Skip to content
Naked Security Naked Security

Emotet malware: “The report of my death was an exaggeration”

"Old malware rarely dies." The best way to predict the future is to look at the past... if it worked before, it will probably work again.

You’ve probably seem the breathless media headlines everwhere: “Emotet’s back!”

One cybersecurity article we saw – and we knew what it was about right away – didn’t even give a name, announcing simply, “Guess who’s back?”

As you almost certainly know, and may sadly have experienced first hand, Emotet is a blanket term that typically refers both to a family of “command-and-control” malware and the gang who are its commanders-and-controllers.

The idea is simple: instead of building a single-purpose malware program for each attack, and unleashing it on its own, why not spearhead the attack with a general purpose malware agent that calls home to report its arrival, and awaits further instructions?

In popular terminology, that sort of malware is often referred to as a zombie or bot, short for software robot, and a collection of bots with the same command-and-control servers (known as C&C or C2 servers in the jargon), under the same botmasters, is known as a botnet.

Emotet, however, was not just a bot – to many sysadmins and threat responders, it was the bot, run by a notoriously resilient and determined criminal gang who operated their botnet as a disturbingly effective content delivery network for cybercrime.

An attack chain of attack chains

A common Emotet attack chain typically ran in mutiple stages, something like this:

  1. Emotet first, to form a beachhead inside your network;
  2. Followed by Trickbot or some other network-snooping malware to learn, plunder, hack, tweak, reconfigure and manipulate your computer estate until the crooks behind the stealing and surveillance had learned as much as they felt they needed to know (or made as much money as they thought they could, or both);
  3. Followed by a final, apocalyptic, flaming-skulls-on-your-wallpaper-type blast of ransomware and an associated, possibly breathtakingly expensive, blackmail demand.

As we wrote in February 2021:

The [Emotet crew] typically use the zombies under their control as a sort of content delivery network for other cybercriminals, offering what amounts to a pay-to-play service for malware distribution.

The Emotet gang does the tricky work of building booby-trapped documents or web links, picking enticing email themes based on hot topics of the day, and tricking victims into infecting themselves…

…and then sells on access to infected computers to other cybercriminals so that those crooks don’t have to do any of the initial legwork themselves.

That quote, notably, comes from an article entitled Emotet take”down – Europol attacks “world’s most dangerous malware”

https://nakedsecurity.sophos.com/2021/02/01/emotet-takedown-europol-attacks-worlds-most-dangerous-malware/

All quiet on the Emotet front

Since then, the Emotet ecosystem, if we may use that word to describe it, has been essentially off the radar, silent, and invisible.

But as we mentioned in February 2021, the same gang went quiet in February 2020, only to reappear suddenly in July of that year.

And, according to current reports, something similar has happened again, with researchers around the world noting a return of “Emotet-like” activity, and announcing, as Mark Twain famously did after reading in the newspapers that he had passed away, that the report of its death was an exaggeration.

What to do?

We’ve always been happy to report on malware takedowns, cybercrime busts and other disruptions that have removed or reduced cybercriminality, but we’ve also always advised against relaxing too much when that sort of report appears.

Here’s our advice, whether this Emotet “revival” is the same criminals who’ve returned from takedown to active duty or new recruits; whether it’s the old malware code or a re-written variant; whether the new botnet has the same goals or yet more aggressive ones:

  • Old malware rarely actually dies. Sometimes, as happened with floppy disk boot sector viruses, malware families get killed off by technological changes. But the truth is that once a technique is out there, and is known to work, even modestly well, someone new is likely to copy it, re-use it, or revive it. So we live with the sum of the threats of the past as well as all the genuinely new tools, techniques and procedures that come along.
  • Don’t focus on individual malware families or malware types when planning your protection. Emotet may be well-known, and rightly feared, but its method of operation (MO) is widely copied in many, perhaps most, malware attacks these days, and this MO has been in use since malware first became a money-making game. In some senses, an initial infection by nmalware like Emotet is the end of one attack chain, because it doesn’t itself contain specific malware tools such as password stealers, keyloggers, cryptominers or ransomare scramblers. But it is also very much the start of a whole new attack chain, ready to receive and deploy “updates” or “plugins” – new malware samples that may vary over time, by region, by victim’s computer type, or simply at the whim of the criminals in command-and-control.
  • Consider managed threat response (MTR). If you don’t have the time or expertise to keep track of criminality on or against your network on your own, an MTR service can help you ensure that you chase back any attacks that you do detect to their root cause. Sometimes, this might be a weak password or an unpatched server, but often it’s down to “beachhead” malware like Emotet. If you find and remove only the end of the attack chain, but leave the entry point in place, then the command-and-control crooks behind that beachhead malware will simply sell you out to the next cybergang that’s willing to pay the asking price.

Not enough time or staff? Learn more about Sophos Managed Threat Response:
Sophos MTR – Expert Led Response  ▶
24/7 threat hunting, detection, and response  ▶


Sophos products detect and block recent Emotet-related malware at numerous stages in the attack chain. Threat names you can search for in your logs include: Mem/Emotet-B (behavioural detection on Windows), AMSI/Emotet-B (run-time blocking on Windows), Troj/Emotet-* (including -CWN, -CWQ, -CWR, -CWT), Troj/Agent-BIAW and Troj/DocDl-AESR (these detections apply to on-demand and on-access scanning on all laptop, desktop and server platforms, as well as in email and web filtering products). The text DocDl in the last detection name on this list is short for document downloader, which refers to “precursor malware”, typically in the form of a malicious document delivered by email, that attempts to download Emotet if activated by a user. Booby-trapped documents are a common first step seen in Emtotet attacks.


1 Comment

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?