Emotet first hit networks back in 2014 as a dropper for banking trojans. More recently, however, the group behind the malware has invested heavily in development and has turned Emotet into an end-to-end malware delivery service.
Once inside the network, Emotet is extremely annoying to deal with: it has multiple ways of spreading automatically and maintains persistence through registry keys and startup tasks. It spreads using credentials and email addresses harvested with NetPass.exe, an Outlook scraper, WebBrowserPassView, Mail PassView, and a credential enumerator. Additionally, it has been observed dropping supplemental malware that spreads through a modified version of one of the leaked NSA exploits – essentially it uses SMB to force the Domain Controller to download and execute a malicious file. If the 2017 MS17-010 patches have been applied, this SMB exploit should not work.
The easiest place to stop this malware is at the initial infection attempt. The initial infection is spread through malspam containing either a malicious PDF or a macro-enabled Word document, which uses JavaScript (in the case of the PDF) or PowerShell (in the case of the Word document) to download the Emotet executable.
Some things you can do to guard against this malspam are to have strong spam filters in place on both inbound and outbound email, as well as “mark[ing] external emails with a banner denoting it is from an external source. This will assist users in detecting spoofed emails” (us-cert.gov). End-user training can also be very effective at stopping these attacks before they even start.
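The two controls above can be automated at the mail gateway. The following is an added example, not code from the original alert or from SecuLore: it parses a raw message, tags it with an [EXTERNAL] banner when the sender's domain is not in an internal-domain list (the list, the banner text and the sample message are assumptions), and flags the two attachment types the alert describes, Office files that carry a VBA project (word/vbaProject.bin inside the OOXML zip, or a macro-capable extension) and PDFs that contain action or script objects such as /OpenAction and /JavaScript.

```python
import email
import email.utils
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Assumption: the organisation's own sending domains (placeholder value).
INTERNAL_DOMAINS = {"example.internal"}
BANNER = "[EXTERNAL] "
# Office formats that can carry VBA: macro-enabled OOXML plus the legacy binary formats.
MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".doc", ".xls", ".ppt")
# PDF name objects that make a document run something when it is opened.
PDF_ACTIVE_TOKENS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/Launch", b"/AA")


def sender_domain(msg):
    """Domain of the From: address, lower-cased; '' if it cannot be parsed."""
    _, addr = email.utils.parseaddr(str(msg.get("From", "")))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def ooxml_has_vba(data):
    """True if an OOXML (zip-based) attachment contains a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def pdf_active_tokens(data):
    """PDF name objects present in the file that trigger actions or scripts."""
    return [t.decode() for t in PDF_ACTIVE_TOKENS if t in data]


def inspect_attachment(part):
    """Return a list of human-readable findings for one MIME attachment."""
    name = (part.get_filename() or "").lower()
    data = part.get_content()
    if not isinstance(data, bytes):
        data = str(data).encode("utf-8", "replace")
    findings = []
    if name.endswith(MACRO_EXTENSIONS):
        findings.append(f"{name}: macro-capable Office format")
    if ooxml_has_vba(data):
        findings.append(f"{name}: contains vbaProject.bin (VBA macros present)")
    if name.endswith(".pdf") or data.startswith(b"%PDF"):
        tokens = pdf_active_tokens(data)
        if tokens:
            findings.append(f"{name}: PDF active content {', '.join(tokens)}")
    return findings


def triage(raw):
    """Classify one raw RFC 5322 message; returns a dict a gateway rule can act on."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    external = sender_domain(msg) not in INTERNAL_DOMAINS
    subject = str(msg.get("Subject", ""))
    if external and not subject.startswith(BANNER):
        subject = BANNER + subject
    findings = []
    for part in msg.iter_attachments():
        findings.extend(inspect_attachment(part))
    return {"external": external, "subject": subject, "findings": findings}


def build_sample():
    """Constructed sample: external sender, a macro-enabled .docm and a scripted PDF."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "Accounts <billing@vendor.example>"
    msg["To"] = "user@example.internal"
    msg["Subject"] = "Invoice 2024-117"
    msg.set_content("Please see the attached invoice.")
    # Minimal OOXML container with a VBA project part (all contents are dummies).
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="invoice.docm")
    pdf = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction "
           b"<< /S /JavaScript /JS (constructed-sample) >> >>\nendobj\n%%EOF\n")
    msg.add_attachment(pdf, maintype="application", subtype="pdf", filename="invoice.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print(key, value)
```

Token matching on raw PDF bytes is deliberately crude: it will miss names hidden inside compressed object streams, so treat a hit as a reason to quarantine for deeper analysis rather than as a full parse. The banner is applied to the subject here; a production gateway would more commonly prepend it to the body.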
NOTE: If you are dealing with an active infection, the easiest thing to do is to isolate, wipe, and reimage the infected systems. It is essential that privileged accounts are not used to log in to compromised systems during remediation, as this may accelerate the spread of the malware – remember, it spreads using harvested credentials. If you do have to log in to a system, make sure it is taken off the network beforehand and is not allowed to reconnect until it has been reimaged.
Stay cyber-safe,
Cyber-Protecting Our Nation’s Critical Infrastructure
At SecuLore, our mission is to cyber-protect our nation’s critical infrastructure. Led by experts in 9-1-1 technology, cyberwarfare, and ethical hacking, our team provides the technology, expertise, and training needed to defend customers from increasingly sophisticated cyber threats.