Emotet – Malware as a Service

One of the most virulent carriers of malware is on the loose – again

The popular image of computer hackers is one of pimply geeky nerds sitting in their parents’ basements, guzzling quantities of fizzy drinks and pizza while endlessly typing in passwords in order to access forbidden systems.

The reality is much more sinister. Crime is a serious business, and those pursuing a career in cybercrime may well be part of an enterprise that is more efficiently run and more profitable than the organisations that form their prey.

This is largely due to the evolution of ever more sophisticated tools that enable threat actors to launch their attacks. One such tool, which has attracted a lot of attention through its recent activity, is Emotet. Emotet is not in itself destructive malware; it is a sophisticated method of delivering ransomware and other crippling payloads to its targets.

Although it has retained the same name since its first appearance in 2014, Emotet has evolved over time in its methods of operation and the way it infiltrates its targets. It started as a banking Trojan delivery mechanism; it is now capable of delivering a double knockout blow, such as TrickBot (a credential harvester) followed by Ryuk (ransomware), while evading protection software. It is modular, and thereby easily customised to perform specific tasks.

The variety of payloads grows at a terrifying rate: one security software provider counted over 4,900 unique payloads delivered by Emotet in the last two weeks of January 2019 alone. The number continues to grow, and Emotet remains a major threat.

Who uses Emotet?

As mentioned earlier, the deployers of Emotet are not the Hollywood geeks of fiction. Indeed, like their victims, they are consumers of cloud-based services. There are organisations that maintain and develop new versions of Emotet, making it available to those willing to pay for it.

Malware as a Service (MaaS) is a relatively new development, which opens the doors of crime to anyone with the money to pay for access. No longer does the criminal organisation require inhouse technical expertise, or even high-speed Internet connections, since these are provided by the MaaS providers and come as part of the package.

Clearly this multiplies the number of potential attacks considerably, from a wide variety of sources. Targets, however, are typically those from which the richest pickings can be expected: the USA, Canada, the UK, northern Europe, etc. with other cases reported from China and Brazil.

How does a system get infected?

Sadly, the most common method of infection is still a human being: a user who cannot tell a counterfeit message from a genuine one.