Pipeline Blog

A Trojan horse named “Emotet” is currently raging


Before moving forward it is necessary to explain some terms. Malware can be defined as a parasite present on a computer, which usually spreads quickly thanks to a flaw in another piece of software or to an error by the user.

Thus, malware is clearly not a precise term; it is a generic word that indicates a problem with multiple possible consequences. Indeed, it is true that people commonly lump spyware, worms, Trojans and others together under the name “virus”.

It is possible to define several kinds of malware, all harmful:

  • Viruses
  • Spyware (software that quietly scans your information and sends it to various organizations)
  • Worms, which rely on security vulnerabilities in browsers and e-mail clients
  • Rootkits
  • Adware (constant intrusive advertising)
  • Wabbits (malware that reproduces very fast and, unlike a virus, is neither an application nor a document)

Emotet was talked about in 2018, but it seems that it is making a comeback. This malware is not new: it was first detected in 2014, but it reappeared recently, on July 20, 2018.


Emotet: this polymorphic banking Trojan threatens banking networks and seems almost undetectable. The hackers behind Emotet have managed to make the malware nearly invisible; most antivirus products are completely fooled. This malware is a variant of older banking Trojans, but this one has become almost undetectable. Its attack technique is complex and devious: at each attack, Emotet is reworked into a new form and placed in new documents, enough to pass under the radar of 75% of the computer security software on the market.

In practice, antivirus software usually works by automatic detection against a list of known threats. As soon as a virus or malware is identified, its form is added to the list, and it is this form that the antivirus recognizes when it blocks the attack. It can be a script, a document, an image or even an executable file. However, when the malware is hidden in a new form, it is difficult for the antivirus to detect it.
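To make this concrete, here is an added example (not code from the original post) that contrasts a signature list, which only recognizes forms recorded earlier, with an on-access behaviour rule of the kind real-time protection applies. The samples, their contents and the events they trigger are constructed, and the behaviour rule is an assumed one for illustration.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class Sample:
    """Constructed stand-in for a scanned attachment and what it did when opened."""
    name: str
    content: bytes
    events: list = field(default_factory=list)  # (process, action, target)


# Constructed samples. KNOWN was analysed earlier and its hash put on the list;
# VARIANT is the same payload re-packed into a new document, as the text describes.
DROPPER_EVENTS = [("winword.exe", "download", "http://example.invalid/update.exe"),
                  ("winword.exe", "spawn", "powershell.exe")]
KNOWN = Sample("invoice.doc", b"pack=v1|PAYLOAD|" + b"\x90" * 16, DROPPER_EVENTS)
VARIANT = Sample("invoice_2.doc", b"pack=v2|PAYLOAD|" + b"\x41" * 16, DROPPER_EVENTS)
BENIGN = Sample("report.doc", b"quarterly figures", [("winword.exe", "print", "report.pdf")])

# Detection 1: the list of known forms, which is how the text describes antivirus working.
HASH_LIST = {hashlib.sha256(KNOWN.content).hexdigest()}


def hash_match(sample: Sample) -> bool:
    """True only if this exact form was seen and listed before."""
    return hashlib.sha256(sample.content).hexdigest() in HASH_LIST


# Detection 2: an assumed on-access rule that looks at what the document does rather
# than what it looks like: an Office process fetching a file from the network and
# then starting a script interpreter.
OFFICE = {"winword.exe", "excel.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe"}


def behaviour_match(sample: Sample) -> bool:
    downloaded = any(p in OFFICE and a == "download" for p, a, _ in sample.events)
    spawned = any(p in OFFICE and a == "spawn" and t.lower() in INTERPRETERS
                  for p, a, t in sample.events)
    return downloaded and spawned


def scan(sample: Sample) -> dict:
    """Verdict of each detector for one sample."""
    return {"hash_list": hash_match(sample), "behaviour": behaviour_match(sample)}


if __name__ == "__main__":
    for s in (KNOWN, VARIANT, BENIGN):
        print(s.name, scan(s))
```

The re-packed variant slips past the hash list but is still caught by the behaviour rule, which is why the on-access scanner recommended at the end of the post matters.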



Since 10 September 2019, Emotet has been reported on some @education.lu mailboxes deployed on behalf of the national education system in Luxembourg. This malware is dangerous because it has a very fast propagation capacity, but not only that: it is able to download and install other malware on the computers it infects. Such software includes, for example, ransomware, which holds the data on its victims' computers hostage in exchange for a monetary ransom.

Security researchers have detected a new spam campaign initiated by this malware, considered the most dangerous in the world. According to the researchers, Emotet sends out massive volumes of e-mails containing malware as an attachment or download links to malware. As soon as the malware in question is downloaded to a computer or other connected device, that device is in turn enlisted by the malware.


Why did Emotet disappear for four months?


Since the end of May 2019, Emotet seemed to have disappeared. Its activity had stopped, and the sending of contaminated e-mails had been interrupted.

Many researchers then thought that the creators of Emotet had bowed out, having noted the severity with which the authorities were going after the malware. Unfortunately, it turned out to be only a short break …


What are Emotet’s targets?


Currently, according to the researchers who detected the return of the malware, the booby-trapped e-mails mainly target German, American, British, Italian and Polish Internet users. Previously, this malware was known to target corporate and government networks.

Even if you do not fall into these categories, it is important to always be alert to the e-mails you receive. Always review an e-mail carefully before opening it, and never click on suspicious download links …


A call for vigilance:


To guard against Emotet, as against other spam, vigilance is more than ever the order of the day:

Since its detection, the attacker responsible for the Emotet outbreak has responded by creating new variants of the Trojan horse as the attacks persist, taking advantage of the malware's update feature. The IP address from which the payloads were downloaded has also been changed in response to the attention of malware researchers.

The components of Emotet are detected as:

  • Mal/Emotet
  • HPmal/Emotet
  • Troj/EmotetMem-A

To guard against malware that exploits Microsoft vulnerabilities in general:

  • Perform regular updates and apply them quickly.
  • If possible, replace older Windows systems with the latest version.

Other tips include:

  • If you receive a Word document by e-mail without knowing the sender, do not open it.
  • Lock down file sharing on your network.
  • Use good password practices.
  • Make sure users do not have admin access by default.
  • Block macros in Office documents.
  • Consider strict e-mail gateway settings.
  • Use an antivirus with an on-access scanner (also known as real-time protection).
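As an added example illustrating the attachment and e-mail gateway advice above (not code from the original post): a small triage function that quarantines macro-enabled Office attachments and Word documents from senders outside an assumed allowlist. The messages and documents are constructed in memory, and the allowlist containing only education.lu is an assumption for the demonstration.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
from email.utils import parseaddr

TRUSTED_SENDERS = {"education.lu"}  # assumed allowlist of internal sender domains
MACRO_EXTENSIONS = (".docm", ".xlsm", ".pptm", ".dotm")

def has_vba_project(blob: bytes) -> bool:
    """Office Open XML files are zip archives; VBA macros live in a vbaProject.bin entry."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return any(n.endswith("vbaProject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False

def triage(raw: bytes) -> list:
    """Return the reasons a message should be quarantined (empty list = deliver)."""
    msg = message_from_bytes(raw)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    known_sender = sender_domain in TRUSTED_SENDERS
    reasons = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:  # message body parts carry no filename
            continue
        blob = part.get_payload(decode=True) or b""
        if name.lower().endswith(MACRO_EXTENSIONS) or has_vba_project(blob):
            reasons.append(f"macro-enabled attachment {name}")
        elif name.lower().endswith((".doc", ".docx")) and not known_sender:
            reasons.append(f"Word document {name} from unknown sender {sender_domain}")
    return reasons

def fake_docx(with_macro: bool) -> bytes:
    """Constructed minimal Office Open XML archive (a real .docx is a zip as well)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed macro blob")
    return buf.getvalue()

def build_message(sender: str, filename: str, blob: bytes) -> bytes:
    """Constructed test e-mail carrying one attachment."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "user@example.invalid", "Invoice"
    msg.set_content("Please see the attached document.")
    msg.add_attachment(blob, maintype="application", subtype="octet-stream", filename=filename)
    return bytes(msg)
```

Checking the archive for vbaProject.bin catches macros even when the file is renamed to a harmless-looking .docx extension.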
