Several security vendors have reported a new peak in Emotet activity in recent days: Emotet is back.

Five years after its discovery, it has become a platform for spreading spam and malware.

First identified in 2014, this banking Trojan has since become a platform for spreading spam and malware.

It is one of the propagation vectors of the Ryuk ransomware.

The first versions relied on a script attached to e-mails imitating payment advice, invoice reminders or package-tracking notifications.

The sources of infection have gradually diversified, notably through the use of macros in Microsoft Office documents.

After a “summer break”, Emotet has resumed its activity, relying on Word documents.

To view the content, users are prompted to enable macros.
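A defender-side triage check for that lure, added here as an example and not taken from the article or from any vendor report: it classifies a Word file by container type and reports whether an OOXML document carries a VBA project. The sample documents are constructed in the script and are not real Emotet samples.

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .doc container
MACRO_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"


def inspect_word_file(data: bytes) -> dict:
    """Classify a Word file and report whether it embeds a VBA project.

    OOXML (.docx/.docm) files are zip archives: a VBA project is stored as
    word/vbaProject.bin, and a macro-enabled document declares MACRO_CT in
    [Content_Types].xml. Legacy .doc files are OLE containers whose macros
    live in an internal 'Macros' storage, which needs a full OLE parser.
    """
    if data.startswith(OLE_MAGIC):
        return {"container": "ole", "has_vba": None,
                "note": "legacy .doc; inspect the 'Macros' storage with an OLE parser"}
    if not data.startswith(b"PK"):
        return {"container": "unknown", "has_vba": None}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
            types_xml = ""
            if "[Content_Types].xml" in names:
                types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    except zipfile.BadZipFile:
        return {"container": "unknown", "has_vba": None}
    return {"container": "ooxml", "has_vba": bool(vba_parts),
            "macro_enabled_type": MACRO_CT in types_xml, "vba_parts": vba_parts}


def make_sample(with_vba: bool) -> bytes:
    """Build a minimal constructed OOXML document (not a real malware sample)."""
    ct = MACRO_CT if with_vba else PLAIN_CT
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    f'<Types><Override PartName="/word/document.xml" ContentType="{ct}"/></Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 8)  # stub VBA part
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("clean", make_sample(False)), ("macro", make_sample(True))):
        print(label, inspect_word_file(blob))
```

A file whose `has_vba` is true is exactly the kind of attachment that greets the user with a request to enable macros, and belongs in a sandbox rather than in a mailbox.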

To avoid arousing its targets' suspicions, Emotet inserts itself into e-mail conversations they have taken part in previously.

More and more often, it puts the victim's name in the subject line.

Emotet: shades of WannaCry

Able to detect virtual machines and sandboxes, Emotet is also polymorphic.

In other words, it can change its appearance to evade signature-based detection.

The Windows registry and task scheduler allow it to persist on infected systems.

To spread across networks, it uses several NirSoft tools:

  • NetPass, designed to recover all network passwords for the current Windows session
  • WebBrowserPassView, to do the same for the main web browsers
  • Mail PassView, for e-mail clients

The credentials collected this way are passed to an “enumerator” that tests them against network resources and, in parallel, looks for SMB shares it can write to via the DoublePulsar and EternalBlue exploits (also used by WannaCry and NotPetya).

The lifespan of these credentials is about a week, according to Cisco Talos.

Emotet distributes them to some infected machines, which use them to send spam.

Be aware that Emotet is back.