Discovered in 2014, Emotet is one of the most prolific malware families, infecting computer systems globally through its mass campaigns of spam email that delivers malware (AKA malspam). These campaigns have been widely documented by many organizations, including how Emotet evolved from being a banking Trojan, to a malware loader with modular functionalities. The modular functionality of the malware allows the Emotet operators to install additional malware onto machines that are part of the Emotet botnet. The Emotet operators also provide their botnet as “Malware-as-a-Service” to other cyber-criminal gangs, who install their own malware of choice to the infected systems. For example, Emotet was recently used to deliver the Trickbot Trojan, which was then used to deliver the Ryuk ransomware.
Given Emotet’s destructive capability, incidents within enterprises have cost hundreds and thousands of dollars in recovery costs. The threat of an Emotet infection is significant and it is imperative to understand the Emotet operators’ modus operandi to better defend against it.