Emotet Malware Rears Its Ugly Head Again

A resurgence in Emotet malware may make it one of the most pervasive security threats of 2020.

Brien Posey

February 21, 2020

4 Min Read
Emotet Malware Rears Its Ugly Head Again
Getty Images

When it comes to IT security, there is a natural tendency to focus on next-generation threats. But while awareness of newly discovered threats and vulnerabilities is essential, it is also important not to lose sight of long-established threats. Such is the case with Emotet malware.

As malware goes, Emotet has a surprisingly long history. Emotet malware first gained traction in 2014 as a Trojan that was designed to steal online banking information. Over time, Emotet evolved both in the way that it is delivered and in how it behaves.

Today, Emotet malware infections are primarily spread through malicious email messages propagated by botnets. These emails may claim to contain a payment invoice, a receipt for a recently purchased product, a shipping update or practically anything else that might entice an unsuspecting victim into opening an infected attachment. Upon infecting a device, Emotet malware typically downloads and installs additional malware. It is also commonly used to infect computers with ransomware.

At one time, it seemed as though Emotet was about to go extinct. However, Emotet has recently seen a resurgence--one big enough that it is reasonable to expect that Emotet will be one of the most pervasive security threats of 2020.

Emotet went dark from May 2019 until September of that same year, and was idle for all but the last two weeks of the third quarter of 2019. Even though Emotet was only active for two weeks out of the entire quarter, it accounted for 11% of all of the malicious payloads detected during that quarter.

To put this another way, the third quarter of 2019 was approximately 13 weeks in length. This means that Emotet was active for only 15.4% of the quarter, but produced 11% of the total malicious payloads. If this attack had spanned the entire quarter, it could have conceivably accounted for more than 70% of the malicious payloads detected during that time.

Clearly, organizations must take Emotet seriously.

In spite of its age, Emotet remains a serious threat. This, of course, raises the question of why malware that originated in 2014 has not yet been eradicated. After all, an antivirus application should have no trouble detecting a piece of malware that has been in mainstream circulation for six years.

There are a few reasons why Emotet malware is still rearing its ugly head. The biggest is that the Emotet trojan that is circulating today is not the same trojan that was being circulated in 2014. There have been several different iterations of Emotet, and it is therefore possible that signature-based detection tools can’t recognize the latest variants.

Another reason why Emotet continues to be a problem in 2020 is that the current version is specifically designed to defeat the heuristic detection methods used by many anti-malware tools. Some of the more popular anti-malware applications will allow suspicious files to run inside of a sandboxed environment to see if the files exhibit malware-like characteristics. At least some flavors of Emotet malware are designed to remain dormant if they detect that they are running inside a virtual machine or a sandbox.

At the same time, Emotet malware is not solely dependent on email as an infection vector. While it is true that Emotet uses infected messages as a point of entry into an organization, it also tries to spread to other connected systems. In doing so, it attempts to learn the credentials of connected systems using either a dictionary-based or a brute-force password attack.

Unfortunately, there is no one single action that an organization can take to ensure that it is  100% protected against Emotet attacks. That being the case, the best course of action is to practice defense in depth by implementing layered defenses against Emotet malware. These defenses may include blocking potentially malicious email attachments (and scanning all others), keeping all systems up to date with the latest security patches and adopting a least privilege access security model. The United States Cybersecurity and Infrastructure Security Agency (CISA) offers additional recommendations for keeping Emotet malware attacks at bay. 

About the Author(s)

Brien Posey

Brien Posey is a bestselling technology author, a speaker, and a 20X Microsoft MVP. In addition to his ongoing work in IT, Posey has spent the last several years training as a commercial astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space.


Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like