Emotet Malware: How Does it Work and How Can it be Stopped?

What is Emotet?

Emotet, once described as the “world’s most dangerous malware”, was first discovered as a banking Trojan in 2014 and over the years has evolved into the go-to solution for cybercriminals. What made Emotet so dangerous? It was offered for hire to other cybercriminals to install additional types of malware, such as banking Trojans or ransomware, onto a victim’s computer.

The infection occurs via a macro-enabled document file, spreading through spam emails (malspam). Emotet utilizes social engineering tricks to look legitimate and lure the victim into downloading the malicious Office file and enabling macros.

Emotet was originally designed as a banking malware that attempted to steal sensitive and private information from the victim’s computer. Later versions of the software saw the addition of spamming and malware delivery services—including other banking Trojans.

Emotet attempts to avoid detection by using a password-protected VBA project and obfuscated macros. It also uses C2 servers to receive updates. This works in the same way as the operating system updates to a PC and can happen seamlessly and without the user noticing. This allows the attackers to install updated versions of the software, install additional malware, or steal information such as user credentials and email addresses.

Considered the world’s largest malware botnet, Emotet was taken down by global law enforcement in early 2021. Unfortunately, cyber attackers don’t rest on their laurels and it was back starting November 2021.

The video below demonstrates examples of a recent Emotet attack detected and stopped by Datto SaaS Defense: