According to Arne Schoenbohm, who leads the German Federal Office of Information Security (BSI), EMOTET is the king of malware. EMOTET actively attacks many devices in every industry, including small-large businesses, individuals, non-profit organizations, governments, and schools. Regarding that, each attack, on average, costs around 1M$. If malware had a council, this infamous malware would be the Caesar.
What is EMOTET?

EMOTET was first detected and described as a banking trojan in 2014. However, it constantly evolved and became much more destructive after each upgrade. This upgradeable, modular design is the primary reason it is that dangerous.
Since it uses C&C servers, EMOTET can be upgraded without any visual signs after settling a device, just like any operating system in our daily lives. However, through its upgrades, EMOTET does not just patch itself. It also loads other malware to the device confidentially.
With many tricks up its sleeve, EMOTET became a MaaS (Malware as a Service) portal for cyberattackers eventually. To exemplify this situation, EMOTET can be described as an experienced thief who breaks into your house, copies your keys, steals your valuable information secretly, and then sells all this information and security breaches (copied house key in this analogy) to other less skilled but dangerous thieves.
How Does it Spread?
Spamming the Mails

Spamming mail (malspam) is the most common way to spread this insidious Trojan virus EMOTET. Its spam emails include macro-enabled document files or links.
Clicking on these spam emails allows the attackers to sneak into the victim’s system. Although it is a quite common and known virus spread method, it can still take over many users because these mails seem reliable to the mail recipient.
It can also spread with malspam by disguising themselves is to have interesting and reliable headlines by acting as well-known brands, companies, or organizations.
Common Passwords
With a connected network, EMOTET spreads and infects the systems by using the common password lists. It tries to guess its way onto other linked systems in a brute-force assault*.
*Brute-force assault: A brute-force assault in cryptography entails an attacker submitting many passwords or passphrases to guess them accurately.
Degradation of EMOTET
In late January 2021, Europol reported that the “EMOTET” virus and botnet had been disabled because of international cooperation between eight law enforcement agencies. It resulted in law enforcement and judicial authorities gaining control of the infrastructure and bringing it down from the inside in the last week of January 2021.
A security researcher operating under the handle “milkream” determined that EMOTET was deploying a new module onto compromised devices on January 27, 2021, the same day as Europol’s press announcement. Victims’ infected computers were forwarded to this law enforcement-controlled infrastructure. This is a revolutionary and unique way to disrupt the actions of cybercrime facilitators efficiently.
What Should You Do If You Have Been Infected??

You must clean your system when you realize or suspect that the EMOTET has infected your device. Before that, you should inform people on your mail list to protect them from EMOTET. Then, you should check the network system since it may spread through.
As a next step, you should change your passwords and login details for all your accounts to prevent spreading. The key point is here; you should not use the same device since it is already infected. In other words, you should use a different device that is not connected to the same infected network.
After these steps, you can move on to cleaning the infected part. The important thing here is that you can get the virus again when you connect, so you must be sure all parts and each device connected to the same network are immaculate. You can either use an antivirus program or a specialist in this area for this step.
How Can SOCRadar Help Protect Yourself from EMOTET and Other Malware?

SOCRadar’s Threat Intelligence Feed module helps cybersecurity teams investigate threats with its easy-to-use design and in-depth data. IP addresses can be blacklisted due to malware spread or being part of a botnet. You can proactively improve your security posture by using SOCRadar’s Extended Threat Intelligence approach and Botnet & Malware feed.
References
- https://www.malwarebytes.com/emotet
- https://www.kaspersky.com/resource-center/threats/emotet
- https://www.darkreading.com/edge-articles/emotet-101-how-the-ransomware-works—-and-why-it-sso-darn-effective
- https://www.fbi.gov/news/stories/emotet-malware-disrupted-020121
- https://www.cisa.gov/uscert/ncas/alerts/TA18-201A7
- https://www.europol.europa.eu/media-press/newsroom/news/world%E2%80%99s-most-dangerous-malware-emotet-disrupted-through-global-action
Discover SOCRadar® Free Edition
With SOCRadar® Free Edition, you’ll be able to:
- Discover your unknown hacker-exposed assets
- Check if your IP addresses tagged as malicious
- Monitor your domain name on hacked websites and phishing databases
- Get notified when a critical zero-day vulnerability is disclosed
Free for 12 months for 1 corporate domain and 100 auto-discovered digital assets. Get free access