    Emotet-as-a-Service: A Serious New Cyber Threat

    Highly sophisticated cyber criminals are hosting Emotet services, letting far less competent attackers distribute their malware with this powerful tool.

    by Samuel Greengard

    Key Points

    • Malware-as-a-service (MaaS) has emerged as a highly efficient way to distribute malicious payloads.
    • A wide variety of cyber crooks are able to launch increasingly sophisticated and well-coordinated attacks, across all industries, via Emotet-as-a-service.
    • Emotet-as-a-service can deliver many different types of malware, including ransomware.

    It’s no secret that cybersecurity is a constant game of one-upmanship. Every time a new or better defense is discovered, cybercriminals find new ways to circumvent the protections. The latest risk in this arms race is Emotet-as-a-service. It’s a subscription-based MaaS framework hosted by sophisticated cyber criminals; it makes Emotet attack methods available to less talented cyber criminals who wouldn’t otherwise have the skills and capabilities to make use of Emotet.

    That means a whole lot of formerly less dangerous cyber criminals are now able to more effectively attack your enterprise with malware, spyware and ransomware. So, no surprise: Mimecast’s Threat Intelligence Report: RSA Conference Edition reported a 145% increase in attack campaigns globally from October to December last year. During that period, Mimecast’s Threat Center analyzed more than 202 billion emails and rejected 92 billion.

    What is Emotet and How Does it Work?

    Emotet, which also goes by the names Geodo and Mealybug, was first detected in 2014.[1] It started out as a trojan designed to steal banking credentials from infected host systems. It is now a common and significant threat across industries and is frequently used by organized cybercrime gangs.

    The economic fallout from an Emotet incident can cost companies millions. The trojan is typically distributed by email. When a recipient clicks a link or an attachment, the malware delivers a malicious script, macro or other code that unleashes a worm. The system then typically downloads additional executable code that’s designed for a specific task, such as installing ransomware.

    Modular Design Increases Emotet-as-a-Service Danger

    A reason Emotet is so dangerous is that it serves as a “dropper” for other malware. Its modular design—along with the fact that it comes in several versions—makes it more difficult to identify and block. Cybercrooks use file compression and typically send malware payloads via DOC, DOCX and EXE formats, often residing within ZIP files. Thus, the actual file names are hidden within the container, as we explained in this prior post. They use language and attachments that seem realistic, such as “your invoice” or “payment details,” sometimes from what appears to be a legitimate shipper.

    Emotet is effective at avoiding detection because, among other things, it knows when it is running inside a virtual machine (VM). When this occurs, it lies dormant inside the sandbox so that it isn’t detected by malware scanners. It also uses command and control (C&C) servers to receive updates surreptitiously. This makes it possible for attackers to install updated versions of the malware code, along with other trojans. It can also create a “virtual” repository for stolen information, including usernames, passwords, bank account numbers, credit card data and email addresses.

    Cybercrooks typically use spam emails as a way to distribute Emotet. The multi-function software mines contact information from Microsoft Outlook and other programs and then generates emails to people in the address book, including family, friends and business associates.[2] Because the emails appear to originate from a friendly source, people are more apt to click on them. Emotet can also guess at passwords and crack weak ones. A detailed look at attack techniques is available on a Department of Homeland Security site.[3]

    The kinds of malware and ransomware Emotet services can deliver are increasingly expensive propositions. It’s not unusual for cyberthieves to demand tens of thousands of dollars in Bitcoin or another cryptocurrency in order to “free” data they’ve captured and encrypted. A now-renowned ransomware attack on the City of Baltimore crippled IT systems for months and resulted in an estimated $18 million recovery cost.[4]

    How to Inoculate Your Enterprise Against Emotet

    There are several steps that can reduce the risk of Emotet-based ransomware attacks:

    • Block unsecured devices on your network. This includes Internet of Things (IoT) devices that may not be directly visible. Ensure that you have secured all unmanaged devices, typically through a mobile device management (MDM) solution.
    • Block risky email attachments. This includes attachments that can’t be scanned by antivirus software.
    • Don’t be lulled into a false sense of security. Even if Emotet resides only on an unsecured machine or in a VM sandbox, it still presents risks. The polymorphic nature of the malware means that it can find ways to propagate and spread.
    • Provide awareness training. According to a 2017 Ponemon Institute study, 90% of breaches are caused by human error.[5] It’s critical to educate users about identifying suspicious emails and links, and about the risks of opening ZIP, DOC, DOCX and executable files.
    • Use threat intelligence software. These solutions identify and block access to fake and malicious links and URLs, malware and impersonation attacks, and internal threats.
    • Require strong authentication. Emotet can guess weak passwords. Strong authentication, including the use of multi-factor authentication, can slow or stop the malware from spreading across systems.
    • Patch consistently. In some cases, updates for software applications include tools or protections for blocking Emotet.
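    The ZIP-container trick described above and the “block risky email attachments” step translate into a straightforward attachment check. The Python below is an added example, not Mimecast’s code or a product feature: it opens a ZIP attachment in memory, flags members with the DOC, DOCX and EXE extensions the post names, recurses into nested ZIPs, and flags encrypted members (which a scanner cannot inspect); the sample attachments are constructed inside the script and contain no real malware.

```python
import io
import zipfile

# Extensions the post names as typical Emotet payload carriers; extend as needed.
RISKY_EXTENSIONS = {".doc", ".docx", ".exe"}


def inspect_zip(data: bytes, depth: int = 0, max_depth: int = 3) -> list[str]:
    """Return findings ("<reason>: <member>") for a ZIP attachment given as bytes.

    Nested ZIPs are opened in memory up to max_depth levels, because the payload
    is often a ZIP inside a ZIP. Encrypted members are reported without being
    read, since antivirus cannot scan their contents either.
    """
    findings: list[str] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not-a-zip: attachment claims to be a ZIP but does not parse"]
    for info in zf.infolist():
        name = info.filename
        lower = name.lower()
        if info.flag_bits & 0x1:  # bit 0 of the general-purpose flag = encrypted
            findings.append(f"encrypted-member: {name}")
            continue
        if any(lower.endswith(ext) for ext in RISKY_EXTENSIONS):
            findings.append(f"risky-extension: {name}")
        if lower.endswith(".zip"):
            if depth >= max_depth:
                findings.append(f"nesting-too-deep: {name}")
            else:
                inner = inspect_zip(zf.read(info), depth + 1, max_depth)
                findings.extend(f"{f} (inside {name})" for f in inner)
    return findings


def should_block(data: bytes) -> bool:
    """Policy hook: block the attachment if any finding was produced."""
    return bool(inspect_zip(data))


def build_zip(members: dict[str, bytes]) -> bytes:
    """Helper to construct sample attachments in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (no real malware): an inner ZIP hiding an EXE behind an
# invoice-themed name, wrapped in an outer ZIP next to a harmless text file.
INNER = build_zip({"your invoice.exe": b"MZ placeholder"})
SAMPLE_ATTACHMENT = build_zip({"readme.txt": b"hello", "payment details.zip": INNER})
CLEAN_ATTACHMENT = build_zip({"notes.txt": b"just text"})

if __name__ == "__main__":
    for finding in inspect_zip(SAMPLE_ATTACHMENT):
        print(finding)
```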

    If Emotet infects your network, it’s vital to scan for it and re-scan for it. Even if you clean an infected computer—including one you have isolated—the malware can reappear. While the process of checking each and every computer can be tedious and frustrating, it’s essential to isolate infected devices and remediate infected endpoints.

    The Bottom Line

    Emotet-as-a-Service has changed the face of cybersecurity. The “dropper” capability has introduced a new wave of malware—including ransomware—on an enormous scale. Emotet’s subscription-based Malware-as-a-Service model brings the option of simple attack methods to a wider audience of cyber criminals while simultaneously keeping older, well-known malware in circulation. However, with a targeted strategy and the right tools, it’s possible to thwart Emotet and keep your enterprise protected.


    [1] “Emotet,” Wikipedia

    [2] “The evolution of the infamous Emotet Banking Trojan,” Cyware Social

    [3] “Alert (TA18-201A),” CISA, Department of Homeland Security

    [4] “Baltimore ransomware attack will cost the city over $18 million,” Engadget

    [5] “2017 Cost of Data Breach Study,” Ponemon Institute
