Emotet Evolution: Banking Trojan Still Popular

For malware to continue to be relevant in the market and being used in one form or another there has to be an aspect that continues to be a workable feature. If a piece of malware's signature is well-known by the AV producers, and easily red-flagged, there would not be a significant point for continued use.

Emotet, a banking Trojan, has been in use since 2014. To ensure its continued use, the Trojan has not remained static. Over the years this has evolved in various aspects. In September of this year, Emotet presented itself with a new propagation technique. This variant expanded its realm by focusing its efforts on Active Directory with a brute force attack with rainbow tables. This coupled with the EternalBlue exploit and DoublePulsar created a rather pertinent attack.

Since this time, the malware has evolved to maintain its viability post-compromise of the targeted endpoint. For this version, the C&C communication was encrypted, used as updated C&C communication protocol, and obfuscating the code.

The current variant was coded to not be detected by AV. To increase its overall viability, the latest version also checks if it is in a sandbox by reviewing hostnames and files in other directories. This trend with malware evolving is not new and certainly will not cease. The malware has the intent of keeping this attacking in the system. To accomplish this the malware continued to evolve. Without this taking place, the time spent coding this would be for a single set of attacks and a waste of coding which could be used in the long-term.

About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.