{
	"id": "db7c7a8f-060d-4f6e-993c-ecb5e1b90df5",
	"created_at": "2026-04-06T00:11:56.739162Z",
	"updated_at": "2026-04-10T13:11:33.836845Z",
	"deleted_at": null,
	"sha1_hash": "5b2e88005909af59e6232b3225736c80b0d87962",
	"title": "MS-ISAC Security Primer- Emotet",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 782754,
	"plain_text": "MS-ISAC Security Primer- Emotet\r\nArchived: 2026-04-05 22:23:14 UTC\r\nPublished on December 12, 2018\r\nOverview\r\nEmotet continues to be among the most costly and destructive malware affecting state, local, tribal, and territorial\r\n(SLTT) governments. Its highly infectious nature makes it difficult to combat and has cost SLTT governments up\r\nto $1 million per incident to remediate due to its worm-like features resulting in rapid, network-wide infections.\r\nEmotet is an advanced, modular banking trojan that primarily functions as a downloader or dropper of other\r\nbanking trojans. Additionally, Emotet is polymorphic allowing it to evade typical signature-based detection. It has\r\nseveral methods for maintaining persistence, including auto-start registry keys and services. The trojan uses\r\nmodular Dynamic Link Libraries (DLL) to continuously evolve and update its capabilities. Furthermore, Emotet is\r\nVirtual Machine (VM) aware and can generate false indicators if run in a virtual environment.\r\nEmotet is disseminated through malspam (emails containing malicious attachments or links) that uses branding\r\nfamiliar to the recipient, including the MSISAC name. As of July 2018, the most recent campaigns imitate PayPal\r\nreceipts, shipping notifications, or “past-due” invoices purportedly from the MS-ISAC. Initial infection occurs\r\nwhen a user opens or clicks the malicious download link, XML, PDF, or macro enabled Microsoft Word document\r\nincluded in the malspam. Once downloaded, Emotet establishes persistence and attempts to propagate the local\r\nnetworks through incorporated spreader modules.\r\nCurrently, there are five known spreader modules:\r\nhttps://www.cisecurity.org/white-papers/ms-isac-security-primer-emotet/\r\nPage 1 of 5\n\nNetPass.exe: a legitimate utility developed by NirSoft that recovers all network passwords stored on a\r\nsystem for the current logged-on user. This tool can also recover passwords stored in the credentials file of\r\nexternal drives.\r\n Outlook scraper: a tool that scrapes dates, names, email addresses, and email bodies from the victim’s\r\nOutlook accounts and uses that information to send out additional phishing emails from the compromised\r\naccounts.\r\nWebBrowserPassView: a password recovery tool that captures passwords stored by Internet Explorer,\r\nMozilla Firefox, Google Chrome, Safari, and Opera and passes them to the credential enumerator module.\r\nMail PassView: a password recovery tool that reveals passwords and account details for various email\r\nclients such as Microsoft Outlook, Windows Mail, Mozilla Thunderbird, Hotmail, Yahoo! Mail, and Gmail\r\nand passes them to the credential enumerator module.\r\nCredential enumerator: a self-extracting RAR file containing two components, a bypass, and a service\r\ncomponent. The bypass component is used for enumeration of network resources and either find writable\r\nshare drives using Server Message Block (SMB) or tries to brute force user accounts, including the\r\nadministrator account. Once an available system is found, Emotet then writes the service component on the\r\nsystem, which writes Emotet onto the disk. Access to SMB can result in entire domains (servers and\r\nclients) becoming infected.\r\nTo maintain persistence, Emotet injects code into explorer.exe and other running processes. The trojan can also\r\ncollect sensitive information including system name, location, and operating system version, sending it to a\r\nremote command and control server (C2). The C2 is a compromised web server, commonly hosting Nginx, and\r\nthe connection is over a common web port to a URL containing the IP address. Once Emotet establishes the\r\nconnection with the C2, it reports a new infection, receives configuration data, downloads and runs files, receives\r\ninstructions, and uploads base64 encoded data to the C2 server.\r\nEmotet artifacts are typically found in arbitrary paths located off of the AppData\\Local and AppData\\Roaming\r\ndirectories and mimicking names of known executables. Persistence is typically maintained through scheduled\r\ntasks or via registry keys. Additionally, Emotet creates randomly-named files in the system root directories that are\r\nrun as windows services. When executed, these services attempt to propagate the malware to adjacent systems via\r\naccessible administrative shares. It is essential that privileged accounts are not used to login to compromised\r\nsystems during remediation as this may accelerate the spread of the malware.\r\nhttps://www.cisecurity.org/white-papers/ms-isac-security-primer-emotet/\r\nPage 2 of 5\n\nRecommendations:\r\nThe MS-ISAC recommends organizations adhere to the following general best practices, to limit the effect of\r\nEmotet and similar malspam in your organization.