Emotet first hit networks back in 2014 as a dropper for banking trojans. More recently, however, the group behind the malware has put a lot of work into development and has turned Emotet into an end-to-end service for malware delivery: it now gets its operators onto a network and then delivers other families on their behalf.
Once inside the network, Emotet is extremely annoying to deal with: it has multiple ways of spreading automatically, and it maintains persistence through registry keys and scheduled tasks. It spreads using credentials and email addresses harvested with NetPass.exe, an Outlook scraper, WebBrowserPassView, Mail PassView, and a credential enumerator (which looks for writable SMB shares and brute-forces accounts, including the administrator account). It has also been observed dropping supplemental malware that spreads through a modified version of one of the leaked NSA SMB exploits; essentially, SMB is used to force the targeted host, such as the Domain Controller, to download and execute a malicious file. If the 2017 MS17-010 patches have been applied, this SMB exploit should not work. Note that the patch only closes the exploit path: spreading with harvested credentials works just as well on a fully patched host, which is why credential hygiene matters as much as patching.
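The following is an added example, not a script from the SecuLore team or from any Emotet write-up. It is a read-only triage script for a single Windows host that has already been pulled off the network, showing where to look for the two things the paragraph above describes: persistence in the Run/RunOnce registry keys and in scheduled tasks, and whether the SMBv1 protocol that the MS17-010 exploit path depends on is still enabled. The "user-writable path" pattern is a heuristic of the author's, not an Emotet indicator; run it from a local account on the isolated machine (it needs local administrator rights for the SMB and task queries), never with a domain-privileged credential.

```powershell
# Added example: host triage for autorun persistence and SMBv1 state.
# Run locally on an isolated host. Needs local admin for Get-SmbServerConfiguration,
# Get-WindowsOptionalFeature and to see every scheduled task.

# Heuristic (author's assumption): autorun entries whose executable lives under a user
# profile, Temp or ProgramData are worth a look; tune for your environment.
$SuspiciousPathPattern = '\\Users\\[^\\]+\\AppData\\|\\Temp\\|\\ProgramData\\'

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutorunEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSDrive/etc. metadata
            [pscustomobject]@{
                Source     = $key
                Name       = $p.Name
                Command    = [string]$p.Value
                Suspicious = ([string]$p.Value) -match $SuspiciousPathPattern
            }
        }
    }
}

function Get-TaskActions {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM-handler actions have no executable to inspect
            $cmd = "$($action.Execute) $($action.Arguments)".Trim()
            [pscustomobject]@{
                Source     = "Task: $($task.TaskPath)$($task.TaskName)"
                Name       = $task.TaskName
                Command    = $cmd
                Suspicious = $cmd -match $SuspiciousPathPattern
            }
        }
    }
}

function Get-Smb1State {
    # Two independent views: the SMB server's protocol switch and the Windows optional feature.
    $serverEnabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    $featureState  = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue).State
    [pscustomobject]@{
        SMB1ServerEnabled = $serverEnabled
        SMB1FeatureState  = $featureState
    }
}

Write-Host '== Autorun and scheduled-task entries pointing into user-writable paths =='
@(Get-AutorunEntries) + @(Get-TaskActions) |
    Where-Object Suspicious |
    Format-Table Source, Name, Command -AutoSize -Wrap

Write-Host '== SMBv1 state (the MS17-010 exploit path requires SMBv1) =='
Get-Smb1State | Format-List
```

The SMBv1 check tells you whether the exploit path is even reachable; it does not prove the MS17-010 update itself is installed, so confirm that separately through your patch-management tooling. Anything the first table lists is a lead for the investigation, not a verdict, and the host should still be reimaged as the note below recommends.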
Some things you can do to guard against this malspam are to have strong spam filters in place on both inbound and outbound email (outbound matters because an infected host will try to mail itself to the contacts it harvested from Outlook), and to “mark[ ] external emails with a banner denoting it is from an external source. This will assist users in detecting spoofed emails” (us-cert.gov). End-user training can also be very effective at stopping these attacks before they even start.
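Here is one way to implement the US-CERT banner recommendation quoted above, as an added example for Exchange Online rather than configuration taken from the original page. It assumes you are already connected with Connect-ExchangeOnline and hold a role that allows managing transport rules; the rule name, subject tag and banner wording are the author's choices.

```powershell
# Added example: Exchange Online mail flow (transport) rule that tags mail entering
# the organization from outside with a subject prefix and a visible HTML banner.
# Assumes an existing Connect-ExchangeOnline session. Names and text are illustrative.

$BannerHtml = @"
<div style="background:#fff3cd;border:1px solid #ffeeba;padding:8px;font-family:sans-serif;font-size:12px;">
<strong>CAUTION:</strong> This email originated from outside the organization.
Do not click links or open attachments unless you recognize the sender and were expecting the message.
</div>
"@

New-TransportRule -Name 'Tag external mail' `
    -FromScope NotInOrganization `          # sender is outside the tenant
    -SentToScope InOrganization `           # recipient is inside the tenant
    -PrependSubject '[EXTERNAL] ' `
    -ApplyHtmlDisclaimerLocation Prepend `  # banner at the top of the body, where users see it first
    -ApplyHtmlDisclaimerText $BannerHtml `
    -ApplyHtmlDisclaimerFallbackAction Wrap `  # if the body cannot be modified, wrap the original
    -Comments 'Marks mail from outside the tenant so users can spot spoofed internal senders.'

# Optional: exempt a trusted partner domain (hypothetical domain shown) so its mail is not tagged.
# Set-TransportRule -Identity 'Tag external mail' -ExceptIfSenderDomainIs 'partner.example'
```

Using both a subject tag and a body banner covers mail clients that display one but not the other. Keep the exception list short: every exempted domain is a domain an attacker can spoof without tripping the banner, and the rule does not replace SPF, DKIM and DMARC checks on the same inbound mail.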
NOTE: If you are dealing with an active infection, the easiest thing to do is to isolate, wipe, and reimage the infected systems. It is essential that privileged accounts are not used to log in to compromised systems during remediation, as this may accelerate the spread of the malware; remember, it spreads using harvested credentials, and a domain administrator logging in hands it exactly the credential it needs. If you do have to log in to the system, make sure it is taken off the network beforehand and is not allowed to reconnect until it has been reimaged, and treat any account that was used on it as compromised.
SecuLore Support Team