Emotet is a notorious banking trojan that first appeared in 2014, when it was identified by threat analysts. Since then it’s become a hugely successful piece of malware, described by the Department of Homeland Security as “among the most costly and destructive malware” affecting organizations.
In 2021, Emotet has suddenly appeared again all over cybersecurity news sites and forums. After years of investigations and a collaborative effort between Germany, US, Netherlands, France, United Kingdom, Lithuania, Canada, and Ukraine authorities, coordinated by Europol and Eurojust, Emotet’s infrastructure has been taken down.
This is likely to have lasting and significant consequences for the cybersecurity industry. In this article, we’ll take a look at what Emotet is, and how you can ensure your organization is protected from sophisticated malware threats.
So, What Is Emotet?
Emotet is a Trojan (a type of malicious software that is disguised as something harmless) that is mainly spread via spam emails. In a typical Emotet attack, a malicious server will send out dangerous emails in bulk to as many users as possible, maximizing the number of targets.
The emails use a form of social engineering to attempt to trick users into opening an email attachment or clicking a URL. This can include using familiar branding, such as disguising the email as a message from Microsoft or Google, or using emotive language, like “Click here to view your salary increase.” These emails can be highly effective, especially when attacks leverage current events. When a user opens the malicious attachment or clicks on the harmful URL, the Emotet trojan is downloaded to the victim’s device.
Check Point’s Lotem Finkelstein told BBC News that this was something Emotet did particularly well, saying that: “It constantly adjusted its phishing emails to victims’ interests and global events – for example, the Covid-19 pandemic or major shopping seasons such as Black Friday.”
Since the release of Emotet in 2014, the malware has gone through a few iterations. The first version of the malware used a JavaScript file, and then it evolved into using macro-enabled documents to remotely download the virus from a command and control (C&C) center run by the malicious actors.
The latest version of Emotet had obfuscation techniques built into its code to prevent detection and subsequent analysis. One of the main techniques malware researchers use to analyze and dissect code is to run that code in a sandbox environment.
Running the code in a sandbox environment enables the code to be executed safely, with no possibility of spreading onto connected networks, and lets the analyst control the speed of execution to examine each step of the code. Emotet had measures to detect that it was being run in a virtual environment (a sandbox) and to lie dormant, making it much harder for cybersecurity solutions to block files and URLs containing the Emotet virus.
Who Was Affected?
No one was safe. Emotet impacted governments, companies, and individuals worldwide, harvesting banking details, personal data, login information and cryptocurrency wallets. Later versions of Emotet were used to deliver other trojans, increasing the potential target list. Emotet began by targeting organizations in Germany, then, with the new trojans, spread to organizations in the United Kingdom and the United States.
It’s taken the combined efforts of police from the UK, EU, US and Canada to take down the botnet, in one of the most significant global operations seen yet to disrupt the booming market of devastating malware applications that is affecting businesses around the world.
What’s Next?
Now that Emotet’s infrastructure is gone and the world is safe again, what is next? Sadly, the world of email security still isn’t safe, and it’s still important that every organization has a strong email security solution in place. Over the next few months, a demand vacuum will appear.
The demand for malware and botnets won’t decrease, and so another product or service is likely to appear out of that demand. Within a demand vacuum, you typically see an expedited development process, so within the year, new spam malware will be on the dark market with new technologies that can bypass spam filters.
How Can An Organization Protect Itself?
There are two main methods organizations can use to protect themselves from spamware and trojans sent through email. The first is a robust email security gateway solution that can detect impersonation attempts and halt phishing attacks at your organization’s perimeter. As Emotet, and possibly its successor, heavily leveraged credential harvesting for impersonation attacks, it is crucial that the email security solutions organizations choose have specific impersonation protections.
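As an added illustration (not code from the article or from any vendor it mentions), the following Python script shows the kind of check a gateway applies to the two delivery traits described above: a brand name in the sender display name that does not match the sending domain, and a macro-enabled Office attachment. The brand-to-domain map and the sample message are constructed assumptions for the demo.

```python
import email
from email import policy
from email.utils import parseaddr

# Hypothetical brand -> legitimate sending domains (assumption for the example).
TRUSTED_BRANDS = {"microsoft": {"microsoft.com"}, "google": {"google.com"}}
MACRO_EXTENSIONS = (".docm", ".xlsm", ".pptm", ".dotm")
MACRO_MIME_HINT = "macroenabled"  # e.g. application/vnd.ms-word.document.macroEnabled.12

def check_message(raw: bytes) -> list:
    """Return findings for one raw RFC 5322 message (empty list if clean)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    # Brand name in the display name, but the sending domain is not the brand's own.
    for brand, domains in TRUSTED_BRANDS.items():
        if brand in display.lower() and domain not in domains:
            findings.append(f"display-name impersonation of {brand} from {domain}")
    # Macro-enabled Office documents, the delivery vehicle the article describes.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ctype = part.get_content_type().lower()
        if name.endswith(MACRO_EXTENSIONS) or MACRO_MIME_HINT in ctype:
            findings.append(f"macro-enabled attachment: {name or ctype}")
    return findings

# Constructed sample message for the demo; not a real lure.
SAMPLE = b"""From: "Microsoft Account Team" <alerts@example-mailer.test>
Subject: Click here to view your salary increase
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please open the attached document.
--b1
Content-Type: application/vnd.ms-word.document.macroEnabled.12; name="Salary.docm"
Content-Disposition: attachment; filename="Salary.docm"
Content-Transfer-Encoding: base64

UEsDBBQ=
--b1--
"""

if __name__ == "__main__":
    for finding in check_message(SAMPLE):
        print("FLAG:", finding)
```

A real gateway would also verify SPF/DKIM/DMARC results and detonate attachments; this script only demonstrates the two header and attachment heuristics the article's description calls for.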
The second way organizations can proactively protect their systems is to train their employees to identify phishing emails and social engineering attacks. Cybersecurity awareness training solutions have come a long way since sitting through an hour of a monotonous talker; they can now be tailored to employees’ or organizations’ needs.
To make it easier for organizations to research and compare the right cybersecurity solutions to prevent advanced malware attacks like Emotet, Expert Insights has put together a guide to the top 11 Secure Email Gateway Solutions and the top 10 Security Awareness Training Platforms.
About Expert Insights
Expert Insights helps organizations around the world find the right cybersecurity services with helpful guides, expert advice and tailored solutions. Read technical articles, detailed cybersecurity buyers’ guides, insights from industry experts and much more at expertinsights.com. Make the right cybersecurity decisions with confidence.