Beware! Your website might be delivering Emotet malware


Estimated reading time: 11 minutesIn 2018, we saw a surge in Emotet activity. Emotet started as a banking trojan but this blog will shed light on how it has also become a “threat distributor”. We will also discuss server-side and client-side activity and how it spreads. Its self-propagation makes it all the more challenging for security vendors to detect it statically. We will explain how the URLs in the spam emails, malware hosted on these URLs are constantly changing and the use of brute forcing for lateral movement. What is Emotet? Emotet malware campaign has existed since 2014. It comes frequently in intervals with different techniques and variants to deliver malware on a victim. We see attackers using complex techniques to evade detection. It has evolved from a standalone banking trojan to complex threat distributor. At the start of 2017, we had seen the Emotet campaign spreading through malspam email with attached PDF and JS file. In 2018, it is spreading through MS Office Word documents with a heavily obfuscated macro inside it. The mail also consists a URL which downloads the MS Office (Word, Excel) documents. US-CERT had issued an alert highlighting how Emotet is a serious threat. What makes it a more complex distributor? The malware shows persistent infection and is very aggressive in terms of changing the URLs and the payloads delivered by them at regular intervals making it difficult for static detection. We also saw credential theft of the network, email account credentials and passwords stored in web browsers. It attempts to spread internally throughout the network via brute force attacks using stolen credentials. It hijacks the email ids by scraping names and email addresses from the victim’s Outlook account and then using the account to send out more malspam, essentially turning victims into spammers. Infection Vector: Fig. 1 Emotet Complete Life Cycle The campaign is divided into two stages. Attack on the website. Attack on the victim’s machine. (Already discussed in our previous blog) These compromised websites were used for hosting the latest malware. These malware are downloaded as a document and then as an executable of Emotet in the later stage of spreading the malware. Why Emotet is targeting PHP based websites?  Approximately 70%-80% of the websites are developed using PHP. Even content management systems like Joomla, WordPress run on PHP. PHP being a server-side scripting language executes code on the server and gives HTML as a response. If the attacker succeeds to execute malicious code on (PHP) server then he can get admin access of the server. To execute malicious code on the server vulnerabilities are targeted. Like in WordPress and Joomla plugins many vulnerabilities are found which can be exploited. Some of them are “Arbitrary File Upload Vulnerability”, “Direct access to XMLRPC.php”, “Remote privilege escalation vulnerability”, “Cross-site scripting” and “Information disclosure vulnerability”. During the analysis, we inspected that it uses latest vulnerabilities exploit-db and rapid7. Also, in the code it carries links like “”. Usually these vulnerabilities are not patched by the website owners as updating to latest plugins might affect their website themes. That’s why these websites are easily targeted which can be used as free and undetectable infrastructure to harvest different malware. How Emotet is compromising websites and used as a threat distributor?  When a user accesses the URL, it goes as a “Get” request to the server. The server reads URL and executes PHP page associated with the current request. e.g. When user accesses “”, on server-side webserver checks login.php page. If it is present then executes code on the server and sends HTML as response. Generally, we can’t access PHP code directly as its access is restricted by the server. To plant a backdoor script on PHP based websites/server, the attacker needs to upload the backdoor script on PHP server using any of the above-mentioned vulnerabilities.  Then the attacker needs to send a request for that resource (backdoor script) which will execute on PHP server and gives access to PHP server along with the server’s admin id and password. It will in turn download more malicious content from CnC server. Emotet may targeting PHP websites by uploading the backdoor script to vulnerable websites. The attacker may use vulnerability…

Article Link: