What is emotet?
Emotet, one of the worst security threats ever created, originated in 2014 as malware that intercepted internet traffic and harvested sensitive personal data. Its ability to steal credentials via browser caches made it ideal for harvesting banking information.
In January 2021, authorities took down the botnet group behind emotet. For a while, the world was free of the nuisance. But the malware resurfaced in the middle of 2022.
What once started as a malware focused on stealing banking information has since evolved into something much more versatile.
Despite its age, emotet remains a persistent threat year after year. So rather than cross your fingers and hope goes away, you're better off learning a bit about emotet: What to look for and how to avoid it.
How does emotet work?
The emotet malware primarily spreads via email phishing campaigns.
Originally, threat actors used Microsoft Office file attachments to infect victims' computers. The file would prompt recipients to enable macros, which gave the malware access to the user's device.
Threat actors recently started including Zip files as attachments. These Zip files include a shortcut file that executes a PowerShell script to download malware from random websites hosting emotet. Some threat actors are able to host the malicious code undetected on legitimate sites they've compromised.
By removing one step (and no longer requiring users to enable macros), the threat actors have greatly increased their success rate.
After emotet has infected a computer, it will continue to attempt to spread to new devices via:
Phishing emails sent to contacts of the infected user.
Known software vulnerabilities.
Brute force password attacks on user accounts.
Why is emotet so difficult to stop?
Emotet is not a malware written in static code. It updates itself to avoid detection. (This trait is known as being polymorphic.)
Traditional antivirus programs are signature-based, meaning they rely on recognizing malicious code to stop threats. But emotet changes itself from one computer to the next, so traditional antivirus programs can't be updated quickly enough to keep up.
Next-generation antivirus, behavior-based endpoint protection, is much more effective in stopping emotet than traditional antivirus, signature-based endpoint protection.
Also, emotet may lie dormant before exhibiting any suspicious activity. And because emotet is used for a variety of malicious purposes, it can be difficult to know what exactly to look out for.
What is the goal of emotet?
These days, emotet is considered malware as a service (or botnet as a service).
Emotet is primarily a "loader," focused on spreading to as many devices as possible, waiting to be used in a second stage attack, which may include:
When a botnet group has infected enough computers, they may sell that botnet to another party. The holder of the botnet is effectively renting access to infected devices to use for their bidding. This practice shines some light on the economy of certain black hat operations.
How to protect yourself from emotet
Threats like emotet illustrate the need for layers of defense. No one tool can eliminate the risk of such threatware.
Some of the best tools against emotet include: