{
	"id": "8edd5e4f-0093-40f2-9e57-18310b7f0b67",
	"created_at": "2026-04-06T00:21:38.637046Z",
	"updated_at": "2026-04-10T03:20:56.667178Z",
	"deleted_at": null,
	"sha1_hash": "a02a2ab024407bb1528231c11b6fa2fe12df457e",
	"title": "Malware Analysis Spotlight: Emotet’s Use of Cryptography",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2734414,
	"plain_text": "Malware Analysis Spotlight: Emotet’s Use of Cryptography\r\nBy VMRay Labs\r\nPublished: 2022-02-02 · Archived: 2026-04-05 23:41:00 UTC\r\nEmotet’s Use of Cryptography Presented by the VMRay Labs Team\r\nThe group behind Emotet is the prime example of a very successful criminal enterprise. Emotet started out as a\r\nbanking malware but over time evolved into a large botnet providing something akin to a malicious IaaS\r\n(Infrastructure-as-a-Service). It started providing access to its extensive list of infected devices to other threat actors\r\nand their malware (Trickbot, Dridex, IcedID). It started acting as their loader. Since the beginning of 2021, after a\r\nlonger “break” which was the consequence of a coordinated take down of Emotet’s infrastructure by the law\r\nenforcement, Emotet resurfaced on the 14th of November 2021. Actively trying to rebuild its own infrastructure\r\nutilizing Trickbot. Many of the techniques stayed the same, but there are also some important differences.\r\nThe Emotet binaries, which were distributed starting from November 2021, come with two embedded elliptic-curve-based public keys of the server. The previous versions were using RSA as the primary asymmetric scheme. An RSA\r\npublic key was embedded in the sample and used to encrypt the generated AES-128 key before sending it back to its\r\nC2. For message integrity, the packet was hashed with the SHA1 algorithm and the hash was appended to the request\r\nmessage. The new version comes with two public keys. One key is used for the Elliptic Curve Diffie–Hellman\r\n(ECDH) key exchange protocol while the other is used as part of the signature verification by the Digital Signature\r\nAlgorithm (DSA). 
In this blog post, we’ll be looking at how Emotet uses elliptic curve cryptography to protect the network communication and verify the authenticity and integrity of the commands received from its C2.\r\nBackground\r\nhttps://www.vmray.com/cyber-security-blog/malware-analysis-spotlight-emotets-use-of-cryptography/\r\nPage 1 of 6\n\nComparison: Past vs Present\r\nSince the cryptographic part has changed in the newest version of Emotet, we are providing a high-level overview of the key steps taken by the older and the new versions.\r\nThe previous versions of Emotet that were using RSA roughly followed these steps when encrypting a message:\r\n1. It generates a 128-bit AES key.\r\n2. Encrypts it with the server’s public key.\r\n3. Constructs the message sent to the server.\r\n4. Hashes the message and encrypts it: C = SHA1(M) || AES128(M), where C is the resulting ciphertext and M is the plaintext message.\r\n5. This results in the following request packet: R = RSA(AESkey) || C\r\nFor the newest version the flow and the packets it generates are different, as seen below:\r\n1. It first generates its own ECDH public/private key pair.\r\n2. Then it generates an AES key based on a secret agreement.\r\n3. Constructs the message and hashes it.\r\n4. Encrypts the resulting payload: C = AES256(SHA256(M) || M)\r\n5. The request packet is then given by: R = ECDHmal_pub_key || C || \u003crandom bytes\u003e\r\nElliptic Curve Diffie-Hellman (ECDH) Key Exchange\r\nFor the ECDH to work, the two communicating parties each need to have a key pair, a private and a public key. The public keys are points on an elliptic curve and are generated based on the private keys. The public keys are exchanged, i.e., known by both parties. For example, if s is a private key and P is a primitive element on the curve, then the public key S is calculated as sP = S, which is simply adding P to itself s times. The addition is a group operation. 
