What is emotet?

Emotet, one of the worst security threats ever created, originated in 2014 as malware that intercepted internet traffic and harvested sensitive personal data. Its ability to steal credentials via browser caches made it ideal for harvesting banking information. 

In January 2021, authorities took down the botnet group behind emotet. For a while, the world seemed free of the nuisance. But the malware resurfaced in the middle of 2022.

What started as malware focused on stealing banking information has since evolved into something far more versatile.

Despite its age, emotet remains a persistent threat year after year. So rather than cross your fingers and hope it will go away, you're better off learning a bit about emotet: What to look for and how to avoid it.

How does emotet work?

The emotet malware primarily spreads via email phishing campaigns.

Originally, threat actors used Microsoft Office file attachments to infect victims' computers. The file would prompt recipients to enable macros, which would give the malware access to the user's device.

Threat actors recently started including Zip files as attachments. These Zip files contain a shortcut file that executes a PowerShell script to download the malware from websites hosting the emotet payload. The threat actors are sometimes able to host the malicious code undetected on legitimate sites they've compromised.

By removing one step (and no longer requiring users to enable macros), the threat actors have greatly increased their success rate.
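The two delivery chains described above (macro-enabled Office attachments, and Zip archives carrying a shortcut file) can be screened before an attachment reaches a user. The following scanner is an added example, not code from the original article: it opens attachments as Zip containers, flags OOXML documents that carry a VBA project, recognises shortcut files by their header rather than their extension, and recurses into nested archives. The MAX_DEPTH limit and the sample archives are constructed for the demonstration.

```python
import io
import zipfile

# Header of a Windows Shell Link (.lnk): HeaderSize 0x4C followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046, in on-disk byte order.
LNK_MAGIC = bytes.fromhex("4c000000 01140200 00000000 c0000000 00000046")
MAX_DEPTH = 3  # assumed policy: stop unpacking archives nested deeper than this


def is_shortcut(data: bytes) -> bool:
    """Match a .lnk by its header, so a renamed shortcut is still caught."""
    return data.startswith(LNK_MAGIC)


def scan_attachment(name: str, data: bytes, depth: int = 0) -> list[str]:
    """Return findings for one attachment; Zip containers are opened recursively.
    OOXML Office files are Zips too, and a VBA project is stored as vbaProject.bin."""
    if is_shortcut(data):
        return [f"{name}: Windows shortcut (.lnk) file"]
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []  # plain file (PDF, image, text ...): nothing to unpack
    with archive:
        names = archive.namelist()
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return [f"{name}: Office document contains a VBA macro project"]
        if depth >= MAX_DEPTH:
            return [f"{name}: archive nested deeper than {MAX_DEPTH} levels"]
        findings = []
        for entry in names:
            if entry.endswith("/"):
                continue  # directory entry, no content to inspect
            findings += scan_attachment(f"{name}/{entry}", archive.read(entry), depth + 1)
    return findings


def build_zip(entries: dict[str, bytes]) -> bytes:
    """Helper that constructs an in-memory Zip archive for the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry, blob in entries.items():
            zf.writestr(entry, blob)
    return buf.getvalue()


# Constructed samples (not real malware): a Zip carrying a shortcut, a macro-
# bearing Office document, and a harmless archive.
LURE_ZIP = build_zip({"Invoice_2024.lnk": LNK_MAGIC + b"\x00" * 16, "readme.txt": b"hi"})
MACRO_DOC = build_zip({"[Content_Types].xml": b"<Types/>", "word/vbaProject.bin": b"\xd0\xcf"})
CLEAN_ZIP = build_zip({"photos/a.jpg": b"\xff\xd8\xff", "notes.txt": b"plain text"})
```

Running `scan_attachment` over the three samples yields one finding for the shortcut inside the lure archive, one for the macro project in the document, and none for the clean archive.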

After emotet has infected a computer, it will continue to attempt to spread to new devices via:

  • Phishing emails sent to contacts of the infected user.

  • Known software vulnerabilities.

  • Brute force password attacks on user accounts.

Why is emotet so difficult to stop?

Emotet is not malware with a fixed, static code base. It can update itself to avoid detection. (This trait is known as being polymorphic.)

Traditional antivirus programs are signature-based, meaning they rely on recognizing malicious code to stop threats. But emotet can change itself from one computer to the next, so traditional antivirus programs can't be updated quickly enough to keep up.

Next-generation, behavior-based endpoint protection is much more effective at stopping emotet than traditional, signature-based antivirus.

Also, emotet may lie dormant indefinitely before exhibiting any suspicious activity. And because emotet can be used for a variety of malicious purposes, it can be difficult to know exactly what to look out for.

What is the goal of emotet?

These days, emotet is considered malware as a service (or botnet as a service).

Emotet is primarily a "loader," focused on spreading to as many devices as possible and waiting to be used in a second-stage attack, which may include:

  • Remote attacks.

  • DDoS attacks.

  • Cryptojacking.

  • Ransomware.

When a botnet group has infected enough computers, it may sell that botnet to another party. The holder of the botnet is effectively renting out access to infected devices to do the buyer's bidding. This practice shines some light on the economy of certain black hat operations.

How to protect yourself from emotet

Threats like emotet illustrate the need for layers of defense. No one tool can eliminate the risk of such malware.

Some of the best tools against emotet include: