Featured Article: Emotnet: A Million Bucks per Incident

Category: newsletter

In the light of a reported recent victory by Europol in trying to stop the particularly dangerous Emotet malware, we look at what it is, how it is spread, and how to try and guard against it.

What Is Emotet?

Emotet is a computer malware program, believed to be Russian in origin, that was originally developed in the form of a banking Trojan. It was first detected in 2014 when customers of German and Austrian banks were affected by the Trojan.  Emotet is a bot/zombie meaning that it is malware which checks back to command-and-control servers operated by cybercriminals and as such, can be given more new instructions on what to do next.

Emotet has traditionally been spread in the first place via infected word documents in emails (phishing) using a number of different lures over time to trick the recipient into clicking on the infected link.  Past email campaigns have included invoices, shipping notices and information about COVID-19.

According to Kaspersky, Emotet is able to continue spreading by using ‘Outlook harvesting’, whereby the Trojan reads emails from users already affected and creates its own (deceptively real) emails, containing an infected Word document with a malicious link, that appears legitimate and personal and stand out from ordinary spam emails. Emotet is then able to send these phishing emails to stored contacts like friends, family members, and work colleagues.

Bots / Zombies That Check Back and Can Be Used as part of a ‘Botnet’.

The infrastructure that has been created by victims who have downloaded Emotet’s bots/zombie malware can mean that a cyber-criminal can choose to use a group of zombie computers as part of a whole botnet i.e., a number of internet-connected devices, each of which is running one or more bots, to launch a variety of different attacks.  This is because once a computer has become infected it is added to the Emotet botnet which uses the particular computer as a downloader for other threats.

When a device is infected (e.g. due to someone clicking on the link in the infected Word document sent via email), a botnet of Emotet infected machines is used to penetrate associated systems using brute-force attacks (DDoS, mass spam emails, click fraud in adverts and more). Emotet then delivers modules to extract passwords from local apps and spreads sideways to other computers on the same network as well as stealing entire email threads to be reused for spam campaigns. Emotet can also be used to provide Malware-as-a-Service (MaaS) to other malware groups to rent access to the Emotet-infected computers.


There are several factors that have made Emotet a particularly dangerous threat.  These include:

– It is polymorphic. This means that its code changes a little every time it is accessed. In this way, it is able to keep evading anti-virus programs.

– The fact that it continually adds infected devices to an ever-growing botnet (Emotnet) and checks back for more instructions means that it is essentially a growing infrastructure that can be repeatedly exploited by cybercriminals, as and when they wish.

– As of February last year, researchers (Binary Search) discovered that Emotet can attack Wi-Fi networks, then scan all wireless networks nearby and use a password list to try and gain access to those networks and the devices on them.  This gives it incredible potential spreading power.

– The extent of the damage that it causes and its spread means that the clean-up operation for Emotet is very expensive.  For example, in the US, the Department of Homeland Security estimates that the cost of the clean-up for Emotet attacks is estimated at around one million US dollars per incident.

What To Do and Checking

The Japanese CERT (Computer Emergency Response Team) has published a tool called EmoCheck which claims to be able to detect the kinds of typical character strings that are associated with a Trojan like Emotet.  This tool can be downloaded from the JPCERTCC Github: https://github.com/JPCERTCC/EmoCheck

If a computer is infected with Emotet, security experts suggest informing those in your personal circle about the infection (due to the email contact threat), isolating the computer from the network, using a separate device to change all login data for all accounts (email accounts, web browsers) and then cleaning all computers connected to the network, one by one, using an antivirus.


Although there is no 100 per cent guaranteed way to protect against a constantly changing polymorphic Trojan like Emotet, there are some measures that can be taken to minimise infection risk.  These include:

– Keep up to date with all computer and security updates and make sure that anti-virus software is up to date.

– Make sure that your data is being regularly backed up to a secure location.

– Only use very strong passwords and don’t share them between different accounts.

– Set the computer to display file extensions by default, thereby allowing possible detection of dubious files, e.g. self-extracting zipped executable files (.exe).

Recent Developments

Europol claims that because of co-ordinated action between itself and Eurojust (the European Union Agency for Criminal Justice Cooperation in the Hague) it has managed to seriously disrupt the Emotet infrastructure, thereby seriously reducing the threat.  Europol says that a collaborative effort between authorities in the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada, and Ukraine means that investigators have taken control of the Emotet infrastructure thereby disrupting “one of most significant botnets of the past decade”.

See Our Recent Blog Posts