SOCRadar® Cyber Intelligence Inc. | Loader Malware Emotet is Now Led by Quantum and BlackCat


Sep 14, 2022
5 Mins Read

Loader Malware Emotet is Now Led by Quantum and BlackCat

Emotet (also known as SpmTools) is a sophisticated, modular banking trojan. Emotetmostly serves as a downloader or dropper of other banking trojans. It is a loader-as-a-service (LaaS). It is mainly distributed by spam emails (malspam).

Malicious scripts, document files with built-in macros, or malicious links can all spread the infection. Emotet has become a prominent, intrusive malware loader due to changes throughout time, mainly as a result of its capacity to carry out a complete infection cycle and smoothly spread other types of malware.

BlackCat and Quantum Use Emotet as Initial Attack Vector

AdvIntel recorded 1,267,598total Emotet infections globally in 2022. Further data from the research shows that Emotet infections peaked at the beginning of the Russian/Ukrainian crisis, with groups like Quantum and BlackCat starting to use the malware after Conti. The malware’s most targeted country is the U.S., with an approximately 36% rate.

Emotet infection rates in countries
Emotet infection rates in countries (Source: AdvIntel)

Emotet was once a tool mainly used by Conti affiliates. It has also been used by many threat actors and groups in various cyberattacks. Now, Quantum and BlackCat are the ones who lead the Emotet infection chain.

Emotet’s botnet attack flow utilizes Cobalt Strike to launch ransomware. In other words, threat actors presently use Emotet primarily as a dropper or downloader for a Cobalt Strike beacon, which distributes a payload enabling threat actors to hijack networks and carry out ransomware operations.

TTPs & IoCs