If you asked malware experts to list the most nefarious and dangerous Trojans, Emotet would certainly appear on their list. According to various research, the Emotet malware continues to be among the most destructive and costly malware affecting state, local and territorial governments, as well as the public and private sectors. Sneaky and cunning, Emotet is widely spread across the world.
Overview of Emotet
What is Emotet? Emotet is a form of modular banking malware that mainly works as a dropper or downloader of several other banking Trojans. Emotet is also polymorphic, which lets it evade common signature-based detection. The malware has several ways of maintaining persistence, including auto-start registry keys and services. Emotet uses Dynamic Link Libraries (DLLs) to continually extend and update its capabilities. Additionally, the Trojan is virtual-machine-aware and can produce false indicators if run in a virtual environment.
Emotet is distributed via malspam (emails that contain malicious links or attachments) that uses branding familiar to the recipient. This malware has typically been distributed using the MS-ISAC name. As recently as July 2018, Emotet campaigns were seen sending fake PayPal receipts, past-due invoices and shipping notifications purportedly from MS-ISAC. The initial infection usually happens when a user opens a malicious PDF file, follows a download link, or opens a macro-enabled Microsoft Word file from the malspam. Once downloaded, Emotet establishes persistence and tries to propagate across local networks via its built-in spreader modules.
The Type and Source of Infection
Emotet is often distributed via emails containing embedded URLs or infected attachments. These emails may seem to originate from reliable sources, because the malware takes control of its victims' email accounts. This tricks computer users into downloading the Trojan onto their PCs. After the malware has infected a networked computer, it spreads by using the EternalBlue vulnerability to exploit other systems. Infected computers try to spread the Trojan laterally by brute-forcing domain credentials, and externally through the built-in spam module. As a result, the Emotet botnet remains very active and is responsible for much of the malspam that users encounter.
Presently, this Trojan uses five known spreader modules: WebBrowserPassView, Netpass.exe, Mail PassView, a credential enumerator and an Outlook scraper.
- WebBrowserPassView is a password recovery tool that captures the passwords stored by Mozilla Firefox, Internet Explorer, Opera, Google Chrome and Safari, and passes them to the credential enumerator module.
- Netpass.exe is a legitimate utility developed by NirSoft that recovers all network passwords stored on a system for the currently logged-on user. It can also recover passwords stored in the credentials file of external hard drives.
- Mail PassView is a password recovery tool that reveals account and password details for several email clients, including Windows Mail, Microsoft Outlook, Yahoo Mail, Gmail, Hotmail and Mozilla Thunderbird, and passes the details to the credential enumerator module.
- Credential Enumerator is a self-extracting RAR file containing two components: a service component and a bypass component. The bypass component enumerates network resources and either locates writable share drives using SMB (Server Message Block) or attempts to brute-force user accounts, including the administrator account. Once an accessible system is found, the malware writes the service component to that system, and the service component in turn writes the Trojan to disk.
- Outlook scraper is a tool that scrapes names and email addresses from the victim's Outlook accounts and uses that information to send additional phishing emails from the compromised accounts.
The Infection Process of Emotet
To maintain persistence, the malware injects code into explorer.exe and other running processes. Emotet can also gather sensitive information such as the operating system version, system name and location, and then connect to a remote command-and-control (C2) server. Typically, it connects via a sixteen-letter domain name that often ends in '.eu'. After the malware establishes a connection with the C2 server, it reports the new infection, downloads and runs files, receives configuration data, receives further data and uploads data to the server.
Emotet files are often located in arbitrary paths under the AppData\Local and AppData\Roaming directories. These files typically mimic the names of known executables. Persistence is usually maintained via registry keys or scheduled tasks. This Trojan is also known to create randomly named files in the system root directories that are run as Windows services. When these files are executed, the services try to spread the malware to neighbouring systems through accessible administrative shares.
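Two of the traits described in this section lend themselves to simple defender-side checks: the C2 naming pattern (a sixteen-letter domain ending in .eu) and executables that carry a system binary's name but live under AppData\Local or AppData\Roaming. The script below is an added example and not code from the original article; the DNS log line format, the client addresses and the list of system executable names are constructed for illustration, and the checks are heuristics meant to surface candidates for review rather than to confirm an infection.

```python
"""Defender-side heuristics for two Emotet traits described above
(added example; not code from the original article).  The DNS log
format, the client IPs and the list of system executable names are
constructed for illustration."""
import re
from pathlib import PureWindowsPath

# Constructed: names of Windows binaries that droppers commonly imitate.
KNOWN_SYSTEM_EXES = {
    "svchost.exe", "explorer.exe", "lsass.exe", "winlogon.exe",
    "csrss.exe", "services.exe", "taskhost.exe",
}


def is_suspicious_c2_domain(domain: str) -> bool:
    """Match the C2 naming pattern from the text: a sixteen-letter
    second-level label directly under the .eu TLD.  A trailing dot and
    letter case are normalised first; anything else returns False."""
    labels = domain.rstrip(".").lower().split(".")
    if len(labels) != 2:
        return False
    sld, tld = labels
    return tld == "eu" and re.fullmatch(r"[a-z]{16}", sld) is not None


def scan_dns_log(lines):
    """Return (client_ip, qname) pairs whose query name matches the pattern.
    Expected line shape (constructed): '<timestamp> <client> <qtype> <qname>'."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line: skip rather than crash
        client, qname = fields[1], fields[3]
        if is_suspicious_c2_domain(qname):
            hits.append((client, qname.rstrip(".").lower()))
    return hits


def is_masquerading_path(path_str: str) -> bool:
    """True when a file named like a system executable sits under
    AppData\\Local or AppData\\Roaming, where those binaries never belong."""
    path = PureWindowsPath(path_str)
    if path.name.lower() not in KNOWN_SYSTEM_EXES:
        return False
    dirs = [p.lower() for p in path.parts[:-1]]
    return any(
        dirs[i] == "appdata" and dirs[i + 1] in ("local", "roaming")
        for i in range(len(dirs) - 1)
    )


# Constructed sample data.
SAMPLE_DNS_LOG = [
    "2018-07-12T10:01:02Z 10.0.0.5 A www.example.com",
    "2018-07-12T10:01:03Z 10.0.0.5 A abcdefghijklmnop.eu.",
    "2018-07-12T10:01:04Z 10.0.0.9 A abcdefghijklmno.eu",   # 15 letters, no hit
    "2018-07-12T10:01:05Z 10.0.0.9 A qrstuvwxyzabcdef.eu",
]
SAMPLE_PATHS = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\Users\alice\AppData\Local\svchost.exe",
    r"C:\Users\alice\AppData\Roaming\Microsoft\explorer.exe",
    r"C:\Users\alice\AppData\Local\Temp\update.exe",
]

if __name__ == "__main__":
    for client, qname in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"C2-pattern lookup from {client}: {qname}")
    for p in SAMPLE_PATHS:
        if is_masquerading_path(p):
            print(f"masquerading executable: {p}")
```

Both checks are deliberately narrow: the domain check only fires on the exact shape the text describes, and the path check only fires when a well-known binary name appears in a user-writable profile directory, so a hit is worth a closer look at the host rather than an automatic verdict.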
The Aftermath of Emotet
Emotet is polymorphic and thus difficult to detect by signatures. Because of the several ways this malware propagates through an organization's network, any infected computer on the network will re-infect computers that were previously cleaned as soon as they rejoin the network. For this reason, IT departments must isolate, patch and remediate each infected system one by one. Cleaning an affected network is a lengthy process that can take months, depending on the number of computers involved.
The Consequences of Emotet Malware Infection
- Disruption of normal operations
- Permanent or temporary loss of proprietary or sensitive information
- Financial losses incurred restoring files and systems
- Potential harm to a company's reputation
Protection against Emotet
Home and business users already running Malwarebytes are protected from this malware by its anti-exploit technology. Real-time protection also protects Malwarebytes users against this Trojan.
Malwarebytes can detect and remove Emotet on business endpoints without additional user interaction. To be effective on networked computers, it is essential to follow these steps:
- Identify the infected computers
- Remove the infected PCs and devices from the network
- Patch for EternalBlue
- Disable administrative shares
- Remove the Trojan completely
- Change account credentials
Solution to Attack by Emotet
MS-ISAC and NCCIC recommend that organizations follow these practices to reduce the risk of Emotet and other malspam infections.
- Use Group Policy Objects to set up a Windows Firewall rule that blocks inbound SMB communication between clients.
- Use anti-malware software with automatic software and signature updates on both servers and clients.
- Apply appropriate patches and upgrades immediately.
- Implement filters at the email gateway to block emails with known malspam indicators.
- Mark external emails with a banner to make it easier for users to identify spoofed emails.
- Provide users with sufficient training on phishing and social engineering.
- Block file attachments commonly associated with malware, such as .exe and .dll attachments.
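Three of the recommendations above (gateway filtering, an external-mail banner, and blocking .exe and .dll attachments) can be expressed as a single policy check on each inbound message. The script below is an added example and not the article's or any vendor's code; the internal domain, the addresses and the sample message are constructed, and the decision to quarantine macro-enabled Office attachments for review is an assumption of this example, prompted by the article naming macro-enabled Word files as an Emotet lure.

```python
"""A minimal mail-gateway policy check for the controls listed above:
a banner on external mail, rejection of .exe/.dll attachments and
quarantine of macro-enabled Office attachments.  Added example, not the
article's or any vendor's code; the internal domain, addresses and the
message itself are constructed."""
from email.message import EmailMessage
from email.utils import parseaddr
from pathlib import PurePosixPath

BLOCKED_EXTENSIONS = {".exe", ".dll"}   # the types named in the text
# Assumption of this example: macro-enabled Office types go to quarantine
# for review, since the text names macro-enabled Word files as a lure.
REVIEW_EXTENSIONS = {".docm", ".dotm", ".xlsm"}
BANNER = "[EXTERNAL] "


def classify_attachment(filename: str) -> str:
    """Return 'block', 'review' or 'allow' from the file's final extension.
    'invoice.pdf.exe' still ends in .exe, so double extensions are caught."""
    ext = PurePosixPath(filename.strip().lower()).suffix
    if ext in BLOCKED_EXTENSIONS:
        return "block"
    if ext in REVIEW_EXTENSIONS:
        return "review"
    return "allow"


def is_external(msg: EmailMessage, internal_domains) -> bool:
    """External if the From address is missing or not in an internal domain."""
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    return not domain or domain not in internal_domains


def apply_gateway_policy(msg: EmailMessage, internal_domains) -> dict:
    """Evaluate one message.  Prepends the banner to the Subject when the
    sender is external and returns the verdict together with the reasons."""
    reasons = []
    verdict = "deliver"
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        action = classify_attachment(name)
        if action == "block":
            verdict = "reject"
            reasons.append(f"blocked attachment type: {name}")
        elif action == "review" and verdict != "reject":
            verdict = "quarantine"
            reasons.append(f"macro-enabled attachment: {name}")
    external = is_external(msg, internal_domains)
    if external:
        subject = msg["Subject"] or ""
        if not subject.startswith(BANNER):
            del msg["Subject"]
            msg["Subject"] = BANNER + subject
    return {"verdict": verdict, "external": external, "reasons": reasons}


def build_sample_message(sender: str, attachment_name: str) -> EmailMessage:
    """Constructed lure resembling the past-due-invoice theme in the text."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "accounts@example.com"
    msg["Subject"] = "Past due invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"\x00" * 16, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg


INTERNAL_DOMAINS = {"example.com"}   # constructed

if __name__ == "__main__":
    for sender, name in [("billing@example.net", "invoice.pdf.exe"),
                         ("billing@example.net", "invoice.docm"),
                         ("hr@example.com", "policy.pdf")]:
        m = build_sample_message(sender, name)
        result = apply_gateway_policy(m, INTERNAL_DOMAINS)
        print(m["Subject"], result)
```

The check looks only at the final extension of each attachment name, which is enough for the .exe and .dll rule in the text; a production gateway would also inspect the attachment's actual content type, since a file name is attacker-controlled.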
From the above, it is clear that Emotet is a highly automated and evolving threat targeting banks. The malware is seen as an essential weapon for cybercrime thanks to its small size and its distribution methods. Nonetheless, Emotet does not incorporate conceptually new technology, so up-to-date antivirus software can offer the desired defense against the threat. Additionally, Emotet cannot operate effectively without the help of the user; its developers have aggressively used social engineering techniques to achieve their criminal objectives. Therefore, user awareness and alertness, together with proficient antivirus software, can offer dependable protection against Emotet as well as other banking threats.