If both parties generate their public keys that way based on known domain parameters, they can calculate the same secret T(SM) (1).\r\nThe malware already has the ECDH public key of the server. Its own key pair is generated during the execution. Analogous to the example above, it can now generate a secret from the public key of the server and its own private key. Now it only needs to send its public key to the server for the server to also be able to derive the same secret.\r\nImplementation\r\nUsage of ECDH\r\nEmotet’s cryptographic components are now utilizing Microsoft’s Cryptography API: Next Generation (CNG), most notably the BCrypt cryptographic primitive functions. Initially, the malware decrypts the two embedded public keys of the server (ECDH and ECDSA). It uses the same decryption method as with other strings. The keys are saved inside a BLOB structure which consists of a BCRYPT_ECCKEY_BLOB header immediately followed by the key data (Figure 2).\r\nThe ECDH public key of the server is passed to a function responsible for generating the symmetric key (256-bit AES key). At a higher level it can be described by the following steps:\r\n1. Generate a new ECDH key pair for the malware.\r\n2. Generate a secret agreement based on the malware’s private key and the server’s public key.\r\n3. Derive an AES key from the secret agreement using SHA256 as the key derivation function (KDF).\r\nIn more detail, this function’s first step is to generate an ECDH key pair that is unique to the malware sample. It does so by calling BCryptOpenAlgorithmProvider to initialize a CNG provider with the AlgId ECDH_P256, which corresponds to the prime256v1 or P-256 elliptic curve. Next, it generates a new key pair using the combination of BCryptGenerateKeyPair and BCryptFinalizeKeyPair. 
The keys are then exported into a BLOB using BCryptExportKey for later use (Figure 3).\r\nHaving finalized its key pair, it now imports the server’s public key to be able to use it in the generation of a shared secret. It uses BCryptImportKeyPair, which gets the public key as one of the arguments and returns a handle to it. This handle can then be passed to BCryptSecretAgreement together with a handle to its own key, which it got in the previous step from calling BCryptExportKey (Figure 4). At this stage the secret agreement is equal to the T(SM) value from Figure 1 and Emotet can start deriving a symmetric key.\r\nUsage of the Elliptic Curve Digital Signature Algorithm (ECDSA)\r\nThe server’s ECDSA public key is used to verify the response messages the malware receives. The server’s DSA public key is imported just like the ECDH public key was. When an encrypted response from the server arrives, it is first decrypted with BCryptDecrypt (no padding is used). It then calculates the SHA256 hash of the decrypted data and uses BCryptVerifySignature to verify the integrity and authenticity, i.e., that the hash matches the embedded signed hash, the signature (Figure 6).\r\nConclusion\r\nWe have looked at one of the updated components of Emotet which involves the usage of cryptography. The most obvious element is that the malware developers switched from the RSA algorithm to using elliptic curves. Emotet has been encrypting its communication for a long time, but the recent change might be due to a number of factors, e.g., smaller key sizes and better security. The C2’s response is now checked for its integrity and authenticity by using ECDSA with a separate key. 
With ECDH, the symmetric key is never transmitted over the wire and instead the server generates the key from the public key of the malware. We have also observed the switch from CryptoAPI to CNG, which might be due to the fact that the CryptoAPI has been officially deprecated or that it simply didn’t support elliptic curve cryptography.\r\nIOCs\r\nInitial Sample 7443d5335a207cca176825bd774a412e72882c815206c7f59ace1feb111bb4e9\r\nServer’s ECC keys\r\nECDH:\r\n86M1tQ4uK/Q1Vs0KTCk+fPEQ3cuwTyCz+gIgzky2DB5Elr60DubJW5q9Tr2dj8/gEFs0TIIEJgLTuqzx+58sdg==\r\nECDSA:\r\nQF90tsTY3Aw9HwZ6N9y5+be9XoovpqHyD6F5DRTl9THosAoePIs/e5AdJiYxhmV8Gq3Zw1ysSPBghxjZdDxY+Q==\r\nSource: https://www.vmray.com/cyber-security-blog/malware-analysis-spotlight-emotets-use-of-cryptography/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.vmray.com/cyber-security-blog/malware-analysis-spotlight-emotets-use-of-cryptography/"
	],
	"report_names": [
		"malware-analysis-spotlight-emotets-use-of-cryptography"
	],
	"threat_actors": [],
	"ts_created_at": 1775434898,
	"ts_updated_at": 1775791256,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a02a2ab024407bb1528231c11b6fa2fe12df457e.pdf",
		"text": "https://archive.orkl.eu/a02a2ab024407bb1528231c11b6fa2fe12df457e.txt",
		"img": "https://archive.orkl.eu/a02a2ab024407bb1528231c11b6fa2fe12df457e.jpg"
	}
}