Exploring Emotet, an elaborate everyday enigma

Thursday 3 October 14:30 - 15:00, Green room

Luca Nagy (Sophos)

The Emotet trojan is the most widespread malware family in the wild. It has been, and is still, the most notorious and costly malware since its appearance more than five years ago. Emotet owes its reputation to its constant state of evolution and change. The malware's rapid advancement helps support its highly sophisticated operation.

In this presentation, I'll walk attendees through my investigation of the Emotet family and reverse engineering of its components. I'll discuss the capabilities and features of Emotet, giving a detailed overview of its multi-layered operation: starting with the spam lure, then the malicious attachments (and their evolution), and finally the malware executable itself, from its highly sophisticated packer to its C&C communications.

Emotet is well known for its modular architecture, worm-like propagation, and highly skilled persistence techniques. The recent versions spread rapidly using multiple methods. Besides spreading by brute forcing with its own password lists, it can harvest all the emails from victims and then spread through spam. Its diverse module list serves different malicious purposes: stealing information, including credentials from browsers or email clients; spreading; and delivering other malware, including ransomware and other banking trojans.

Finally, I will dissect the background operation of the payload modules. I’ll also present statistics from Sophos about its global reach.




Luca Nagy

Luca Nagy has been working as a threat researcher at the Hungarian site of SophosLabs. She has recently finished her studies in computer engineering, during which she developed an interest in IT security and a passion for malware analysis. At SophosLabs, Luca spends her time reverse engineering emerging threats and creating detections against them. She is also highly interested in memory forensics and exploits.

