Emotet is an advanced, modular banking Trojan that also serves as a dropper (a silent downloader) for other banking Trojans. Because it is polymorphic, standard signature-based scanners do not reliably detect it, and it is virtual-machine-aware: if it finds itself running in a virtual environment, it generates false indicators. That is what makes Emotet so dangerous.
Emotet – Leading a Path of Destruction
The Trojan is disseminated via malspam: emails that carry malicious attachments or links and use branding the recipient is familiar with. Cyber security teams around the globe have also found that the Trojan has spread using the MS-ISAC name. So far, Emotet has imitated due invoices, shipping notifications, and PayPal receipts. A user is infected once he or she downloads and opens the macro-enabled Microsoft Word document, the PDF, or the link.
When a malicious file is opened, the Trojan establishes persistence and propagates across the local network via its built-in spreader modules. The Trojan remains one of the most destructive and costly malware families affecting SLTT government agencies. Its worm-like features let an infection spread network-wide rapidly, and such infections have caused damage that cost millions of dollars to remediate.
A Further Look into Emotet’s Spreader Modules
Emotet's five known spreader modules are a credential enumerator, an Outlook scraper, Mail PassView, WebBrowserPassView, and NetPass.exe. The credential enumerator is a self-extracting RAR file containing a bypass component and a service component. Emotet uses the bypass component to enumerate network resources: it looks for writable share drives over Server Message Block (SMB) and, in some cases, brute-forces user accounts. Once Emotet has the information it needs, it writes the service component to the system.
Keep in mind that NetPass.exe is a legitimate utility developed by NirSoft to recover the network passwords stored on a system for the currently logged-on user; it can also recover passwords stored in the credentials file of external drives. For Emotet it is a free buffet.
How Does Emotet Infect Computers?
Emotet infects computers by maintaining persistence: it can inject malicious code into your browsers and other critical running processes. Emotet can also connect to a remote command-and-control (C2) server and wreak havoc from there.
So far, experts have found Emotet artifacts in arbitrary paths under the AppData\Roaming and AppData\Local directories, with file names that mimic those of legitimate executables. The malware maintains persistence via registry keys or Scheduled Tasks, and propagates to adjacent systems through accessible administrative shares.
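The two persistence traits just described (executables launched from AppData\Roaming or AppData\Local, and file names borrowed from legitimate Windows binaries) can be hunted for across autorun entries. The script below is an added example, not code from the original article or from any vendor: it classifies a set of registry Run values and scheduled-task actions, which are constructed sample data rather than output from a real host. The list of mimicked binary names and the assumption that paths are fully expanded are both assumptions made here.

```python
"""Hunt for Emotet-style persistence: autorun entries (registry Run values or
scheduled-task actions) whose executable lives under AppData\\Roaming or
AppData\\Local, or borrows the name of a Windows system binary.
Added example, not code from the original article; the autorun entries below
are constructed, not collected from a real host."""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Staging directories the article names as where Emotet artifacts turn up.
USER_STAGING_DIRS = ("\\appdata\\roaming\\", "\\appdata\\local\\")

# Assumption: a short list of system executable names that malware borrows.
MIMICKED_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}

# Directories where those names legitimately live (paths assumed fully expanded).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows"}


@dataclass
class AutorunEntry:
    source: str    # where the entry came from, e.g. a Run key or "SchTasks"
    name: str      # registry value name or scheduled task name
    command: str   # command line exactly as stored


def extract_exe_path(command: str) -> str:
    """Return the executable path from a command line, honouring quoted paths."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    # Unquoted: take everything up to the first ".exe" (arguments follow it).
    match = re.match(r"(.*?\.exe)", command, re.IGNORECASE)
    return match.group(1) if match else command.split(" ")[0]


def classify(entry: AutorunEntry) -> list[str]:
    """Reasons the entry looks like Emotet-style persistence; empty when clean."""
    exe = extract_exe_path(entry.command).lower()
    base = ntpath.basename(exe)
    reasons = []
    if any(d in exe for d in USER_STAGING_DIRS):
        reasons.append("executable launched from AppData\\Roaming or AppData\\Local")
    if base in MIMICKED_NAMES and ntpath.dirname(exe) not in SYSTEM_DIRS:
        reasons.append(f"system binary name '{base}' outside a Windows directory")
    return reasons


def hunt(entries: list[AutorunEntry]) -> list[dict]:
    """Run classify() over all entries and keep only the flagged ones."""
    hits = []
    for entry in entries:
        reasons = classify(entry)
        if reasons:
            hits.append({"source": entry.source, "name": entry.name,
                         "exe": extract_exe_path(entry.command), "reasons": reasons})
    return hits


RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_ENTRIES = [  # constructed sample data, not real telemetry
    AutorunEntry(RUN_KEY, "OneDrive",
                 r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    AutorunEntry(RUN_KEY, "SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
    AutorunEntry(RUN_KEY, "svchost", r"C:\Users\alice\AppData\Roaming\svchost.exe"),
    AutorunEntry("SchTasks", "Updater", r"C:\Users\alice\AppData\Local\Temp\explorer.exe"),
    AutorunEntry("SchTasks", "Defrag", r"C:\Windows\System32\defrag.exe /c"),
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_ENTRIES):
        print(f"[{hit['source']}] {hit['name']}: {hit['exe']}")
        for reason in hit["reasons"]:
            print(f"    - {reason}")
```

The output is a triage list, not a verdict: the constructed OneDrive entry is flagged because legitimate per-user installers also live under AppData\Local, so an analyst still has to check signer, hash and creation time of each hit. The entries with two reasons (a system binary name sitting in a user-writable directory) are the ones that most closely match the artifacts described above.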
If Attacked, How Should I React?
Identify, shut down, and remove infected machines from the network without delay; taking the network offline temporarily is one way to do this. When reviewing systems for signs of an Emotet infection, move clean systems to a containment virtual local area network (VLAN). Don't forget to reimage the infected machines.
How Can Organizations Continue Protecting Themselves?
It is imperative that organizations apply appropriate patches regularly, use antivirus programs, implement filters at the email gateway, and train employees well (particularly on phishing and social engineering).
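One concrete email-gateway filter that addresses the macro-enabled Word lures described earlier (invoices, shipping notices, PayPal receipts) is to inspect attachment bodies rather than trust their extensions. The script below is an added example, not code from the original article or from any gateway product: it opens Office Open XML attachments as the zip archives they are and blocks any that contain a VBA project part, blocks macro-enabled extensions outright, and routes legacy binary .doc files to review because confirming macros there needs an OLE parser. The attachments are constructed in memory, and the verdict labels and lure file names are this example's own.

```python
"""Email-gateway check for macro-enabled Office attachments, the lure type the
article describes. Added example, not code from the original article; the
sample attachments are built in memory so the script runs offline."""
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary .doc/.xls container
ZIP_MAGIC = b"PK\x03\x04"                          # Office Open XML (.docx etc.) is a zip
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm"}


def ooxml_has_vba(data: bytes) -> bool:
    """True when an Office Open XML archive carries a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            return any(name.lower().endswith("vbaproject.bin") for name in archive.namelist())
    except zipfile.BadZipFile:
        return False


def attachment_verdict(filename: str, data: bytes) -> str:
    """Return 'block', 'review' or 'allow' for one attachment (labels are this example's)."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if data.startswith(ZIP_MAGIC) and ooxml_has_vba(data):
        return "block"   # VBA project present, regardless of the extension shown
    if ext in MACRO_EXTENSIONS:
        return "block"   # macro-enabled extension, even if the body would not parse
    if data.startswith(OLE2_MAGIC):
        return "review"  # legacy binary format: confirming macros needs an OLE parser
    return "allow"


def build_ooxml(with_macro: bool) -> bytes:
    """Build a minimal Word-like OOXML archive (constructed test data)."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            archive.writestr("word/vbaProject.bin", b"\x00placeholder-vba-project")
    return buffer.getvalue()


SAMPLE_ATTACHMENTS = {  # constructed, echoing the lure themes named in the article
    "Invoice_4471.doc": OLE2_MAGIC + b"\x00" * 24,
    "Shipping_notice.docx": build_ooxml(with_macro=False),
    "PayPal_receipt.docx": build_ooxml(with_macro=True),  # macro part present despite .docx name
    "statement.pdf": b"%PDF-1.7\n%constructed\n",
}


def scan_attachments(attachments: dict) -> dict:
    """Map each attachment name to its verdict."""
    return {name: attachment_verdict(name, data) for name, data in attachments.items()}


if __name__ == "__main__":
    for name, verdict in scan_attachments(SAMPLE_ATTACHMENTS).items():
        print(f"{verdict:6}  {name}")
```

The point of checking the zip contents is that a macro-enabled document can arrive under any extension, so an extension-only rule misses it; the legacy OLE2 format is sent to review rather than silently allowed because this check cannot see inside it. A real gateway would pair this with the antivirus and user-training controls listed above rather than rely on it alone.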
Of course, there are more steps to take to enhance cyber security. At ANEXIO, we can manage your networks and proactively monitor them to ensure that they do not become a victim of the Emotet Trojan.