The Wrath of the Emotet Trojan Has Resurfaced! Are You Prepared?
One of the most significant malware threats facing the 21st century, the Emotet Trojan resurfaces, setting its sights on sensitive email content.
What is the Emotet Trojan?
The Department of Homeland Security recently reported that the Emotet Trojan, known as a banking trojan, is active again. It is by far one of the most damaging pieces of malware, with a heavy financial cost for the owners of infected computers.
The Emotet banking Trojan is a type of malware delivered by email, as an attachment or a link. It has been making the rounds infecting computers since 2014.
The Emotet Trojan is a major malware threat known to change its attack approach in every outbreak. Once it infects your network it is difficult and expensive to remove, so focus on the prevention advice given here.
Why was Emotet created?
Emotet began as banking malware that tried to sneak onto your computer and steal sensitive, private information. Later versions of the software added spamming and malware delivery services—including delivery of other banking Trojans.
Today, new versions of the trojan carry a much more powerful threat to businesses and individuals.
Who is Mealybug?
The cybercrime group known as Mealybug distributes the Emotet Trojan. Mealybug appears to have decided that it can best maximize its returns by taking on the role of distributor. Symantec detailed the evolution of Mealybug and found that it follows a trend of bad actors refining their mechanisms and business models to maximize their profits.
What this means is that Mealybug supports many attack groups at the same time, if needed, and takes a cut of whatever they make. It is minting money from the many groups who want their own malware delivered.
At one time, Emotet focused on European banks, specifically the customers of German and Austrian banks, stealing their login credentials. Now it has spread everywhere — with the United States being one of its biggest target markets.
Over time Emotet has evolved and proven itself to be versatile and even more damaging. In its latest attacks it can harvest emails, financial data, browsing history, saved passwords, and Bitcoin wallets. In addition, the malware can add an infected machine to a botnet to perform DDoS attacks or to send out spam emails.
How does it work?
In this respect Emotet is like any other banking trojan: it is built to gain access to victims’ banking and other financial activities, along with confidential information. Emotet currently uses five known spreader modules: NetPass.exe, WebBrowserPassView, Mail PassView, an Outlook scraper, and a credential enumerator.
Emotet emails may carry familiar branding to make them look legitimate, and they entice users to click the malicious files with appealing language. Examples include “Your Invoice,” “Payment Details,” or a notice of an upcoming shipment from a well-known parcel company.
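As an added example that is not part of the original post, the following Python script shows how a mail-gateway filter might score an inbound message for the lure traits just described: lure phrases in the subject, a risky attachment type, and a display name that borrows a parcel brand while the sender domain does not belong to that brand. The brand-to-domain table, the phrase and extension lists, the verdict policy and the two sample messages are all constructed for illustration.

```python
"""Score inbound mail for Emotet-style lure traits (added example, not from the post).

Assumptions, all constructed for illustration: the brand-to-domain table, the
lure phrase list, the risky extension list, the verdict policy and the samples.
"""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import List, Optional

# Attachment types commonly abused for macro or script droppers (constructed list).
RISKY_EXTENSIONS = {".doc", ".docm", ".xls", ".xlsm", ".js", ".vbs", ".lnk", ".zip"}

# Subject phrases of the kind the post quotes as typical lures.
LURE_PHRASES = ("invoice", "payment details", "shipment", "delivery")

# Hypothetical table of brands and the domains they legitimately send from.
KNOWN_BRANDS = {
    "dhl": {"dhl.com", "dhl.de"},
    "ups": {"ups.com"},
    "fedex": {"fedex.com"},
}


def attachment_names(msg: Message) -> List[str]:
    """Collect the filenames of every attached MIME part."""
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def brand_mismatch(display_name: str, sender_domain: str) -> Optional[str]:
    """Flag a display name that borrows a brand the sender domain does not belong to."""
    lowered = display_name.lower()
    for brand, domains in KNOWN_BRANDS.items():
        if brand in lowered and sender_domain not in domains:
            return f"display name claims {brand!r} but sender domain is {sender_domain!r}"
    return None


def triage(raw_message: str) -> dict:
    """Return the findings for one raw RFC 822 message plus a deliver/quarantine verdict."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2].lower()
    findings = []

    subject = (msg.get("Subject") or "").lower()
    hits = [p for p in LURE_PHRASES if p in subject]
    if hits:
        findings.append("lure phrase(s) in subject: " + ", ".join(hits))

    for name in attachment_names(msg):
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"risky attachment type: {name}")

    mismatch = brand_mismatch(display_name, sender_domain)
    if mismatch:
        findings.append(mismatch)

    # Policy (constructed): a risky attachment alone, or any two signals, holds the mail.
    risky_attachment = any(f.startswith("risky attachment") for f in findings)
    verdict = "quarantine" if risky_attachment or len(findings) >= 2 else "deliver"
    return {"sender": address, "findings": findings, "verdict": verdict}


# Constructed sample: a parcel-themed lure with a Word attachment.
SAMPLE_LURE = """\
From: "DHL Express" <notice@dhl-parcel-tracking.example>
To: accounts@victim.example
Subject: Your Invoice - Payment Details for shipment 4471
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Please review the attached invoice.
--XYZ
Content-Type: application/msword; name="Invoice_4471.doc"
Content-Disposition: attachment; filename="Invoice_4471.doc"
Content-Transfer-Encoding: base64

AAAA
--XYZ--
"""

# Constructed sample: an ordinary message that should pass.
SAMPLE_BENIGN = """\
From: "Alice" <alice@partner.example>
To: accounts@victim.example
Subject: Lunch on Thursday?
Content-Type: text/plain

See you then.
"""

if __name__ == "__main__":
    for raw in (SAMPLE_LURE, SAMPLE_BENIGN):
        print(triage(raw))
```

Each signal on its own is weak (a real invoice is also titled "Invoice"), which is why the verdict policy demands either the attachment signal or two independent ones; in production the same structure is usually fed by a reputation service and sandbox detonation rather than a static brand table.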
Once installed, the trojan runs several routines on the infected computer. For instance, it can run executable files, remotely download and send files, read the clipboard, access browser history and cookies, and log keystrokes.
It targets networked systems specifically. Once one computer or other device on a network is infected, Emotet tries to infiltrate associated systems via brute-force attacks: armed with a list of common passwords, it guesses its way from the victim’s device onto other connected machines.
How can you protect your systems and your employees?
Preventing infection is always the better option. Ensure that no unsecured devices are being used on your network. Identify and secure unmanaged devices, and eliminate blind spots such as IoT devices.
Train your people. If you can prevent an employee from opening the file or link that leads to infection, that’s half the battle.
Here are some of the best practices that organizations can use to protect themselves against Emotet and other threats that may come with it:
- Regularly patch and update (or use virtual patching). Emotet is a downloader capable of bringing in other kinds of threats that exploit system weaknesses. Updating and patching system, network, and server software removes these weak points.
- Secure the email gateway. Spam email is Emotet’s main method of attack. Teaching people to identify the red flags of phishing emails helps as much as deploying security solutions. Remind everyone to avoid opening unexpected attachments in emails, even from known contacts.
- Enforce the principle of least privilege. Emotet abuses legitimate tools like PowerShell as part of its attack chain. Disable, restrict, or secure such tools and the privileges they need to deter this threat from abusing them.
- Proactively monitor the organization’s online infrastructure. A multilayered approach helps defend against Emotet: firewalls, antivirus, and intrusion prevention work together to detect and block suspicious traffic, and application control and monitoring further protect systems and networks.
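The brute-force spread described under “How does it work?” is also what proactive monitoring should look for: it shows up in logs as a burst of failed network logons from one source machine against several hosts and accounts, sometimes followed by a success. As an added example that is not part of the original post, this Python detector runs over a constructed, simplified JSON-lines rendition of Windows Security events 4625 (failed logon) and 4624 (successful logon); the field names, thresholds, window size and sample values are assumptions and will differ from what a real collector emits.

```python
"""Spot Emotet-style password guessing between hosts in Windows logon events.

Added example, not from the post. The input is a constructed, simplified
JSON-lines rendition of Security events 4625/4624; real collectors use other
field names (IpAddress, TargetUserName, LogonType, Computer) and formats.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List

FAIL_THRESHOLD = 5            # failed logons from one source within the window (assumed)
WINDOW = timedelta(minutes=10)  # sliding window length (assumed)
MIN_TARGETS = 2               # distinct destination hosts: one source spraying many machines


def parse_events(lines: str) -> List[dict]:
    """Parse JSON-lines events, convert timestamps and return them in time order."""
    events = []
    for line in lines.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_guessing(events: List[dict]) -> List[dict]:
    """Return one alert per burst of failed network logons spanning several hosts."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ev in events:
        if ev["logon_type"] != 3:      # only network logons (SMB/RPC style access)
            continue
        if ev["event_id"] == 4625:
            failures[ev["src_ip"]].append(ev)
        elif ev["event_id"] == 4624:
            successes[ev["src_ip"]].append(ev)

    alerts = []
    for src, fails in failures.items():
        i = 0
        while i < len(fails):
            end = fails[i]["ts"] + WINDOW
            burst = [f for f in fails[i:] if f["ts"] <= end]
            hosts = {f["dst_host"] for f in burst}
            if len(burst) >= FAIL_THRESHOLD and len(hosts) >= MIN_TARGETS:
                # A success from the same source shortly after the burst is the
                # strongest sign that a guessed password worked.
                later = [s for s in successes[src] if burst[0]["ts"] <= s["ts"] <= end + WINDOW]
                alerts.append({
                    "src_ip": src,
                    "first_seen": burst[0]["ts"].isoformat(),
                    "failures": len(burst),
                    "target_hosts": sorted(hosts),
                    "accounts_tried": sorted({f["user"] for f in burst}),
                    "followed_by_success": [(s["dst_host"], s["user"]) for s in later],
                })
                i += len(burst)        # report each burst once
            else:
                i += 1
    return alerts


# Constructed sample: one host spraying two accounts at three machines, then
# succeeding on FS02; a second host with two typos that should not alert.
SAMPLE_EVENTS = """\
{"ts": "2020-07-20T09:00:01", "event_id": 4625, "src_ip": "10.0.5.17", "dst_host": "FS01", "user": "administrator", "logon_type": 3}
{"ts": "2020-07-20T09:00:03", "event_id": 4625, "src_ip": "10.0.5.17", "dst_host": "FS01", "user": "backup", "logon_type": 3}
{"ts": "2020-07-20T09:00:05", "event_id": 4625, "src_ip": "10.0.5.17", "dst_host": "FS02", "user": "administrator", "logon_type": 3}
{"ts": "2020-07-20T09:00:09", "event_id": 4625, "src_ip": "10.0.5.17", "dst_host": "FS02", "user": "backup", "logon_type": 3}
{"ts": "2020-07-20T09:00:12", "event_id": 4625, "src_ip": "10.0.5.17", "dst_host": "HR-PC3", "user": "administrator", "logon_type": 3}
{"ts": "2020-07-20T09:00:15", "event_id": 4625, "src_ip": "10.0.5.17", "dst_host": "HR-PC3", "user": "backup", "logon_type": 3}
{"ts": "2020-07-20T09:00:21", "event_id": 4624, "src_ip": "10.0.5.17", "dst_host": "FS02", "user": "backup", "logon_type": 3}
{"ts": "2020-07-20T09:02:40", "event_id": 4625, "src_ip": "10.0.5.40", "dst_host": "FS01", "user": "mlee", "logon_type": 3}
{"ts": "2020-07-20T09:02:49", "event_id": 4625, "src_ip": "10.0.5.40", "dst_host": "FS01", "user": "mlee", "logon_type": 3}
{"ts": "2020-07-20T09:02:58", "event_id": 4624, "src_ip": "10.0.5.40", "dst_host": "FS01", "user": "mlee", "logon_type": 3}
"""

if __name__ == "__main__":
    for alert in detect_guessing(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The "many hosts from one source" condition is what separates this pattern from a single user mistyping a password, and the success-after-burst field tells the responder which machine to isolate next, which fits the post's advice to disconnect a suspected host and to adopt 2FA so a guessed password alone is not enough.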
How to stop Emotet from spreading
One of the key characteristics of Emotet is that it acts as a gateway for other Trojans and malware. Its most common companion is TrickBot. Both Emotet and TrickBot have their own methods of self-propagation and target different weaknesses.
If you suspect your system is infected, disconnect it from the network or shut it down and call your computer support desk. Still, the most effective action you can take against Emotet and all its companions is to focus on patching.
This is common advice from any cybersecurity professional, because many successful attacks exploit known vulnerabilities that could have been fixed beforehand. These known issues are, in essence, doorways to disaster, and failing to close them can let Emotet spread across the company network.
Even if you’ve done everything right, there is still a chance you will suffer an Emotet attack. Prepare a response plan for dealing with it if it happens. Symantec also recommends implementing 2FA to prevent cracked or stolen credentials from being used by attackers.
The Emotet Trojan and its companions together make a very dangerous threat. If you need more information on this or other threats, check out our website.