Emotet is an advanced, modular banking trojan that primarily functions as a downloader or dropper of other malware. It is distributed through malicious email links or attachments that use branding familiar to the recipient. Emotet focuses on stealing user data and banking credentials and spreads opportunistically to new victims. Because it is polymorphic, it often evades signature-based detection, which makes it harder to catch. Emotet is also virtual machine aware and can generate false indicators when run in a virtual environment, further frustrating defenders. It has been active and evolving since 2014.
An eventful year
In the latter half of 2020 we observed Emotet detections transition from execution via an executable on disk to a dynamic-link library (DLL) executed via rundll32. This is an evolution we have seen other malware, like Qbot, adopt in 2020 as well; it gives the operator flexibility and additional defense evasion opportunities. We also observed Emotet adopt techniques that break the parent-child relationship in process telemetry. This is likely an effort to evade detection analytics designed to alert on unusual child processes of the applications that common phishing lures run in, most often Microsoft Office products.
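The following is an added example of the kind of detection analytic the paragraph above describes; it is not code from the original report. It runs two families of rules over constructed process-creation events: a parent-child rule (an Office application spawning rundll32), and module-based rules that inspect what rundll32 was asked to load (a module under a user-writable directory, or one without a .dll extension). The second family is there to show why a parent-child analytic alone is not enough once the parent relationship has been broken. The event fields, the Office parent list, the user-writable directory pattern and the sample events are all assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Applications a phishing lure typically opens in. Assumption for this example.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Directories an unprivileged user can write to; a module loaded from here by
# rundll32 deserves a look. Assumption: illustrative list, not exhaustive.
_USER_WRITABLE = re.compile(
    r"\\(?:users\\[^\\]+\\appdata|programdata|windows\\temp)\\", re.I
)

# rundll32 <module>[,<entry>] ...: the first argument names the module,
# either quoted or unquoted.
_RUNDLL_RE = re.compile(
    r'^\s*(?:"[^"]*rundll32(?:\.exe)?"|\S*rundll32(?:\.exe)?)\s+(?:"([^"]+)"|([^\s,]+))',
    re.I,
)


@dataclass
class ProcessEvent:
    """One process-creation record (fields loosely modelled on Sysmon event 1)."""
    pid: int
    image: str         # full path of the new process
    parent_image: str  # full path of the process that created it
    command_line: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rundll32_module(command_line: str) -> Optional[str]:
    """Return the module path rundll32 was asked to load, or None if not rundll32."""
    m = _RUNDLL_RE.match(command_line)
    if not m:
        return None
    module = m.group(1) or m.group(2)
    return module.split(",", 1)[0].strip()


def evaluate(ev: ProcessEvent) -> Set[str]:
    """Return the names of every rule the event trips (empty set if none)."""
    hits: Set[str] = set()
    # Matching on the image name means a renamed copy of rundll32 would be
    # missed; a production rule would also key on the binary's signer or hash.
    if basename(ev.image) != "rundll32.exe":
        return hits
    # Rule 1: parent-child analytic. It misses rundll32 launched through an
    # intermediate, because the Office parent is then no longer visible.
    if basename(ev.parent_image) in OFFICE_PARENTS:
        hits.add("office_spawns_rundll32")
    # Rules 2 and 3: look at what rundll32 loads. These survive parent breaking
    # because they depend only on the command line of rundll32 itself.
    module = rundll32_module(ev.command_line)
    if module:
        if _USER_WRITABLE.search(module):
            hits.add("rundll32_module_in_user_writable_dir")
        if not module.lower().endswith(".dll"):
            hits.add("rundll32_module_without_dll_extension")
    return hits


def analyze(events: List[ProcessEvent]) -> Dict[int, Set[str]]:
    """Run every rule over the telemetry; return only events that hit something."""
    findings = {ev.pid: evaluate(ev) for ev in events}
    return {pid: hits for pid, hits in findings.items() if hits}


# Constructed sample telemetry for the example (not real captures).
SAMPLE_EVENTS = [
    # Office parent still visible: both rule families fire.
    ProcessEvent(101, r"C:\Windows\System32\rundll32.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"rundll32.exe C:\Users\alice\AppData\Local\Temp\abc.dll,Control_RunDLL"),
    # Parent is explorer.exe: the Office ancestry has been severed, so only the
    # module-based rules can catch it.
    ProcessEvent(102, r"C:\Windows\System32\rundll32.exe",
                 r"C:\Windows\explorer.exe",
                 r'rundll32.exe "C:\Users\alice\AppData\Roaming\upd ate\x.dat",DllRegisterServer'),
    # Benign: a system DLL from System32 launched by a system process.
    ProcessEvent(103, r"C:\Windows\System32\rundll32.exe",
                 r"C:\Windows\System32\svchost.exe",
                 r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
    # Not rundll32 at all: ignored by every rule.
    ProcessEvent(104, r"C:\Windows\System32\cmd.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 r"cmd.exe /c whoami"),
]

if __name__ == "__main__":
    for pid, hits in sorted(analyze(SAMPLE_EVENTS).items()):
        print(pid, sorted(hits))
```

Event 102 is the instructive case: its parent is explorer.exe, so the parent-child rule says nothing, and only the module-path rules flag it. That is the practical consequence of the parent-child breaking described above, and it argues for layering analytics on the command line and loaded module rather than relying on process ancestry alone.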
Emotet had multiple dormant periods throughout the year, which is consistent with previous patterns of going dark for several months at a time. The malware started 2020 strong as we observed a significant number of detections in January, but it gradually decreased until we observed no Emotet detections in June. Emotet returned with significant detection volume in July—a pattern others noticed as well—and based on our visibility, remained consistent through October before another quiet month in November.
It’s unclear why Emotet went dormant for part of 2020; potential explanations include retooling and transitioning to new affiliations for dropping follow-on payloads. It’s also important to note that the patterns we observe don’t present a complete picture of what’s happening in the wild. For example, the lack of Emotet activity we observed in November could be due to more of it being caught by perimeter defenses and never reaching the endpoints we monitor.
In addition to changes in Emotet’s activity level throughout the year, we also observed patterns in the follow-on malware families it dropped. Throughout 2020, Emotet continued the years-long pattern of dropping TrickBot as follow-on malware, which sometimes led to Ryuk ransomware. Notably, after Emotet returned in July, it also began delivering Qbot in some campaigns—but didn’t abandon delivering TrickBot entirely. In mid-October, CrowdStrike reported that they observed Emotet resuming delivery of TrickBot in a likely attempt to replenish the adversaries’ victim base following disruption by industry and law enforcement.
On January 27, 2021, Europol announced a major international takedown effort of the Emotet botnet. Only time will tell if we see a reorganization and resurgence of Emotet, or if the criminals behind the operation will pivot to a different toolkit or business model. Until then, we can still learn from previous Emotet behaviors and implement detection analytics to help address it as well as other threats. Should Emotet return, its ties to ransomware make rapid response to infections a high priority. If organizations are able to detect and respond to the early stages of an infection chain, whether it uses Emotet or another family, the chances of receiving follow-on ransomware decrease significantly.