EMOTET spreading through spam botnet

The banking malware EMOTET, first detected in 2014, is back. Researchers at Trend Micro have discovered a spam campaign that, unlike the previous variants, targets all sectors and industries.

The United States, United Kingdom, and Canada made up the bulk of the target regions, with the US accounting for 58% of all detected infections, while Great Britain and Canada were at 12% and 8% respectively.


These new variants use multiple ways to spread. The primary propagation method is a spam botnet, which results in rapid distribution via email. EMOTET can also spread via a network propagation module that brute-forces its way into an account domain using a dictionary attack. EMOTET's use of compromised URLs as C&C servers likely helped it spread as well.
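The dictionary attack mentioned above leaves a recognisable trace: one source host generating many failed logons against several different accounts in a short span. The following is an added example, not part of the Trend Micro research or the original post. It runs a sliding-window check over a constructed list of events whose fields (`time`, `event_id`, `src`, `user`) are assumed to resemble a Windows Security event 4625 (failed logon) export; the thresholds are illustrative and would be tuned per environment.

```python
"""Flag hosts whose failed logons look like a dictionary attack against
domain accounts.  Added example with a constructed event schema; the field
names and thresholds are assumptions, not taken from the report."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data: WS-017 tries several accounts within 20 seconds,
# WS-042 fails three times for one user over two minutes (a typo, not an attack),
# and one successful logon (4624) is present to show it is ignored.
SAMPLE_EVENTS = [
    {"time": "2017-09-01T10:00:00", "event_id": 4625, "src": "WS-017", "user": "jsmith"},
    {"time": "2017-09-01T10:00:02", "event_id": 4625, "src": "WS-017", "user": "admin"},
    {"time": "2017-09-01T10:00:05", "event_id": 4625, "src": "WS-017", "user": "administrator"},
    {"time": "2017-09-01T10:00:09", "event_id": 4625, "src": "WS-017", "user": "backup"},
    {"time": "2017-09-01T10:00:13", "event_id": 4625, "src": "WS-017", "user": "svc_sql"},
    {"time": "2017-09-01T10:00:20", "event_id": 4625, "src": "WS-017", "user": "jsmith"},
    {"time": "2017-09-01T10:01:00", "event_id": 4625, "src": "WS-042", "user": "mlee"},
    {"time": "2017-09-01T10:01:40", "event_id": 4625, "src": "WS-042", "user": "mlee"},
    {"time": "2017-09-01T10:03:00", "event_id": 4625, "src": "WS-042", "user": "mlee"},
    {"time": "2017-09-01T10:03:05", "event_id": 4624, "src": "WS-042", "user": "mlee"},
]


def parse_time(stamp):
    """Parse the ISO-8601 timestamp used by the constructed events."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")


def detect_dictionary_attack(events, window_seconds=60, min_failures=5, min_accounts=3):
    """Return {source_host: sorted targeted accounts} for every source whose
    failed logons inside any window_seconds span reach min_failures and touch
    at least min_accounts distinct accounts.  The distinct-account floor keeps
    a single user mistyping one password from tripping the rule."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # src -> deque of (time, user) inside the window
    flagged = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] != 4625:          # only failed logons are of interest
            continue
        now = parse_time(ev["time"])
        q = recent[ev["src"]]
        q.append((now, ev["user"]))
        while q and now - q[0][0] > window:  # expire events older than the window
            q.popleft()
        users = {user for _, user in q}
        if len(q) >= min_failures and len(users) >= min_accounts:
            flagged.setdefault(ev["src"], set()).update(users)
    return {src: sorted(users) for src, users in flagged.items()}


if __name__ == "__main__":
    for host, accounts in detect_dictionary_attack(SAMPLE_EVENTS).items():
        print(f"{host}: {len(accounts)} accounts targeted -> {', '.join(accounts)}")
```

Pairing this with the spam indicators later in the post matters: a spray of failed logons from a workstation that has just opened an invoice-themed document is far stronger evidence than either signal alone.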

For malware with email-spamming and lateral-movement capabilities, infecting business systems and acquiring corporate e-mails translates into larger and more effective spam targeting and a higher chance of gaining information.


The new EMOTET variants initially arrive as spam claiming to be an invoice or payment notification, to trick victims into believing it is a legitimate email from a supplier.

The body of this email contains a malicious URL that, when clicked, downloads a document carrying a malicious macro. This macro then executes a PowerShell command line that is responsible for downloading EMOTET.

Once downloaded, EMOTET drops and executes copies of itself into the following folders:

  • If EMOTET has no admin privileges, it drops the copies into %AppDataLocal%\Microsoft\Windows\{string 1}{string 2}.exe
  • If EMOTET has admin privileges, it instead drops the copies into %System%\{string 1}{string 2}.exe

The malware attempts to ease its entry into the system by deleting the Zone.Identifier Alternate Data Stream (ADS), a string of information describing the Internet Explorer trust settings of the file's download source. This is one way the system determines whether a downloaded file came from a high-risk source, blocking it if it is detected as such.

EMOTET then registers itself as a system service and adds registry entries to ensure that it is automatically executed at every system startup. A typical Windows service acts as a "controller" for most hardware-based applications, while others are used to control other applications. EMOTET, on the other hand, uses the service both for elevation of privilege and as an autostart mechanism.
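The infection chain described in the preceding paragraphs (Office document spawning PowerShell, an executable dropped into one of the two folders above, the Zone.Identifier stream removed, a service and an autostart registry entry pointing at the dropped file) can be scored as a set of stages observed on one host. This is an added example, not code from the Trend Micro report or the original post. The event records use a constructed, simplified schema (`type`, `parent`, `image`, `path`, `image_path`, `key`, `value`) that is only loosely modelled on Sysmon and Windows event fields; the sample paths and file names are invented, and since `{string 1}{string 2}.exe` is unpredictable the rules match any `.exe` placed directly in the named folders.

```python
"""Score a host's telemetry against the EMOTET infection chain.
Added example; the event schema and sample values are constructed."""
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}

# Drop folders from the report: %AppDataLocal%\Microsoft\Windows\ without admin
# rights, %System%\ with them.  Any .exe written directly into them is of interest.
DROP_PATTERNS = [
    re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\microsoft\\windows\\[^\\]+\.exe$", re.I),
    re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+\.exe$", re.I),
]


def in_drop_dir(path):
    """True if path is an .exe sitting directly in one of the two drop folders."""
    return any(p.match(path) for p in DROP_PATTERNS)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def matched_stages(events):
    """Return the set of chain stages evidenced by a host's events."""
    hits = set()
    for ev in events:
        kind = ev["type"]
        if kind == "process_create":
            # Stage 1: the macro launches PowerShell from an Office process.
            if basename(ev["parent"]) in OFFICE_PARENTS and basename(ev["image"]) == "powershell.exe":
                hits.add("office_spawned_powershell")
        elif kind == "file_create":
            # Stage 2: a copy of the malware is written to a drop folder.
            if in_drop_dir(ev["path"]):
                hits.add("exe_written_to_drop_dir")
        elif kind == "stream_delete":
            # Stage 3: the Zone.Identifier ADS of a downloaded file is removed.
            if ev["path"].lower().endswith(":zone.identifier"):
                hits.add("zone_identifier_removed")
        elif kind == "service_install":
            # Stage 4: a new service whose binary lives in a drop folder.
            if in_drop_dir(ev["image_path"].strip('"')):
                hits.add("service_from_drop_dir")
        elif kind == "registry_set":
            # Stage 5: an autostart Run value pointing at a drop folder.
            if "\\currentversion\\run\\" in ev["key"].lower() and in_drop_dir(ev["value"].strip('"')):
                hits.add("run_key_to_drop_dir")
    return hits


def evaluate_host(events, min_stages=3):
    """Return (sorted stages, verdict).  Requiring several stages keeps a lone
    System32 .exe write (common during legitimate updates) from alerting."""
    hits = matched_stages(events)
    verdict = "probable EMOTET chain" if len(hits) >= min_stages else "insufficient evidence"
    return sorted(hits), verdict


# Constructed telemetry for an infected host running with admin rights.
INFECTED_HOST_EVENTS = [
    {"type": "process_create",
     "parent": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "stream_delete", "path": r"C:\Users\alice\AppData\Local\Temp\invoice.exe:Zone.Identifier"},
    {"type": "file_create", "path": r"C:\Windows\System32\ghijklmnop.exe"},
    {"type": "service_install", "image_path": r'"C:\Windows\System32\ghijklmnop.exe"'},
    {"type": "registry_set",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ghijklmnop",
     "value": r"C:\Windows\System32\ghijklmnop.exe"},
]

# Constructed telemetry for an ordinary host.
BENIGN_HOST_EVENTS = [
    {"type": "process_create", "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe"},
    {"type": "file_create", "path": r"C:\Users\alice\Documents\notes.txt"},
]

if __name__ == "__main__":
    for label, evs in (("infected", INFECTED_HOST_EVENTS), ("benign", BENIGN_HOST_EVENTS)):
        stages, verdict = evaluate_host(evs)
        print(f"{label}: {verdict} ({', '.join(stages) or 'no stages'})")
```

The stage names are the point of the output: an analyst handling the alert sees which parts of the chain were observed and which are missing, which is far more actionable than a single score.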

EMOTET will list the system’s currently running processes and then proceed to gather information on both the system itself and the operating system used.

It then connects to the Command & Control (C&C) servers to update to its latest version and to determine the type of payload it will deliver. One possible payload is the persistent banking trojan known as DRIDEX, which attempts to harvest banking account information via browser monitoring routines. The malware can also turn the infected system into part of a botnet that sends spam emails intended to spread the malware even further; the more systems it infects, the faster it propagates. The malware is also capable of harvesting email information and stealing usernames and passwords stored in installed browsers.

We discovered that in addition to the above payloads, the C&C server is responsible for sending modules that perform the following routines:

  • SPAMMING Module
  • Network Worm Module
  • Mail Password Viewer
  • Web Browser Password Viewer


Preventing this malware from infecting your machine requires the usual security measures: do not download attachments from unknown senders or sources, do not click on links that are not trusted, and always use a good AV solution.



Author: Cognore

Cyber Security Solution
