November 16, 2017 By Douglas Bonderud 2 min read

Banking Trojans are now commonplace. Cybercriminals rely on them because they generate reliable profits. Although users are getting wise to basic techniques, new variants ensure that attackers always have another avenue of compromise.

Consider the ongoing threat of Emotet, which has been making the rounds since 2014. According to Minerva, its latest campaign includes a host of upgrades that make it hard to detect and even harder to stop. The silver lining? Current versions of the code also include a loophole users can leverage to keep their systems clear.

Emotet’s Threat Evolution

The Trojan made a name for itself in 2014 by intercepting network activity and stealing data via DLL injections. Later the same year, the Trojan was upgraded with modular capabilities and code, allowing it to initiate automated banking transfers from victims’ accounts to command-and-control (C&C) servers. Emotet’s authors also ensured that Russian-speaking users were left alone.

By 2015, it included the ability to detect if it was running on a virtual machine used for security testing and contacted fake C&C servers to mislead researchers.

2017 has been a busy year for this Trojan. It gained features including:

  • Sandbox evasion — Download URLs are encrypted, making it harder for security teams to grab malware samples.
  • Exploit inclusion — The Trojan was first to use EternalBlue/DOUBLEPULSAR as part of an organized attack campaign.
  • Improved modules — Recently added modules now steal browser and email credentials.
  • Machine mining — New code lets the malware grab details about victims’ machines, including process names and specifications, and then decides how to proceed.

Now Emotet is staging yet another comeback, this time using a new infection vector: emails that contain a link to malicious documents, rather than attachments. This lets the malware evade standard email security solutions. If users download the malicious file and enable Word macros, the code executes a batch script and PowerShell command with an encrypted script, denoted by an “iex” instruction.

When that proved too obvious, Emotet evolved in less than a week to obscure the encrypted string. Once the Trojan gains a foothold, it may compromise financial and email account information and siphon money directly from bank accounts.

Too Smart for Its Own Good?

Emotet isn’t just popular in isolation; other Trojans such as IcedID also leverage the tool as a distribution mechanism. It makes sense — the rapid pace of evolution makes this malware almost impossible to stop.

But as noted by Help Net Security, work done by the code’s creators to detect sandbox machines and avoid security monitoring has created an opportunity for users.

It works like this: Emotet carries a list of common sandbox-related usernames and hostnames — such as TEQUILABOOMBOOM, admin or SystemIT. If any of these names are detected on user systems, the malware won’t run. In addition, it looks for two file clusters: C:\a\foobar.bmp, C:\a\foobar.gif, and C:\a\foobar.doc; or C:\email.doc, C:\email.htm, C:\123\email.doc and C:\123\email.docx.

If all three files from the first cluster or all four files from the second are detected, the malware assumes it’s being analyzed and does not execute. The result is a kind of cybercriminal catch-22: Running on sandboxes opens the malware up to analysis and detection. Avoiding detection by using highly specific criteria, meanwhile, provides a way for users to sidestep system compromise.

Bottom line? Emotet has effectively outsmarted itself. By creating new usernames or adding file clusters, users can force the Trojan to abort installation. But given its history of rapid iteration and improvement, current tactics are workarounds, not total solutions. Expect Emotet to evolve again.

More from

How to craft a comprehensive data cleanliness policy

3 min read - Practicing good data hygiene is critical for today’s businesses. With everything from operational efficiency to cybersecurity readiness relying on the integrity of stored data, having confidence in your organization’s data cleanliness policy is essential.But what does this involve, and how can you ensure your data cleanliness policy checks the right boxes? Luckily, there are practical steps you can follow to ensure data accuracy while mitigating the security and compliance risks that come with poor data hygiene.Understanding the 6 dimensions of…

2024 roundup: Top data breach stories and industry trends

3 min read - With 2025 on the horizon, it’s important to reflect on the developments and various setbacks that happened in cybersecurity this past year. While there have been many improvements in security technologies and growing awareness of emerging cybersecurity threats, 2024 was also a hard reminder that the ongoing fight against cyber criminals is far from over.We've summarized this past year's top five data breach stories and industry trends, with key takeaways from each that organizations should note going into the following…

Black Friday chaos: The return of Gozi malware

4 min read - On November 29th, 2024, Black Friday, shoppers flooded online stores to grab the best deals of the year. But while consumers were busy filling their carts, cyber criminals were also seizing the opportunity to exploit the shopping frenzy. Our system detected a significant surge in Gozi malware activity, targeting financial institutions across North America. The Black Friday connection Black Friday creates an ideal environment for cyber criminals to thrive. The combination of skyrocketing transaction volumes, a surge in online activity…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today