By Edward Serafin III, C|EH, Security Architect
Emotet: What is it?
Emotet is a type of malware that originated in 2014. It was initially a banking trojan that stole information from people, such as credit card details. It was delivered via social engineering techniques like malicious spam. As years went by, it became more dangerous and destructive. It has now evolved into what the U.S. Department of Homeland Security calls “…the most costly and destructive malware affecting state, local, tribal, and territorial governments, and the private and public sectors”
Emotet was inactive for some time until earlier this year. It has transformed into modular malware, making it stealthy and more dangerous. One of its stealth-like mechanisms is its polymorphic abilities. The code changes at least three times a day. Additionally, Emotet can detect when it is in a virtual machine and sandbox environment, allowing it to remain dormant and undetectable. To make matters worse, it has transformed into a worm, allowing it to spread and infect many devices instead of just one.
It was recently discovered that Emotet now has a WiFi spreader. This is a completely new attack vector that poses a danger to companies near an infected one. If someone near you is infected with Emotet, and your WFi password is not strong, then there is a likely chance you too will be infected by this malware.
How does it work?
The main attack vector remains the same through malicious spam. The infection can arrive through a malicious script, macro-enabled document files, or malicious link. Emotet emails are disguised to look like a real email. Once the infection is on the computer, it will send itself to the entire contact list found on the device. This makes the email look more legitimate, as it is coming from a real source.
Once the document is opened, a batch script is invoked, followed by a PowerShell. A number of URLS for hijacked websites are then cycled to download the Emotet payload. The payload executes and then persists itself. It then begins spreading by brute-forcing its way onto other systems on the network.
The new attack vector recently discovered works like this:
1. Emotet infects a host
2. WiFi Spreader module is downloaded and then run
3. Nearby devices with reachable WiFi networks are discovered
4. A brute-force attack is conducted on each network
5. Once in, another brute-force attack is conducted to discover the usernames and passwords of servers and computers connected to the WiFi network
6. The Emotet infection cycle repeats
How can I defend against EMOTET?
Awareness – Awareness is a key component in preventing Emotet from spreading. Informing the employees of your company to avoid spam emails and to not click on any downloads is important. If you do not know the sender, avoid the email. If you did not expect a message with an attachment, do not open it. A security awareness training program is recommended to ensure employees know how to detect malicious emails.
Incident Response – Having a robust incident response plan in case of a device infected by Emotet is important. Below are 9 steps the plan should incorporate:
2. Analysis/Classification – Analyze what was compromised and classify accordingly
3. Containment – Restrict access to the affected system(s). Change passwords if necessary.
4. Pre-recovery – Backup affected systems
5. Communication – Tell the people who need to know
6. Containment(long-term) – If system(s) must return to production immediately; scan for malware, install security patches, remove any identified invalid accounts/ackdoors, and validate with a vulnerability scanner
7. Eradication – Rebuild the system(s) from backups and make sure all malware is gone.
8. Recovery – Restore the affected system(s) to their original state and put them back into production
9. Lessons Learned – Document what was discovered about the incident
A good Security Operations Center (SOC) is needed to implement such an incident response plan. If your company does not have one, a SOC-as-a-service is a good option to look into as it will keep your business safe and secure.
Artificial Intelligence – Traditional security tools are no match for Emotet, but artificial intelligence and machine learning solve this problem. Some cybersecurity software uses unsupervised machine learning algorithms to detect cyber-threats that have already infiltrated the network. It learns the individual pattern of life of every user device, and network that it protects. It can determine what is considered normal and anomalous behavior. It is able to detect malicious email spamming and brute-force attacks with ease.
Having an intrusion prevention system that utilizes machine learning and artificial intelligence is perhaps the best security measure, besides awareness, in combating Emotet.
Secure WiFi – With this new attack vector, companies should complexify their WiFi passwords.
Create backups – This is a simple and effective way to decrease the damages that Emotet can cause. If your company is not conducting regular backups, investing in a backup solutions business is ideal. This ensures data is secure, always available, and accurate.
Patch and Secure Machines – Making sure machines are secured and up to date is important in preventing Emotet from infecting the device. An out-of-date machine has more vulnerabilities which increases risk of infection.
Network Segmentation – This is an uncommon practice, but with the recent blow-up in devastating malware, it is now becoming more used. Splitting a network into subnetworks exponentially increases network security and performance. If one network is infected, only those devices on the network will remain infected. All devices on the other network will remain safe, secure, and be able to continue their daily tasks.
What Do I Do If My Organization is Infected?
Even with all these ways to defend against Emotet, it is still possible for it to get through. That is the unfortunate nature of cyber security. Nothing is 100% protected. All it takes is one click from an employee for Emotet to be downloaded and infect the computer. One click to potentially cost your company millions.
If a device is infected, it is important to assess how much damage has been done. With this type of malware, you should assume that if one device is infected, so are others. The following are some steps to follow if possible:
- Shut down the entire network
- Remove the malware.
- Secure the device
- Restore the network
Emotet is a deadly, polymorphic virus that is becoming deadlier by the month. The more people know about it, the easier it will be to prevent it. Nothing is ever completely secure, but the best we as humans can do is try to minimize loss by making things as secure as possible. The cyber-security field changes on a daily basis, with new malware being introduced all the time. With the emerging AI technology, the future is looking bright for cyber-security. Emotet may be running rampant now, but as long as you follow the ways to defend against it, you and your company will be safe.
Concerned about your vulnerabilities and want to learn more about how to safeguard your organization? Contact us.
** The advice shared in this blog is for informational purposes only and to provide guidance. This does not guarantee an organization is risk-free from cyber threats nor is it meant to provide a detailed plan for an organization’s cybersecurity policies. It is not meant to assure or provide guidance with any laws or regulations in the United States or any other regulatory body worldwide. For further assistance, we recommend contacting your cybersecurity solution provider to discuss specific details. **