Secure Browsing

Emotet – The Polymorph Strikes Back


We first encountered it a long time ago, in a galaxy far, far away… OK, more like 2014 — a veritable eon ago in cyber terms. Back then, Emotet was a formidable member of the Feodo Trojan malware family, aimed at committing e-banking fraud. Attacking endpoints with impunity, primarily in Germany, Austria and Switzerland, and later spreading to the United States, this initial incarnation intercepted outgoing network traffic while it searched for bank account details. Architecturally, this first version of Emotet was constructed modularly, including an installation module, a banking module, a spambot module and a theft module that harvested email addresses from MS Outlook.

Emotet had profit as its goal. Designed to work unnoticed, the malware transferred funds from infected users’ bank accounts to the foreign accounts of the perpetrators. Stealthily lying in wait until account information could be intercepted, Emotet played cat and mouse with cyber security specialists, even changing the domain name of its C2 server several times in a single day.

During the course of 2014 and early 2015, the cyber defense community caught up with Emotet’s many guises — Cridex, Dridex, ZeuS, Feodo, and Geodo, among others. The malware performed web injects into the HTML pages of financial institutions and used normal web browsing as a way to gain access to endpoints. Defense against the Emotet monster was a standard part of everybody’s EDR solutions. It seemed the malware was on its last legs. Until…


One of the many unpleasant cyber surprises of 2017 was an old familiar face — Emotet was back!

Now phishing for profit as an email attachment—a fake phone bill in pdf format—the 2017 version of the Emotet campaign began by infecting users in the UK. The file attachments, that used very long names to distract users from noticing the ‘.exe’ extension, contained the Emotet loader. Clicking on the ominous attachment directed email recipients to URLs from which malware began downloading to the endpoint.

When Emotet began spreading from the UK to the US, its handlers adjusted their delivery method to pdf attachments containing a link to some javascript. Unsuspecting email recipients were induced to click by the use of clever subject lines, describing an important-sounding (but fake) billing notification.

Within the pdf is a link that returns a .JS file which is laced with gobs of junk data. Running the .JS file creates HTTP GET requests over port 8080 to the IP address of a Command and Control (C2) server in a distant country…

In April 2017, another Emotet variant turned up. Its new distribution method was an MS Office document containing a macro that runs a PowerShell script to download the payload. The malware uses various mechanisms to establish persistence and remain undetected. It unpacks itself directly into memory and drops malicious files in the Windows system. The malware actually changes its name to avoid detection once it has infected a system.

Some of the many technologies and features Emotet exploits to spread, function and avoid detection include:

  • A worm module to spread the malware across the enterprise network
  • A remotely activated spam module that harvests addresses and sends emails
  • An executable that avoids static analysis by resolving functions dynamically at run time
  • A marker to detect if the machine is already infected
  • The ability to spread through networks by brute force on Active Directory domain accounts with a dictionary attack
  • Employment of the EternalBlue / DoublePulsar backdoor combo (recently connected to WannaCry)
  • The ability to check for a sandbox environment to thwart analysis

And the latest in malware fashion: advanced polymorphism.

Polymorphing for Fun — and Profit

What is truly special about the return of Emotet is its advanced polymorphism—the ability to change itself dynamically so as to remain undetected by anti-virus and other EDR solutions. Executables on this scale are true game changers.


Emotet is able to repeatedly mutate while still keeping its primary intent and original algorithm intact. The code changes at every execution, but the function of the code remains the same. By changing certain aspects of its own code each time it runs, Emotet defies even the strongest detection-based security solutions.

Intrusion detection and prevention systems (firewalls, anti-viruses, etc.) identify malicious code by matching code patterns, and process and file hashes, with known malware. As new strains of malware are encountered, they are added to global threat intelligence databases, enabling cyber security systems to quickly detect attacks based on experience. However, in the case of polymorphing code, the constant mutations keep the cyber security systems in the dark by forcing them to play a “whack-a-mole” game they can never win. No sooner do they catch onto Emotet’s latest mutation, then it morphs and disappears into anonymity yet again.


Many threat analysis products use a very short sleep period, waking up frequently to try to catch malware in action. Emotet is cleverly designed to sleep for a long period of time to avoid detection. That anti-detection tactic is easy. To really outsmart analysis techniques, Emotet can actually check when the scanner begins to monitor activities. That’s when it goes into suspended animation.

A tried and trusted method to safely check potential malware—putting it into a virtual environment such as a sandbox— simply doesn’t work on Emotet, since it has an antidote for that, too. Emotet can check if it is in a sandbox environment and, if so, it will refuse to function.

IP Addresses in Motion

In the past, malware could be identified and tracked by the IP addresses that it used for Command and Control and transmission of data. But this method of cyber defense is falling by the wayside. More than 100,000 new malicious IP addresses are created every day, indicating that cyber criminals are greatly expanding the number of new IPs to avoid detection. Emotet can jump back and forth among hundreds of C2s at warp speed.

Protection from Polymorphic Malware

Despite Emotet’s anti-detection smarts, leading cyber security vendors have developed a number of techniques to detect the presence of Emotet (and polymorphic malware in general). They look for signs of:

  • Code permutation
  • Register renaming
  • Code expansion
  • Garbage code
  • Code shrinking
  • Generic decryption scanning
  • Emulation
  • Negative heuristic analysis
  • Memory block hashing

Another useful means of detection is behavior-based analytics where, instead of looking for signatures, processes are watched for suspicious behaviors.

Best Practices

To protect against polymorphic malware, enterprises must adopt an approach to cyber security that combines user behavior, processes, and technology.

  • Train users not to click on suspicious links or attachments.
  • Keep all software on all endpoints current at all times.
  • Enforce the use of strong passwords and ensure that users change them regularly. Multi-factor authentication is even better.
  • Deploy behavior detection tools that can discover threats in real time.
  • Implement remote browser isolation for all web browsing. Even if a user succumbs to an Emotet email campaign (or other polymorphic malware) that directs them to a shady website, any javascript from that site will remain caged inside a disposable container running on a remote server, secluded from the endpoint. Since the isolated virtual browser renders all web content remotely, only passing a benign stream of webpage images to the user device, no active code or scripts ever reach the endpoint, and organizational systems stay safe and sound. A New Hope, if you will…


If you liked this article you might also be interested in some of our latest blog posts:

Mendy Newman

Mendy Newman

Group CTO, International | Ericom Software