What is the Emotet Trojan

What is the Emotet Trojan? The Emotet Trojan is malware that first emerged about five years ago as a banking trojan. Since then, the trojan has evolved. Today, Emotet can be found in combination with other banking trojans, information stealers, email harvesters, self-propagation mechanisms, and ransomware.

What are the Dangers of Emotet?

Covered entities and business associates may be at risk of an Emotet attack because of the unique manner in which Emotet operates. Understanding the mode of operation of Emotet is crucial for risk management purposes under the HIPAA Security Rule, which requires entities to implement administrative, physical, and technical safeguards, to ensure the confidentiality, availability, and integrity of electronic protected health information (ePHI).

Emotet spreads through socially engineered spam emails. These emails reuse email content that has already been stolen. This reuse serves to trick targets into thinking that they are responding to a legitimate email.

Once a victim's email has been stolen, Emotet constructs new attack messages. These messages are sent as direct replies to some of the victim's actual unread email messages, even going so far as to quote blocks of text from the threads of those unread messages. The malware composes a genuine-looking message from the infected account itself.

Emotet commandeers existing email messages, complete with actual subject headers and content. Therefore, anti-spam filters have difficulty filtering these messages.

In addition to hijacking email accounts, Emotet also steals its victims' email credentials and uses them to send outbound messages. Once stolen, the credentials are passed to other bots within the Emotet network, which in turn allows Emotet to send yet more malicious messages.

Emotet is unusually sophisticated. As it operates, it assigns specific roles to its infections, including a spam emitter bot. The bot receives a list of outgoing email credentials – including mail server IP addresses.

What Should Covered Entities and Business Associates Look Out For?

Covered entities and business associates should educate staff to look for signs of an Emotet attack. Specifically, staff should be educated to watch out for emails that:

  • Appear to be unexpected replies to older email threads
  • Seem out of context
  • Come from familiar names, but are sent from unfamiliar email addresses
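The three indicators above can be turned into a simple mailbox triage check. The following is an added example, not code from the original article: it parses a few constructed sample messages with Python's standard `email` library and flags (a) a From display name that matches a known contact but carries an unfamiliar address, and (b) a reply whose referenced parent message is missing from the mailbox or older than a staleness threshold. The contact directory, thread index, and message samples are all constructed for illustration.

```python
"""Triage heuristics for Emotet-style reply-chain lures (added example)."""
from datetime import datetime, timedelta, timezone
from email import message_from_string, utils
from email.message import Message

# Constructed directory of known contacts: display name -> expected address.
KNOWN_CONTACTS = {
    "Dana Reyes": "dana.reyes@example-clinic.test",
    "Billing Office": "billing@example-clinic.test",
}

# Constructed index of the mailbox's own thread history: Message-ID -> date.
THREAD_INDEX = {
    "<inv-2018-11-03@example-clinic.test>": datetime(2018, 11, 3, tzinfo=timezone.utc),
    "<sched-2019-02-20@example-clinic.test>": datetime(2019, 2, 20, tzinfo=timezone.utc),
}

# A reply to a thread older than this is "unexpected" for triage purposes.
STALE_REPLY = timedelta(days=30)


def sender_mismatch(msg: Message):
    """Known display name but a different address -> reason string, else None."""
    name, addr = utils.parseaddr(msg.get("From", ""))
    expected = KNOWN_CONTACTS.get(name)
    if expected and addr.lower() != expected.lower():
        return f"familiar name '{name}' sent from unfamiliar address {addr}"
    return None


def stale_reply(msg: Message, now: datetime):
    """Reply to an unknown or old thread -> reason string, else None."""
    parent = msg.get("In-Reply-To")
    if not parent:
        return None
    parent_date = THREAD_INDEX.get(parent.strip())
    if parent_date is None:
        return "reply to a thread not present in the mailbox"
    age = now - parent_date
    if age > STALE_REPLY:
        return f"unexpected reply to a thread {age.days} days old"
    return None


def triage(raw: str, now: datetime):
    """Return the list of indicator reasons for one raw RFC 822 message."""
    msg = message_from_string(raw)
    return [r for r in (sender_mismatch(msg), stale_reply(msg, now)) if r]


# Constructed sample messages. The analysis date is also fixed so the
# example is reproducible offline.
NOW = datetime(2019, 3, 1, tzinfo=timezone.utc)

LEGIT = (
    "From: Dana Reyes <dana.reyes@example-clinic.test>\n"
    "In-Reply-To: <sched-2019-02-20@example-clinic.test>\n"
    "Subject: Re: Schedule change\n"
    "\n"
    "Thanks, that works.\n"
)

SUSPICIOUS = (
    'From: "Dana Reyes" <dana.reyes@mail-relay.invalid>\n'
    "In-Reply-To: <inv-2018-11-03@example-clinic.test>\n"
    "Subject: Re: Invoice\n"
    "\n"
    "Please see the attached document.\n"
)

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("suspicious", SUSPICIOUS)):
        print(label, triage(raw, NOW))
```

Real deployments would source the contact directory and thread index from the mail store rather than from literals, but the two checks themselves map one-to-one onto the indicators staff are asked to watch for.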

News of the resurgence of Emotet comes at a particularly unfortunate time; in January of 2019, a Malwarebytes Labs report concluded that Trojan malware supplanted ransomware as the greatest hacking threat to the healthcare sector in 2018.
