Emotet banking Trojan attack in 2022

The actor behind Emotet is a hacker group known as Mealybug. Since starting in 2014 with the first and simplest version of the Trojan, they have turned their operation into a successful crimeware rink that provides Malware-as-a-Service (MaaS). The group achieved this by creating a botnet of infected computers on Emotet malware infrastructure, which they then sold access to. The botnet runs from three clusters of servers known as Epoch 1, Epoch 2, and Epoch 3. They rented this framework to various ransomware ventures, including the infamous Ryuk gang.

The distribution mechanism of Emotet is through malspam. Emotet ransacks your contacts list and sends itself to your friends, family, coworkers and clients. Since these emails are coming from your hijacked email account, the emails look less like spam and the recipients, feeling safe, are more inclined to click bad URLs and download infected files. If a connected network is present, Emotet spreads using a list of common passwords, guessing its way onto other connected systems in a brute-force ­attack. If the password to the all-important human resources server is simply “password” then it’s likely Emotet will find its way there.

Emotet continues to be among the most costly and destructive malware affecting SLTT governments. Its worm-like features result in rapidly spreading network-wide infection, which are difficult to combat. Emotet infections have cost SLTT governments up to $1 million per incident to remediate. Emotet malware infiltrates computers through a network spreader component which consists of several spreader modules.

The infrastructure that was used by EMOTET involved several hundreds of servers located across the world, all of these having different functionalities in order to manage the computers of the infected victims, to spread to new ones, to serve other criminal groups, and to ultimately make the network more resilient against takedown attempts. The infected machines of victims have been redirected towards this law enforcement-controlled infrastructure. This is a unique and new approach to effectively disrupt the activities of the facilitators of cybercrime.

Emotet also uses C&C servers to receive updates. This works in the same way as the operating system updates on your PC and can happen seamlessly and without any outward signs. This allows the attackers to install updated versions of the software, install additional malware such as other banking Trojans, or to act as a dumping ground for stolen information such as financial credentials, usernames and passwords, and email addresses. 

Dr. Deepak Kumar Sahu, President & CEO, VARINDIA