What is Emotet? | IT PRO | #microsoft | #hacking | #cybersecurity | #education | #technology | #infosec


Emotet, a notoriously stealthy malware, was first discovered in 2014. An early version of this banking trojan intercepted internet traffic to steal credentials.

Between 2016 and 2017, hackers reprogrammed Emotet to function as a loader, allowing its operators to download payloads or executable code onto infected hosts.

In 2020, Emotet’s attacks became global with its authors resorting to Trickbot and Qbot — Windows-based trojans — to infiltrate banking networks. A botnet of compromised machines was also set up to sustain the attacks. 

But that’s not all. Access to hijacked computers and devices was sold in an infrastructure-as-a-service offering, a practice more commonly known as malware-as-a-service in the cyber security industry.

According to the US Department of Homeland Security, “Emotet continues to be among the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments.”

“Its worm-like features result in rapidly spreading network-wide infection, which are difficult to combat. Emotet infections have cost SLTT governments up to $1 million per incident to remediate.”

How does Emotet spread?

As of 2021, Emotet can bypass signature-based detection and propagate through five known installers: NetPass.exe, Outlook scraper, credential enumerator, Mail PassView, and WebBrowserPassView. 

Here’s a run-down of each spreader module. 

1. NetPass.exe: Captures network passwords stored on a system or external drives

2. Outlook scraper: Harvests email addresses and names from victims’ Outlook accounts to send phishing emails from compromised accounts

3. Credential enumerator: Combines bypass and service modules into one self-extracting RAR file. The bypass component identifies network resources by locating writable share drives through server message blocks (SMB) protocol or brute-forcing an administrator’s account. Upon finding the target system, the service component writes Emotet onto the disk.

4. Mail PassView: Forwards passwords and account details of email clients including Mozilla Thunderbird, Hotmail, Yahoo, and Gmail to the credential enumerator module

5. WebBrowserPassView: Gathers passwords stored in browsers, including Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera for use by the credential enumerator module

How stealthy is Emotet?

By and large, hackers inject Emotet through malspam — emails with malicious attachments or links — that mimic legitimate business communications and marketing campaigns.

For instance, a July 2018 Emotet malspam campaign of masqueraded PayPal receipts, shipping notifications, and outstanding multi-state information sharing and analysis center (MS-ISAC) invoices. After an unsuspecting user opens or clicks a malspam attachment, Emotet penetrates local networks through built-in spreader modules. 

Among Emotet’s defining traits are tenacity and endurance. Several applications share dynamic link libraries (DLL), allowing Emotet to adapt and renew its capabilities constantly. Additionally, Emotet generates random files that emulate Windows services in the system root directory. Execution of these services propagates malware throughout the network.

Attacks via Emotet can also result in permanent loss of confidential or proprietary information, service interruptions, high replacement costs, and negative publicity for an organization.

What are some ways to combat Emotet?

MS-ISAC and the national cyber security and communications integration center (NCCIC) recommend the following countermeasures against Emotet:

1. Revisit Group Policy settings

Windows’ Group Policy feature lets administrators configure and update operating systems, applications, and users’ settings from a centralized location. A group policy object (GPO) refers to settings configured using the group policy editor in the Microsoft Management Console (MMC). 

GPOs may also be used to create a Windows Firewall policy that restricts one of Emotet’s access points: inbound SMB traffic. The protocol allows shared access to files, printers, and serial ports across a network.

2. Enable automatic antivirus updates

Keep your antivirus programs up-to-date by ensuring auto-updates to the software. A good precaution is to block file attachments commonly associated with malware, such as .exe and .dll files, and that antivirus software cannot scan, such as .zip files.

3. Implement filters for emails

A malspam filter on the email gateway can help shield against spam messages with malicious content and block potentially rogue IP addresses. Organizations may also mark external emails with a banner or icon to indicate their origin.

Businesses can also deploy domain-based message authentication, reporting, and conformance (DMARC), a security system that uses domain name system (DNS) records and digital signatures to detect email spoofing.

4. Train employees

Employee education goes a long way toward preventing targeted Emotet attacks. Cyber security experts recommend companies instruct their employees not to open suspicious emails, post sensitive data online, or respond to unsolicited emails requesting personal information.

How do you respond to an Emotet attack?

Malware variations can complicate security, reducing its effectiveness over time. If your system or network has been compromised, NCCIC and MS-ISAC recommend the following measures.

Using an antivirus program, assess system vulnerabilities and isolate the infected workstation. Avoid logging into the infected system using domain or local administrator credentials. 

If multiple workstations are infected, the following steps are advised:

  1. Disconnect infected machines from the network
  2. Temporarily disable the network to prevent the malware from spreading 
  3. Reexamine existing systems for Emotet indicators and move those unaffected to a separate local area network
  4. Reset passwords for domain and local accounts, including any applications stored on the compromised machines

Post attack, Emotet resets Outlook’s default settings to auto-forward all emails to an external address, leaving your data vulnerable. It is, therefore, crucial to review log files and Outlook settings to determine the initial access point or malware source. 

Recent Emotet developments

A coordinated global action dubbed “Operation Lady Bird” brought down Emotet in January 2021. 

A total of eight countries contributed to the mission, including France, Lithuania, Netherlands, and the United States. With support from European Union Agency for Criminal Justice Cooperation (Eurojust) and European Union Agency for Law Enforcement Cooperation (Europol), global police forces in Germany and Ukraine shut down Emotet’s servers, which led to arrests. 

While the threat has been neutralized, it is advisable to take precautions to counter variants and replicas.

“A combination of both updated cybersecurity tools (antivirus and operating systems) and cybersecurity awareness is essential to avoid falling victim to sophisticated botnets like EMOTET,” explained Europol in a press release.

“Users should carefully check their email and avoid opening messages and especially attachments from unknown senders. If a message seems too good to be true, it likely is and emails that implore a sense of urgency should be avoided at all costs.”


Source link