The World Wide Web laid the foundation for many pleasant things that we take for granted today and that a large part of the population could no longer do without: mail traffic, online banking, WLAN, streaming services or the home office. But it is also the foundation of a rapidly growing development of malware and its spread.
Hundreds of thousands of new malware signatures are registered every day, both entirely new strains and mutations of well-known ones. Very few get a catchy name, often as a memorial to the damage they have caused.
Emotet started out as a fairly standard banking Trojan in 2014 and was little different from many other Trojans. Delivered via phishing mails, either as a malicious link or as a malicious attachment, Emotet nested itself in the host system and waited to harvest banking data. That was its modus operandi until around 2016.
Emotet - The Development
In 2017 Emotet surprised with a new form. The “distribution channel” had remained more or less the same, but Emotet now operated primarily as a “dropper”. Droppers are used to load further malware onto an infected system, much like cargo ships deliver their freight.
The Emotet developers had equipped it with additional modules and capabilities and now “rented” it out to other criminals for their own malware and targets (e.g. ransomware, keyloggers, bots, crypto miners, etc.).
Emotet formed the basis of around 60% of all phishing attacks in 2019 and has developed from a simple banking Trojan into the “weapons platform” for cyber criminals.
The new capabilities of Emotet included, among other things, independent spreading within the network, by using an “EternalBlue exploit” module or by brute-forcing user accounts in Active Directory, in order to settle on other computers or to spread further via email.
Emotet’s greatest strength, however, is its polymorphism, which it uses to outsmart common signature-based anti-virus solutions. Emotet is able to change its own code so that, on the one hand, it retains its functions, but on the other hand looks different enough not to be recognized.
It is like the police chasing a shapeshifter with mug shots. In addition, there are modules that attempt to detect active scans or virtual environments in order to keep Emotet inactive during that time.
Emotet has made remarkable progress from 2014 to the present day and may be called a showcase example, perhaps even the avant-garde of future malware. A prominent example of this is the ThiefQuest malware, which has been further developed with a similar amount of effort since it became known in June 2020. And Emotet has not yet reached its end: it started a new wave of distribution at the beginning of July 2020.