Question

How does Emotet establish connection to the C&C infrastructure?

Answer 1

Emotet gets an initial foothold on a victim machine or network by sending an email containing either a malicious link that leads to a downloader document or that has a malicious document attached. Anti-analysis tactics have been present in Emotet since at least 2015 and, in 2018, Emotet’s payload consists of a packed file containing the main component and an anti-analysis module. The anti-analysis module performs multiple checks to ensure it is not being run on a malware research machine, then loads the main component. Either PowerShell or JavaScript is used to download the Trojan, which delivers a packed payload file to the victim machine. Once on a machine, the latest version of Emotet:

1. Moves itself to its preferred directory
2. Creates a LNK file pointing to itself in the start-up folder
3. Collects victim machine information and sends it to the C&C server

It can then download any new payloads from the C&C server, and execute them. Emotet can download an updated version of itself, or any other threat. Existing versions of Emotet download modules from the C&C server that include:

• Banking module: This module intercepts network traffic from the browser to steal banking details entered by the user. This is what gave Trojan.Emotet its reputation as a banking Trojan.
• Email client infostealer module: This module steals email credentials from email client software.
• Browser infostealer module: This module steals information such as browsing history and saved passwords.
• PST infostealer module: This module reads through Outlook’s message archives and extracts the sender names and email addresses of the messages, presumably to use for spamming.

All information stolen by these modules is sent to the C&C server. Emotet also has a DDoS module that can add the infected machine to a botnet to carry out DDoS attacks.