The Emotet Trojan

The Emotet Trojan is one of the most dangerous malware in cybersecurity history. Individuals, companies, or even global authorities, anyone could be potential victims.

Emotet tricks basic antiviruses into hiding from them. Once systems are infected, the malware spreads like a worm trying to infiltrate other computers on the network.

Emotet mainly spreads through spam emails. The email contains a malicious link or an infected document.

By downloading the document or opening the link, other malware is automatically downloaded to your computer.

The emails were created to look very authentic and many people fell victim to Emotet.


What is Emotet?

Emotet is malware originally developed in the form of a banking trojan. The goal was to access foreign devices and spy on sensitive private data.

Emotet was first detected in 2014 when customers of German and Austrian banks were hit by the Trojan. Emotet had gained access to customer login data. In the following years, the virus spread globally.

Emotet has evolved from a banking Trojan to a dropper, which is a Trojan that loads malware onto devices. The latter are therefore responsible for the actual damage to the system.

In most cases, the dropper attack involved the following programs:

  • Trickster (also known as TrickLoader and TrickBot): a banking Trojan that attempts to access the login details of bank accounts;
  • Ryuk: An encryption Trojan, also known as a crypto trojan or ransomware, which encrypts data and thus prevents the computer user from accessing that data or the entire system.

The goal of cybercriminals who target using Emotet is often to extort money from their victims. For example, they threaten to publish or release encrypted data to which they have gained access.


What are the objectives of Emotet?

Emotet targets individuals, companies, organizations, and authorities.

In 2018, after being infected with Emotet, the Fuerstenfeldbruck hospital in Germany had to shut down 450 computers and log out of the rescue control center to control the infection.

In September 2019 the Berlin Court of Appeal was hit, while in December 2019 it was the turn of the University of Giessen.

The Medical University of Hanover and the city administration of Frankfurt am Main were also victims of Emotet.

These are just a few examples of infections caused by Emotet, but the undisclosed number of companies affected is estimated to be much higher.

It is also assumed that many infected companies did not report the breach for fear of damaging their reputation.

It is also important to remember that, while Emotet initially targeted mainly companies and organizations, today the Trojan primarily affects individuals.


How does it spread?

Emotet is mainly distributed via the so-called Outlook library. The trojan reads emails from already infected users and creates deceptively real content.

These emails appear legitimate and personal, thus distinguishing themselves from regular spam emails. Emotet sends these phishing emails to archived contacts such as friends, family, and co-workers.

Most of the time, the emails contain an infected Word document that the recipient needs to download or a dangerous link. The correct name is always displayed as the sender.

This is how the recipients think the message is safe – the email looks completely legitimate. Recipients then (in most cases) click on the dangerous link or download the infected attachment.

Once you gain access to a network, Emotet can spread. It then tries to crack the passwords of the accounts using the “brute force” method.

Other ways Emotet spread include the EternalBlue exploit and the DoublePulsar vulnerability in Windows, which allowed malware to be installed without user intervention.

In 2017, the WannaCry extortion trojan was able to exploit the EternalBlue exploit for a significant cyberattack that caused devastating damage.


How dangerous is Emotet?

The US Department of Homeland Security (DHS) has come to the conclusion that Emotet is a particularly expensive software with enormous destructive power.

The cost of cleaning is estimated at approximately one million US dollars per accident. For this reason, Arne Schoenbohm, head of the German Federal Office for Cybersecurity (BSI), called Emotet the “king of malware”.

Emotet is undoubtedly one of the most complex and dangerous malware in history. The virus is polymorphic, meaning its code changes slightly each time it is accessed. This makes it difficult for the virus to be identified by anti-virus software, many of which perform signature-based searches.

In 2020, researchers found that Emotet also attacks Wi-Fi networks. If an infected device is connected to a wireless network, Emotet scans all nearby wireless networks. Using a password list, the virus then attempts to gain access to networks and thus infect other devices.


How to protect yourself

Here are some tips to protect yourself from Emotet:

  • Keep yourself regularly informed of developments relating to the malware.
  • It is essential to install updates provided by manufacturers as quickly as possible to fill possible security gaps. This applies to operating systems such as Windows and macOS, as well as to all application programs, browsers, browser add-ons, email clients, Office, and PDF management programs.
  • Be sure to install a comprehensive virus and malware protection program and regularly scan your computer for vulnerabilities.
  • Do not download dubious attachments from emails and do not click on suspicious links. If you are asked to allow a macro to run on a downloaded file, do not do so under any circumstances, but delete the file immediately.
  • Back up your data regularly to an external storage device.
  • Use only strong passwords for all login accounts (online banking, email accounts, online shops).
  • Configure your computer to display file extensions by default. You will then be able to spot ambiguous files such as “Photo123.jpg.exe”, which tend to be malicious programs.


How is Emotet removed?

First of all, do not panic as you suspect your PC may be infected. Inform your acquaintances of the infection, because the people in your email contacts are potentially at risk.

Therefore, be sure to isolate the computer if it is connected to a network to reduce the risk of spreading Emotet. Next, change all login details for all of your accounts (email account, web browser, etc.). Do this on a separate device that is neither infected nor connected to the same network.

Since Emotet is polymorphic (meaning its code changes slightly each time it is accessed), a clean computer can be quickly re-infected if an infected network is connected.

It is, therefore, necessary to clean up all computers connected to the network, one after the other. To do this, use an anti-virus program. Alternatively, you can also contact a specialist, such as your anti-virus software vendor, for guidance and assistance.