
The return of Banking Trojan EMOTET


Emotet is a banking Trojan that gains access to financial information by injecting code into the system, allowing sensitive data to be stolen via transmission. Emotet is a member of the Feodo family of Trojan malware. This Trojan was observed in 2014, and new updates of Emotet have been observed recently. The earlier variants of EMOTET primarily targeted the banking sector, but this time the malware isn’t picky about the industries it attacks. The affected companies come from different industries, including manufacturing, food and beverage, and healthcare.

Early variants used malicious spam emails, but the latest ones act as loaders and use various techniques to spread over the network and send spam emails. The initial infection vector is an email disguised as an invoice that contains a link to download a malicious macro document. The macro document executes a PowerShell command line, and the Emotet modules are then downloaded. Once downloaded, EMOTET drops and executes copies of itself in the following folders:

  • If EMOTET has no admin privileges, it drops the copies into %AppDataLocal%\Microsoft\Windows\{string 1}{string 2}.exe
  • If EMOTET has admin privileges, it instead drops the copies into %System%\{string 1}{string 2}.exe

It then registers itself as a system service and adds registry entries so that it is executed automatically at every system startup. Once a system is infected, it collects the computer name and running-process information, which are encrypted and sent to a C&C server. There it also updates itself to the latest version by sending a POST request and showing a 404 error, and it also determines the type of payload that will be delivered.

Emotet uses the Dridex malware as its payload, which steals banking credentials by installing a malicious component into the web browser. The malware uses various techniques to stay undetected by packing itself into memory. It acts as a loader and enables various modules. It also updates the main file, changing its name to avoid detection, and uses the AtomBombing technique to inject malicious code.

It uses a worm module to spread on the network: it brute-forces an account to break the password and copies itself to a network share. Emotet also spreads by email from compromised accounts. The attackers can remotely activate the spam module, which then uses the credentials to send email.

How Emotet works:

[Figure: Emotet malware]

Indicators of Compromise:


  • C:\Windows\System32\<randomnumber>\
  • C:\Windows\System32\tasks\<randomname>
  • C:\Windows\\<randomname>
  • C:\users\<myusers>\appdata\roaming\<random>
  • %appdata%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
  • <Randomname>.LNK file in the startup folder

Registry keys

  • HKLM\System\CurrentControlSet\Services “RandomNumbers”
  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “RandomNames” with value c:\users\admin\appdata\roaming\<random>\<legitfile>.exe
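
The locations and registry keys listed above can be turned into triage rules. The following is an added example, not code from the original article: it checks records from a persistence inventory against those locations, using constructed sample data. The record format, the rule names, and the reading of "random" as a digits-only name or a single folder under AppData\Roaming are assumptions of this example.

```python
import ntpath
import re

# Rules follow the IoC list above. Assumption of this example: "random" means
# a digits-only name, or an .exe exactly one folder below AppData\Roaming.
SERVICES = "hklm\\system\\currentcontrolset\\services\\"
RUN_KEY = "hkcu\\software\\microsoft\\windows\\currentversion\\run"
ROAMING_EXE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\roaming\\[^\\]+\\[^\\]+\.exe\b")
SYS32_NUMDIR = re.compile(r"^c:\\windows\\system32\\\d+\\")
STARTUP_LNK = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.lnk$")


def norm(path):
    """Lower-case a Windows path, drop outer quotes, collapse doubled separators."""
    return ntpath.normpath(path.strip().strip('"')).lower()


def triage(record):
    """Return the rules (possibly none) that one persistence record matches."""
    hits = []
    if record["kind"] == "registry":
        key = norm(record["key"])
        if key.startswith(SERVICES) and key[len(SERVICES):].isdigit():
            hits.append("service with digits-only name")
        if key == RUN_KEY and ROAMING_EXE.match(norm(record.get("data", ""))):
            hits.append("Run value starts .exe from AppData\\Roaming\\<random>")
    elif record["kind"] == "file":
        path = norm(record["path"])
        if SYS32_NUMDIR.match(path):
            hits.append("file under System32\\<digits>\\")
        if STARTUP_LNK.search(path):
            hits.append(".lnk in Startup folder")
    return hits

# Constructed sample inventory (not real telemetry): one benign, four suspect.
SAMPLE = [
    {"kind": "registry", "key": r"HKLM\System\CurrentControlSet\Services\48213907"},
    {"kind": "registry", "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "data": r'"C:\Program Files\Vendor\agent.exe"'},
    {"kind": "registry", "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "data": r'"c:\users\admin\appdata\roaming\qwkzt\notepad.exe"'},
    {"kind": "file", "path": r"C:\Windows\System32\77120\svc.exe"},
    {"kind": "file", "path": r"C:\Users\admin\AppData\Roaming\Microsoft\Windows"
                             r"\Start Menu\Programs\Startup\qwkzt.LNK"},
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(triage(rec), "<-", rec.get("path") or rec["key"])
```

Hits are review candidates, not verdicts: legitimate software can also start from these locations.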

Below are some steps to protect against the malware:

  • Cut off communication with its command-and-control server: block internet access or disconnect the infected system from the network until it is clean. Understand how critical password requirements are.
  • New services or scheduled tasks: using Event Viewer, check whether new services have been created.
  • Update the definitions in the endpoint protection/antivirus solution in use.
  • Real-time monitoring: enable real-time protection in the solution in use.