Emotet’s goal: drop Dridex malware on as many endpoints as possible

Updated Friday, Aug. 11 at 7:30 a.m. ET: The significant thing about Emotet is its habit of dropping so many different malware families as payloads wherever it travels. Malware dropped on infected systems by Emotet so far includes:

  • Troj/Agent-*
  • Mal/EncPk-ACW
  • Troj/inject
  • Troj/injecto
  • Troj/Wonton
  • Mal/Slenfbot-G

But Dridex is by far the most prevalent payload, and Sophos Global Malware Escalations manager Peter Mackenzie believes the main goal of Emotet’s creator is to get Dridex on as many endpoints as possible. He said:

It’s the equivalent of dropping a cluster bomb of mines onto a target, some will explode right away because of people not watching what they are doing. Most, however, will be removed safely, with a few left over for years in places people forgot to check, waiting for that unlucky victim to step on them.

The fact that most detections occurred because of a few generic accounts with weak passwords is proof of the damage a weak password can do, especially when the account has admin access.

We’ll continue to update this article as new details emerge.


Network worms and Trojan malware are back with a vengeance. A good example is WannaCry, which infected hundreds of thousands of computers across the globe in May. Now comes Emotet – malware with worm and trojan characteristics that exploits weak admin passwords to spread across a victim’s network.

SophosLabs has seen a surge in Emotet cases in the past week and has blocked it from customer computers. Its payload is a form of banking Trojan designed to steal a user’s online banking details. Labs researcher Tad Heppner described it this way:

Emotet is a trojan although it also contains the functionality necessary to be classified as a worm.  The primary distinction is that a trojan requires some degree of social engineering to trick a human into enabling the spread of the infection whereas a worm can spread to other systems without the aid of a user. Emotet downloads then executes other payloads, so even though its core component is not directly a worm, it does have the potential to download and execute another component to spread itself to other systems.

How it works

The initial infection is distributed via email spam. Researchers pieced together the following sequence of events:

  • A spam email containing a download link arrives in the victim’s inbox.
  • The download link points to a Microsoft Word document.
  • The downloaded document contains VBA code that decodes and launches a PowerShell script.
  • The PowerShell script then attempts to download and run Emotet from multiple URL sources.

The Emotet components are contained in a self-extracting WinRAR archive bundled with a large dictionary of weak and commonly used passwords. (Note: WinRAR is a Windows file compression tool.)

The password dictionary is used to gain access to networked systems. Once Emotet gains access to a system, it copies itself to the hidden C$ or Admin$ shares. The copy is often given the filename my.exe, but other filenames have been used.

Emotet contains an embedded list of strings from which it chooses two words to meld into the filename it will use at the time of initial infection. The choice is seeded with the hard disk volume ID, so the same hard disk always produces the same filename.

It also downloads a self-updating component capable of downloading the latest copy of itself and other modules. This component is saved as %windows%\<filename>.exe, where the filename consists of 8 hexadecimal digits.

Some of the other modules this component downloads are used to harvest credentials from other known applications or to harvest email addresses from Outlook PST files for use with targeted spam.

When the updater component updates the main Emotet component, it replaces the parent file using the same filename comprised of the same strings chosen earlier.  It then installs and runs the updated exe as a Windows service.
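The file-naming habits described above can be turned into a quick triage pass over a collected file inventory. The following Python sketch is an added example, not Sophos code: it flags an 8-hex-digit .exe sitting directly in the Windows directory and a my.exe at the root of the C$ or Admin$ share. The default Windows path, the labels and the sample inventory are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

# Updater component per the article: %windows%\<8 hexadecimal digits>.exe
HEX8_EXE = re.compile(r"^[0-9a-f]{8}\.exe$", re.IGNORECASE)
# Name the article says the share copy is often given (others have been used).
SHARE_COPY_NAMES = {"my.exe"}
# UNC prefix of an administrative share: \\host\C$ or \\host\ADMIN$
ADMIN_SHARE = re.compile(r"^\\\\[^\\]+\\(admin\$|[a-z]\$)$", re.IGNORECASE)


def to_local(path, windows_dir):
    """Map an admin-share UNC path to the local path it refers to."""
    p = PureWindowsPath(path)
    m = ADMIN_SHARE.match(p.drive)
    if not m:
        return p
    share = m.group(1).lower()
    # ADMIN$ exposes the Windows directory; X$ exposes the root of drive X.
    base = windows_dir if share == "admin$" else share[0] + ":\\"
    return PureWindowsPath(base).joinpath(*p.parts[1:])


def classify(path, windows_dir=r"C:\Windows"):
    """Return the matching artifact label for one file path, or None."""
    win = PureWindowsPath(windows_dir)  # assumed install location
    p = to_local(path, windows_dir)
    if p.parent == win and HEX8_EXE.match(p.name):
        return "updater-name"
    share_roots = (win, PureWindowsPath(win.anchor))
    if p.name.lower() in SHARE_COPY_NAMES and p.parent in share_roots:
        return "share-copy-name"
    return None


def triage(paths, windows_dir=r"C:\Windows"):
    """Return (path, label) for every path that matches a pattern."""
    labelled = [(p, classify(p, windows_dir)) for p in paths]
    return [(p, label) for p, label in labelled if label]


# Constructed sample inventory for illustration (not real telemetry).
SAMPLE = [
    r"C:\Windows\explorer.exe",           # 8 characters, but not hex
    r"C:\Windows\1A2B3C4D.exe",           # 8 hex digits in the Windows dir
    r"C:\Windows\System32\1a2b3c4d.exe",  # not directly under the Windows dir
    r"\\FILESRV01\ADMIN$\my.exe",         # copy at the root of Admin$
    r"\\FILESRV01\C$\Users\bob\my.exe",   # same name, not at a share root
]
```

A hit is a lead to investigate rather than a verdict: a legitimate file can have an all-hex name, and the article notes that filenames other than my.exe have been used.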

Recent Dridex and Qbot infections have also been discovered on Emotet-infected machines. It’s possible that Emotet’s ability to download and execute other payloads is currently being used to deploy geotargeted payloads.

Defensive measures

The attacker behind this outbreak has reacted to Sophos’ detections by creating new variants as the attacks persisted, taking advantage of the Emotet updating feature. They also changed the IP addresses they were downloading payloads from.

Nevertheless, Sophos is protecting customers from the threat and has created a Knowledge Base Article with a full breakdown of variants detected.

SophosLabs detects Emotet components as:

  • Mal/Emotet
  • HPmal/Emotet
  • Troj/EmotMem-A

To guard against malware exploiting Microsoft vulnerabilities in general:

  • Stay on top of all patch releases and apply them quickly.
  • If at all possible, replace older Windows systems with the latest versions.

Other advice:

  • If you receive a Word document by email and don’t know the person who sent it, don’t open it.
  • Block macros in Office documents.
  • Lock down file sharing across the network.
  • Make sure users do not have default admin access.
  • Enforce password best practices.
  • Use an anti-virus with an on-access scanner (also known as real-time protection).
  • Consider stricter email gateway settings.
  • Never turn off security features because an email or document says so.