the cracks and infect a corporate endpoint.
  • Network Monitoring: Emotet is used to deliver additional malware samples to an infected device via command and control communications. Network monitoring can help to identify these downloads, allowing an organization to track down an infected endpoint.
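The point above about several employees being hit by the same campaign can be turned into a simple triage check. The following is an added example, not Check Point code: it groups user-reported messages by shared attachment hash or link host and surfaces any indicator reported by more than one recipient. It assumes reports arrive as raw message bytes with the original `To` header intact; the function names, addresses, hosts and sample messages are constructed for illustration.

```python
import email
import hashlib
import re
from collections import defaultdict
from email import policy
from email.message import EmailMessage
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def indicators(raw):
    """Return (recipient, indicators) for one reported message (raw RFC 5322 bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = set()
    for part in msg.walk():
        if part.is_attachment():
            data = part.get_payload(decode=True) or b""
            found.add("sha256:" + hashlib.sha256(data).hexdigest())
        elif part.get_content_maintype() == "text":
            for url in URL_RE.findall(part.get_content()):
                host = urlsplit(url).hostname
                if host:
                    found.add("host:" + host.lower())
    return str(msg["To"]).strip().lower(), found

def campaigns(reports, min_reporters=2):
    """Map each indicator to the distinct recipients who reported it."""
    seen = defaultdict(set)
    for raw in reports:
        reporter, inds = indicators(raw)
        for ind in inds:
            seen[ind].add(reporter)
    return {i: sorted(r) for i, r in seen.items() if len(r) >= min_reporters}

def sample(to, body, attachment=None):
    """Build a constructed test message; all addresses and hosts are made up."""
    m = EmailMessage()
    m["To"] = to
    m.set_content(body)
    if attachment:
        m.add_attachment(attachment, maintype="application",
                         subtype="octet-stream", filename="invoice.doc")
    return m.as_bytes()

SAMPLE_REPORTS = [
    sample("alice@corp.example", "Open http://files.example/inv/1\n", b"constructed-doc-A"),
    sample("bob@corp.example", "See http://cdn.example/x\n", b"constructed-doc-A"),
    sample("carol@corp.example", "Open http://files.example/inv/7\n"),
    sample("dave@corp.example", "Wiki: http://intranet.example/home\n"),
]
```

Calling `campaigns(SAMPLE_REPORTS)` returns the shared attachment hash (reported by alice and bob) and the shared link host (alice and carol), while indicators seen by only one recipient are left out.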

Emotet Detection and Protection with Check Point

Since its reemergence, Emotet has quickly risen to once again be one of the most dangerous and prolific malware variants in operation. Its sophistication and improved design mean that Emotet infections can enable various attacks and incur significant costs and damages for an organization.

To learn more about the Emotet threat, check out Check Point’s 2022 Cyber Security Report. Then, learn more about protecting your organization against Emotet by signing up for a free demo of Check Point Harmony Endpoint. And be sure to check out Check Point's Harmony Email & Collaboration as well.