{"id":71757,"date":"2022-05-10T14:54:39","date_gmt":"2022-05-10T21:54:39","guid":{"rendered":"https:\/\/forescoutstage.wpengine.com\/?p=71757"},"modified":"2022-05-13T12:44:38","modified_gmt":"2022-05-13T19:44:38","slug":"emotet-the-return-of-the-worlds-most-dangerous-malware","status":"publish","type":"post","link":"https:\/\/www.forescout.com\/blog\/emotet-the-return-of-the-worlds-most-dangerous-malware\/","title":{"rendered":"Emotet: The Return of the World’s Most Dangerous Malware"},"content":{"rendered":"

In our new threat briefing report<\/a>, Forescout\u2019s Vedere Labs analyzes an Emotet sample<\/a>, presents a list of IoCs extracted from the analysis and discusses mitigation.<\/p>\n

Emotet<\/a> is the name of both a cybercrime group and a malware loader it distributes. The group is also known as MUMMY SPIDER<\/a>, while the malware is also known as Geodo or Heodo. According to CISA, Emotet is among the most costly and destructive malware<\/a> used against the private and public sectors, with individual incidents costing up to $1 million to remediate. According to Europol, Emotet is the world\u2019s most dangerous malware<\/a>.<\/p>\n

The malware is disseminated through malicious emails that typically have a financial theme, such as receipts and invoices, or follow current events<\/a>, such as tax season scams and donation requests for refugees. Infection happens when a victim opens a document attached to the email that contains malicious macros that, in turn, execute the malware downloader. After download, Emotet persists on the infected machine, communicates with a C2 server to receive instructions and attempts to spread on the local network.<\/p>\n

Emotet started in 2014 as a banking trojan used to steal credentials, but it has evolved through several mutations<\/a> and additional DLL modules<\/a> to become a botnet capable of delivering other malware, such as TrickBot or IcedID, and ransomware, such as Ryuk. This capability is so important that Emotet is often considered \u201cinfrastructure as a service\u201d for initial access and malware distribution.<\/p>\n

The botnet was taken down by police action in January 2021<\/a>, but the threat actor rebuilt its infrastructure and returned in November 2021. Emotet started adding more bots around January, and the number has been increasing steadily. At its previous peak before the police action, Emotet infected millions of devices. Since its resurgence, there are now approximately 130,000 bots<\/a>, which can propagate the malware by spamming targets, be used for lateral movement in targeted organizations or be promoted to proxy C2 servers. The number of Emotet infections tripled in March 2022<\/a> over the previous month.<\/p>\n

Forescout recommends that organizations use the following steps to mitigate risks:<\/p>\n