\r\nUse Group Policy to set a Windows Firewall rule to restrict inbound SMB communication between client\r\nsystems. If using an alternative host-based intrusion prevention system (HIPS), consider implementing\r\ncustom modifications for the control of client-to-client SMB communication. At a minimum create a\r\nGroup Policy Object that restricts inbound SMB connections to clients originating from clients.\r\nUse antivirus programs on clients and servers, with automatic updates of signatures and software.\r\nDisable all macros except those which are digitally signed.\r\nhttps://www.cisecurity.org/white-papers/ms-isac-security-primer-emotet/\r\nPage 3 of 5\n\nApply appropriate patches and updates immediately after appropriate testing.\r\nImplement filters at the email gateway to filter out emails with known malspam indicators, such as known\r\nmalicious subject lines, and block suspicious IP addresses at the firewall.\r\nIf you do not have a policy regarding suspicious emails, consider creating one and specifying that all\r\nsuspicious emails should be reported to the security and/or IT departments.\r\nMark external emails with a banner denoting it is from an external source. This will assist users in\r\ndetecting spoofed emails.\r\nProvide social engineering and phishing training to employees. Urge them to not open suspicious emails,\r\nclick links contained in such emails, post sensitive information online, and to never provide usernames,\r\npasswords and/or personal information to any unsolicited request. Teach users to hover over a link with\r\ntheir mouse to verify the destination prior to clicking on the link.\r\nAdhere to the principle of least privilege, ensuring that users have the minimum level of access required to\r\naccomplish their duties. Limit administrative credentials to designated administrators.\r\nImplement Domain-Based Message Authentication, Reporting \u0026 Conformance (DMARC), a validation\r\nsystem that minimizes spam emails by detecting email spoofing using Domain Name System (DNS)\r\nrecords and digital signatures.\r\nAdhere to best practices, such as those described in the CIS Controls, which are part of the CIS\r\nSecureSuite.\r\nIf a user opened a malicious email or an infection is believed to exist, we recommend running an antivirus scan on\r\nthe system and take action based on the results to isolate the infected computer. If multiple machines are infected:\r\nConsider temporarily taking the network offline to perform identification, prevent reinfections, and stop the\r\nspread of the malware. Emotet could be dropping malware with Remote Access Trojan (RAT) capabilities\r\ndamaging the integrity of the overall network.\r\nIdentify, shutdown, and take the infected machines off the network.\r\nDo not log in to infected systems using a domain or shared local admin accounts.\r\nAfter reviewing systems for Emotet indicators, reimage and move clean systems to a containment VLAN,\r\nsegregated from the infected network.\r\nIssue password resets for both domain and local credentials.\r\nAs Emotet scrapes additional credentials, consider password resets for other applications that may have had\r\nstored credentials on the compromised machine(s).\r\nReview log files and the Outlook mailbox rules associated with the user account to ensure further\r\ncompromises have not occurred. It is possible that the Outlook account may now have rules to auto-forward all emails to an external email address, which could result in a data breach.\r\nSearch base64 encoded network stream data referencing the organization’s email domain. If references are\r\nfound, perform additional analysis to see if a data breach has occurred.\r\nThe MS-ISAC is the focal point for cyber threat prevention, protection, response, and recovery for the\r\nnation’s state, local, tribal, and territorial (SLTT) governments. More information about this topic, as well as\r\n24×7 cybersecurity assistance for SLTT governments, is available at 866-787-4722, SOC@cisecurity.org,\r\nor https://www.cisecurity.org/ms-isac/. The MS-ISAC is interested in your comments – an anonymous feedback\r\nsurvey is available.\r\nhttps://www.cisecurity.org/white-papers/ms-isac-security-primer-emotet/\r\nPage 4 of 5\n\nAs of June 23, 2025, the MS-ISAC has introduced a fee-based membership. Any potential reference to no-cost\r\nMS-ISAC services no longer applies.\r\nSource: https://www.cisecurity.org/white-papers/ms-isac-security-primer-emotet/\r\nhttps://www.cisecurity.org/white-papers/ms-isac-security-primer-emotet/\r\nPage 5 of 5",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cisecurity.org/white-papers/ms-isac-security-primer-emotet/"
	],
	"report_names": [
		"ms-isac-security-primer-emotet"
	],
	"threat_actors": [],
	"ts_created_at": 1775434316,
	"ts_updated_at": 1775826693,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5b2e88005909af59e6232b3225736c80b0d87962.pdf",
		"text": "https://archive.orkl.eu/5b2e88005909af59e6232b3225736c80b0d87962.txt",
		"img": "https://archive.orkl.eu/5b2e88005909af59e6232b3225736c80b0d87962.jpg"
	}
}