Emotet is the name of both a cybercrime group and a malware loader it distributes. The group is also known as MUMMY SPIDER, while the malware is also known as Geodo or Heodo. According to CISA, Emotet is among the most costly and destructive malware used against the private and public sectors, with individual incidents costing up to $1 million to remediate. According to Europol, Emotet is the world’s most dangerous malware.
The malware is disseminated through malicious emails that typically have a financial theme, such as receipts and invoices, or follow current events, such as tax season scams and donation requests for refugees. Infection occurs when a victim opens the attached document, whose malicious macros execute the malware downloader. Once downloaded, Emotet persists on the infected machine, communicates with a C2 server to receive instructions and attempts to spread across the local network.
Emotet started in 2014 as a banking trojan used to steal credentials, but it has evolved through several mutations and additional DLL modules to become a botnet capable of delivering other malware, such as TrickBot or IcedID, and ransomware, such as Ryuk. This capability is so important that Emotet is often considered “infrastructure as a service” for initial access and malware distribution.
The botnet was taken down by police action in January 2021, but the threat actor rebuilt its infrastructure and returned in November 2021. Emotet began adding bots again around January, and their number has been increasing steadily since. Before the police action, at its peak, Emotet had infected millions of devices. Since its resurgence there are approximately 130,000 bots, which can propagate the malware by spamming targets, be used for lateral movement inside targeted organizations or be promoted to proxy C2 servers. The number of Emotet infections tripled in March 2022 compared with the previous month.
Forescout recommends that organizations use the following steps to mitigate risks:
- Enforce anti-phishing training to avoid the initial infection via malspam
- Disable macro execution whenever possible
- Monitor the use of regsvr32 processes on endpoints as detailed in the technical report
- Deploy the IoCs shared in the technical report in network detection and threat hunting tools
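The regsvr32 monitoring recommended above, combined with the macro-driven infection chain described earlier, can be turned into a simple hunt over endpoint process-creation telemetry. The following is an added example, not code from Forescout or the technical report: it assumes Sysmon-style process-creation events (fields `Image`, `ParentImage`, `CommandLine`, `UtcTime`), and the two signals it keys on, regsvr32 spawned by an Office application and regsvr32 loading a module from a user-writable directory, are the author's own detection assumptions rather than criteria taken from the report. The sample events are constructed, not real telemetry.

```python
from typing import Dict, Iterable, List

# Assumption: Office applications are not expected to spawn regsvr32.exe directly.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Assumption: a regsvr32 load from these user-writable locations is suspicious.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (handles missing directory)."""
    return path.lower().rsplit("\\", 1)[-1]


def score_event(ev: Dict) -> List[str]:
    """Return the reasons a process-creation event matches the macro -> regsvr32 pattern.

    An empty list means the event is not a hit. Only regsvr32.exe launches are
    considered; at least one primary signal (Office parent or user-writable
    module path) is required, and the /s silent flag is reported as supporting
    context only.
    """
    if _basename(ev.get("Image", "")) != "regsvr32.exe":
        return []
    parent = _basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "").lower()
    reasons = []
    if parent in OFFICE_PARENTS:
        reasons.append(f"regsvr32 spawned by Office process {parent}")
    if any(prefix in cmd for prefix in USER_WRITABLE_PREFIXES):
        reasons.append("regsvr32 loads a module from a user-writable path")
    if not reasons:
        return []
    if "/s" in cmd.split():
        reasons.append("silent /s flag suppresses registration dialogs")
    return reasons


def hunt(events: Iterable[Dict]) -> List[Dict]:
    """Run score_event over a stream of events and collect the hits with their reasons."""
    return [{"ts": ev.get("UtcTime"), "cmd": ev.get("CommandLine"), "reasons": r}
            for ev in events if (r := score_event(ev))]


# Constructed sample events (Sysmon Event ID 1 style); paths and names are made up.
SAMPLE_EVENTS = [
    {"UtcTime": "2022-03-14 09:12:01", "Image": "C:\\Windows\\System32\\regsvr32.exe",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "CommandLine": "regsvr32.exe /s C:\\Users\\alice\\AppData\\Local\\Temp\\sample.ocx"},
    {"UtcTime": "2022-03-14 09:15:44", "Image": "C:\\Windows\\System32\\regsvr32.exe",
     "ParentImage": "C:\\Windows\\System32\\msiexec.exe",
     "CommandLine": "regsvr32.exe /s C:\\Program Files\\Vendor\\control.dll"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["ts"], hit["cmd"], "|", "; ".join(hit["reasons"]))
```

The second sample, an installer registering a DLL from Program Files, is deliberately benign so the hunt shows that a silent flag alone is not enough to produce a hit.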
For more information and technical analysis, read the full report.