Emotet Trojan was originally created in 2014 to be used as a worm targeting banking institutions. However, five years later, it has been upgraded to become an advanced malware code, which is used to drop or download other Trojans on a system. The Department of Homeland Security describes the Emotet Trojan as among the most destructive and costly malware to impact SLTT (state, local, tribal, and territorial) governments, as well as organizations in the private sector. Due to its worm-like attributes, Emotet can rapidly spread in an entire network, and can cost an infected entity up to $1 million in mitigation and response activities.
Email communication is the main attack vector of the Emotet Trojan. Email messages are used to deliver infected PDF attachments, Word documents, or a malicious link that downloads a file that contains a hidden malware. Also, the cyber actors usually host the documents in legitimate OneDrive or SharePoint sites to increase success rates by convincing targeted users of the files’ authenticity.
Emotet Trojan persistence
The uses the Windows Registry to persist in a system. It can also use the scheduled tasks as researchers have identified the Trojan to into an “explorer.exe” process. This causes a system to view the malware as a normal system process. Additionally, Emotet artifacts can be located in paths such as AppData\Roaming and AppData\Local directories. The artefacts are used in mining the names of available executables. The Trojan uses the registry keys or scheduled tasks to maintain persistence when a system is being rebooted or when there is an attempt to clean it.
Also, traditional antivirus solutions are unable to identify infected documents since opening the files triggers the download of the malware from a hosted domain. The domains are hosted in the open/public networks. Most of the times, attackers using the malware register the IP addresses and domains afresh to avoid detection and blacklisting. They also shift the websites frequently. The Emotet Trojan also persists by executing recurring attacks. According to Kroll researchers, Emotet infections can reoccur in a system after an organization had detected and cleaned up the infection six months ago. The cyber adversaries malspam the system users, their contacts, and business clients using legitimate email threads that were stolen in previous attacks.
Data targeted by the Emotet Trojan
Emotet malware is capable of targeting and stealing the following types of data:
- Contents of email messages that are stored locally
- The credentials which a user enters on different websites such as banking and eCommerce
- Windows logon (active directory) password and username credentials
It is important for organizations to focus their preemptive efforts on email communications. This is because cyber actors have often been successful in spoofing infected victims to spread the Emotet malware. The hackers combine recent conversations and valid email addresses to increase the success rate of a phishing attempt. Once a new user is infected, the actors spoof the email communication to target even more victims.
Emotet Trojan functionalities
At its inception, Emotet was primarily designed to propagate in banking networks as a worm to steal information. It has, however, been restructured to be capable of additional functionalities. The following are some of the functions associated with a the Emotet Trojan:
- Collect sensitive system and user information. The information includes the name of the system and the installed operating system. Once collected, the Trojan connects to a command to control server.
- After establishing a successful connection with the server, Emotet reports a new infection as successful. It downloads additional payloads and runs them, receives instructions and configuration data, and exfiltrates the stolen data to the server.
- Also, the Trojan creates files in the system root directories with random names which run as a Windows service. Once they execute, the services try to propagate the malware to other systems by using stolen credentials and accessible admin shares. SMB (Server Message Block), as well as by exploiting system vulnerabilities that rely on an organization’s level of patching.
- Saturates a victim’s network to provide attackers with the ability to have unauthorized access to information, leading to more data theft.
Best security practices for protecting against Emotet
- Adopt adequate access control schemes. Such include least privilege access control. This measure provides system users with access permissions needed to perform their tasks
- Create and maintain a suspicious email policy. The policy is for requiring employees to report all the suspicious emails they receive to the IT department for investigation
- Deploy antivirus solutions on servers and clients, and continuously update them to ensure they contain the latest security defenses for detecting and preventing Emotet Trojans
- Use a security system to block file systems commonly used to deliver malware. Such include .exe, .dll, and .zip files. This ensures files that can’t be scanned by antimalware tools do not enter an organization’s servers through emails
- Ensure employees are properly trained on how to identify phishing and other social engineering schemes. This can be accomplished by creating awareness campaigns on handling various social engineering attacks. They include not clicking on suspicious links or attachments, not posting sensitive information in online platforms, and declining to provide passwords or usernames in response to phishing emails
- Implement DMARC (Domain-Based Authentication, Reporting and Conformance) system. Itis used to validate and reduce spam messages by using DNS (Domain Name System) digital signatures and records to detect spoofed emails
However, the measures may not prevent an Emotet virus from infecting a system. Fora single system, an antivirus scan can identify the infected workstation which should be isolated to prevent the infection from spreading. The following steps are for addressing an infection on multiple systems.
- Identify the infected machine and disconnect it from the network
- Pull the network offline to identify and prevent reinfections
- Avoid login in into n infected system using domain or shared admin accounts
- Identify systems with Emotet indicators and contain clean ones in a segregated network
- Password reset local and domain credentials, and any credentials of an infected system
- Identify infection source and apply appropriate remediations