From Wikipedia, the free encyclopedia
Jump to navigation Jump to search

Emotet is a malware strain and a cybercrime operation based in Russia.[1] The malware, also known as Geodo and Mealybug, was first detected in 2014[2] and remains active, deemed one of the most prevalent threats of 2019.[3]

First versions of the Emotet malware functioned as a banking trojan aimed at stealing banking credentials from infected hosts. Throughout 2016 and 2017, Emotet operators updated the trojan and reconfigured it to work primarily as a "loader," a type of malware that gains access to a system, and then allows its operators to download additional payloads.[4] Second-stage payloads can be any type of executable code, from Emotet's own modules to malware developed by other cybercrime gangs.

Initial infection of target systems often proceeds through a macro virus in an email attachment. The infected email is a legitimate-appearing reply to an earlier message that was sent by the victim.[5]

It has been widely documented that the Emotet authors have used the malware to create a botnet of infected computers to which they sell access in an Infrastructure-as-a-Service (IaaS) model, referred in the cybersecurity community as MaaS (Malware-as-a-Service), Cybercrime-as-a-Service (CaaS), or Crimeware.[6] Emotet is known for renting access to infected computers to ransomware operations, such as the Ryuk gang.[7]

As of September 2019, the Emotet operation continues to be active, running on top of three separate botnets called Epoch 1, Epoch 2, and Epoch 3.[8]

In July 2020, Emotet campaigns were detected globally, infecting its victims with TrickBot and Qbot, which are used to steal banking credentials and spread inside networks. Some of the malspam campaigns contained malicious document file with names dubbed "form.doc" or "invoice.doc". According to security researchers, the malicious document launches a PowerShell script to pull the Emotet payload from malicious websites and infected machines. [9]

In November 2020, Emotet uses parked domains to distribute payloads. [10]

Noteworthy infections[edit]


  1. ^ Javier, John (August 28, 2020). "Emotet: Why did the 'most wanted' malware go on a 5-month hiatus?". The Hindu. Retrieved October 12, 2020.
  2. ^ "Emotet's Malpedia entry". Malpedia. January 3, 2020.
  3. ^ Ilascu, Ionut (December 24, 2019). "Emotet Reigns in Sandbox's Top Malware Threats of 2019". Bleeping Computer.
  4. ^ Christiaan Beek. "Emotet Downloader Trojan Returns in Force". McAfee.
  5. ^ a b Schmidt, Jürgen (June 6, 2019). "Trojaner-Befall: Emotet bei Heise" (in German). Heise Online. Retrieved November 10, 2019.
  6. ^ Brandt, Andrew (December 2, 2019). "Emotet's Central Position in the Malware Ecosystem". Sophos. Retrieved September 19, 2019.
  7. ^ "North Korean APT(?) and recent Ryuk Ransomware attacks". Kryptos Logic.
  8. ^ Cimpanu, Catalin (September 16, 2019). "Emotet, today's most dangerous botnet, comes back to life". ZDnet. Retrieved September 19, 2019.
  9. ^ "July 2020's Most Wanted Malware: Emotet Strikes Again After Five-Month Absence".
  10. ^ Emotet malware operators now using parked domains
  11. ^ "Malware infection poised to cost $1 million to Allentown, Pa". washingtontimes.com. The Washington Times. Retrieved November 12, 2019.
  12. ^ "Emotet malware gang is mass-harvesting millions of emails in mysterious campaign". zdnet.com. ZDNet. Retrieved November 12, 2019.
  13. ^ "Emotet: Trojaner-Angriff auf Berliner Kammergericht". spiegel.de (in German). Der Spiegel. Retrieved November 12, 2019.
  14. ^ "Emotet: Wie ein Trojaner das höchste Gericht Berlins lahmlegte". faz.net (in German). Frankfurter Allgemeine Zeitung. Retrieved November 12, 2019.
  15. ^ "Trojaner greift Netzwerk von Humboldt-Universität an". dpa (in German). Heise Online. November 9, 2019. Retrieved November 10, 2019.
  16. ^ "Trojaner-Befall: Uni Gießen nutzt Desinfec't für Aufräumarbeiten" (in German). Heise Online. December 19, 2019. Retrieved December 22, 2019.
  17. ^ https://www.journaldemontreal.com/2020/09/12/les-pirates-informatiques-ont-pu-voler-tous-les-courriels