Playbook

Malware Threat: Emotet

Description

Emotet was first discovered in 2014 as a "simple" banking Trojan aimed at stealing financial data. Simple is in quotes because, over time, it has not only evolved into a botnet but also added modularity, such as the ability to deliver malware using worm-like capabilities. This is why the US Department of Homeland Security has identified it as "among the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors."

Emotet is still highly active, and its daily activity is noted not only by the organizations affected by this pervasive threat, but by researchers and first responders worldwide trying to understand the latest additions and attack methodologies the Emotet authors have added to their war chest. This latest playbook focuses on a specific Emotet attack campaign that FortiGuard Labs has observed. While this playbook is not meant to be an exhaustive analysis of Emotet, as that would be impossible due to time constraints, it does serve as a small glimpse into an otherwise impressive campaign of criminal behavior.

This latest variant of Emotet is spread via automated social engineering techniques, primarily through email. As previously reported by several vendors, Emotet hijacks legitimate email threads and inserts malicious messages into them so that they appear more trustworthy to the recipient. It is not unheard of for email threads to suddenly change topics, and Emotet exploits that human penchant for going on tangents by steering the conversation to something else, perhaps an update to an outstanding invoice.
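The thread-hijacking behaviour described above can be checked for at the mail gateway. The following is an added example written for this playbook, not FortiGuard code and not an Emotet artifact: it indexes threads the organisation has already seen and flags a new reply whose sender is not a participant of the thread it claims to continue, whose display name reuses a known participant's name under a different address, or whose subject no longer matches the referenced thread. The sample messages, addresses and Message-IDs are constructed for the demonstration.

```python
"""Heuristic for replies that hijack an existing email thread.

Added example (not FortiGuard's or Emotet's code). Sample messages below
are constructed; addresses and Message-IDs are placeholders.
"""
import re
from email import message_from_string
from email.policy import default
from email.utils import getaddresses, parseaddr

# Reply/forward prefixes that legitimately change a subject line.
RE_PREFIX = re.compile(r"^\s*((re|fw|fwd|aw)\s*:\s*)+", re.IGNORECASE)


def normalize_subject(subject):
    """Strip reply/forward prefixes, collapse whitespace, lower-case."""
    return " ".join(RE_PREFIX.sub("", subject or "").split()).lower()


def build_thread_index(raw_messages):
    """Map Message-ID -> normalized subject and {address: display name}."""
    index = {}
    for raw in raw_messages:
        msg = message_from_string(raw, policy=default)
        participants = {}
        for header in ("From", "To", "Cc"):
            values = [str(h) for h in msg.get_all(header, [])]
            for name, addr in getaddresses(values):
                participants[addr.lower()] = name
        index[str(msg["Message-ID"]).strip()] = {
            "subject": normalize_subject(str(msg["Subject"])),
            "participants": participants,
        }
    return index


def assess_reply(raw_reply, index):
    """Return a list of reasons the reply looks like a hijacked thread."""
    msg = message_from_string(raw_reply, policy=default)
    reasons = []
    parent = index.get(str(msg.get("In-Reply-To", "")).strip())
    if parent is None:
        return reasons  # not a reply to a thread we know; other controls apply
    name, addr = parseaddr(str(msg["From"]))
    addr = addr.lower()
    if addr not in parent["participants"]:
        reasons.append("sender is not a participant of the referenced thread")
        known_names = {n.lower() for n in parent["participants"].values() if n}
        if name and name.lower() in known_names:
            reasons.append("display name matches a participant but address differs")
    if normalize_subject(str(msg["Subject"])) != parent["subject"]:
        reasons.append("subject changed from the referenced thread")
    return reasons


# Constructed sample thread: an original message, a legitimate reply and a
# reply injected by a third party that reuses the display name and the
# thread reference but changes the subject to an invoice.
ORIGINAL = """\
From: Alice Example <alice@example.org>
To: Bob Customer <bob@customer.example>
Subject: Q3 maintenance schedule
Message-ID: <orig-1@example.org>

Bob, attached is the proposed Q3 maintenance window.
"""

LEGIT_REPLY = """\
From: Bob Customer <bob@customer.example>
To: Alice Example <alice@example.org>
Subject: RE: Q3 maintenance schedule
Message-ID: <reply-1@customer.example>
In-Reply-To: <orig-1@example.org>

Looks fine to me.
"""

HIJACKED_REPLY = """\
From: Alice Example <alice@mail-relay.example>
To: Bob Customer <bob@customer.example>
Subject: Re: Overdue invoice - please review
Message-ID: <reply-2@mail-relay.example>
In-Reply-To: <orig-1@example.org>

Please see the updated invoice details.
"""

if __name__ == "__main__":
    thread_index = build_thread_index([ORIGINAL])
    for label, raw in (("legitimate", LEGIT_REPLY), ("suspicious", HIJACKED_REPLY)):
        print(label, assess_reply(raw, thread_index) or ["no findings"])
```

The index would normally be fed from the mail archive; a reply that references an unknown Message-ID is deliberately not flagged here, since that case is better handled by ordinary sender reputation and attachment controls.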

For more information on the TTPs used by Emotet, read the blog listed in the appendix and go to our Playbook Viewer and select Emotet from the menu.