Emotet Malware Makes a Return

Discovered in 2014, Emotet was originally designed as a banking Trojan to steal financial data, but it's evolved to become the leading botnet used by cybercriminals worldwide to send spam emails and install payloads.

Emotet Malware Makes a Return

One of the longest-running and more lethal malware strains has once again returned to the scene after a coordinated international law enforcement operation dismantled its command-and-control infrastructure in late January 2021. According to a report from security researcher Luca Ebach, the infamous TrickBot malware is being used as an entry point to distribute what appears to be a new version of Emotet on systems previously infected by the former. This has allowed Emotet to start from a very firm position and not from scratch.

YouTube video

<span data-mce-type="bookmark" style="display: inline-block; width: 0px; overflow: hidden; line-height: 0;" class="mce_SELRES_start"></span>

What Is Emotet?

Discovered in 2014, Emotet was originally designed as a banking Trojan to steal financial data, but it’s evolved to become the leading botnet used by cybercriminals worldwide to send spam emails and install payloads. The infection may arrive via a malicious script, macro-enabled document files, or a malicious link.

Europol dubbed Emotet as the world’s most dangerous malware for its ability to act as a door opener for threat actors to obtain unauthorized access, becoming a precursor to many critical data theft and ransomware attacks. Basically, Emotet acts as the strike team hired to get malware like Trickbot through as many doors as possible, by exploiting vulnerabilities or by stealing keys.

It worms its way through a network, generally using phishing emails from compromised systems to spread quickly. Once it has infected enough computers, it will drop (install) other malicious programs like TrickBot, which has several modular, built-in tools to discover system information, compromise that system, and steal data.

Why Emotet is Difficult to Detect

Once it infects an endpoint, Emotet will aggressively try to access any connected networks by brute-forcing passwords, and with millions of corporate devices poorly protected by simplistic passwords, this capability assures lateral movement within many enterprises.

Emotet uses multiple methods for maintaining persistence and evasion techniques to avoid detection, using modular Dynamic Link Libraries (DLLs) to continuously evolve and update its capabilities. It’s polymorphic, which makes it difficult for traditional antivirus solutions to detect and effectively reconstructs itself each time it deploys from device memory. It doesn’t have a recognizable signature and can recognize virtual machine environments and avoid sandboxes.

Emotet also uses C&C servers to receive updates. This works the same way as the operating system updates on your PC and can happen seamlessly without any outward signs. This allows the attackers to install updated software versions, install additional malware such as other banking Trojans, or act as a dumping ground for stolen information such as financial credentials, usernames and passwords, and email addresses. Emotet’s goal is to steal data and create persistent access routes into victims’ networks.

How to Protect Your Organization Against Emotet

Capable of silently infecting large numbers of connected devices from only a few initial access points and bypassing even the most advanced antivirus solutions, Emotet is an immense cybersecurity threat that organizations should take seriously. An Emotet infection on your network can result in critical data loss, interruption of daily operations, considerable mitigation costs, and reputation damage to your organization.

As persistent and evasive as Emotet is, you can take effective action to guard against it. Here are a few ways to do exactly that.

Cybersecurity Awareness Training: Defending against the resurgent threat Emotet poses starts with cybersecurity training for staff. Emotet typically spreads via phishing spam emails – it launches its service once a user clicks a link that opens a macro-enabled attachment. If you can stop an employee from opening that file or clicking that link in the first place, then Emotet will struggle to find a foothold on your network. Conducting regular training will help educate your employees on how to spot and avoid phishing and social engineering attacks.
Use Next-Generation Antivirus Solution for Your Enterprise: What makes Emotet malware so hard to eradicate is that it was designed to evade traditional file-based antivirus detection. For this reason, you will need to install more robust antivirus software that can keep up with and protect your organization against evolving threats.
Password Hygiene and 2FA: Good password hygiene within networks is vital, and insisting on 2FA for network access goes a long way in protecting you against Emotet.
Endpoint Detection and Response: Investing in next-generation Endpoint Protection and Response (EDR) tools to help uncover malicious activity in its infancy by monitoring endpoints such as servers and workstations for evidence of suspicious behavior.
Identify and Secure Unmanaged Devices: Eradicate potential blind spots like the internet of things (IoT) devices. Even if Emotet appears to be confined to an unsecured machine, the threat has not been neutralized because it’s polymorphic, constantly updating itself and working towards spreading further. Given enough time, it has a good chance of finding a weakness in your defenses that can be exploited.
Patch Management: Keeping your software, firmware, and security updated is one of the best ways to shore up vulnerabilities. For example, TrickBot is often delivered as a secondary Emotet payload, and TrickBot relies on the Windows EternalBlue vulnerability, so patch that vulnerability before the cybercriminals can take advantage of it. Scan your network, then patch any unsecured machines and ensure everything has the latest endpoint protection. This will protect you against a myriad of threats, not just Emotet.
Adopt a Zero Trust Model: Adopting a ZeroTrust model is important for any organization that wants to be protected against Emotet or any other botnet/ransomware threat. By assuming all connections can be compromised and segmenting your network, you can mitigate lateral movement, limit the affected systems and threat actions to a single perimeter, and increase the chance of detecting malicious behaviors inside your network.
Email Security: Disable macros from being used in Microsoft Office files and block email attachments containing file extensions most commonly associated with malware, namely .dll and .exe. Employ an email filtering system to improve your email security to keep out malspam. An email filtering system detects spam, identifies messages that contain malicious domains, URLs, and IPs, and removes malware attachments.
Privileged Access Management: An end-user running with more privileges than necessary makes it a fairly easy exercise for malware to infiltrate a system and propagate through a network. Removing all unnecessary privileges helps reduce attack surfaces and restricts the ability for lateral movement inside the network.

How We Can Help

The resurgence of Emotet is testimony to how cybercriminals continue to evolve tried-and-true malware while also developing new threats. It takes advanced cybersecurity solutions and a proactive approach to keep organizations evolving their defenses at the same pace.

If you need help strengthening your cybersecurity posture or suspect you’ve already been infected by Emotet, the experts at Alvarez Technology Group can help. Our cybersecurity experts will protect your endpoints, identify and patch your vulnerabilities and help remove Emotet and any other malware from your systems. Contact us today!