Emotet returns at a rate of 100,000 targets a day.

Emotet started as a banking trojan in 2014 and has come and gone through the years. It is very active for a few months, disappears, and then repeats the cycle.

Awareness is key in defending against persistent threats, and understanding their patterns and motives makes them more predictable.

Emotet’s advantage lies in its ability to install many forms of malware on machines. Information stealers, email harvesters, self-propagation mechanisms, and ransomware are the most popular payloads in Emotet appearances.

The Emotet botnet uses secondary payloads like TrickBot, Qakbot, and Zloader. TrickBot is a younger banking trojan that originated in 2016. Like Emotet, TrickBot has changed over time to avoid certain security tools and make its way into networks more easily.

When TrickBot was being heavily used in attacks during October, Microsoft attempted to dismantle TrickBot’s C2 servers and was quite successful: 94% of TrickBot servers were taken down as a result of its efforts.

Emotet and TrickBot are also associated with other threat groups, like Ryuk, which has been a terror for the healthcare sector in 2020.

One tactic discovered by security researchers is jumping into an email thread and replying to a targeted sender.

Emotet’s usual entrance comes via social engineering and getting users to enable macros. This leads us to believe an appearance before Christmas is an attempt to take advantage of unaware users and of the shortage of IT and security personnel, who are off work for the holiday.

Luckily, SpearTip’s Security Operations Center (SOC) is open 24/7. If you experience an incident over the holiday, calling us to mitigate threats and remediate networks is a great option. Our engineers work tirelessly to defend partners from persistent threats. And not only are our cybersecurity experts continuously preventing cyberattacks, but they’re also able to deploy our proprietary tool, ShadowSpear®, in an environment before or after an attack.