Emotet is a Trojan that is spread primarily through phishing emails. It can be executed from a malicious script, a macro-enabled document file or a malicious link. Emotet steals personal data (such as logins/passwords, browsing activity and banking information) and acts as a door opener, allowing other malware to enter the infected device. Malware such as Trickbot, QakBot, Dridex and Ryuk (a known ransomware) were found using Emotet as a dropper, resulting in the infected device being hit with ransomware or having confidential data stolen.
This malware uses phishing techniques, such as pretending to be from a legitimate sender or claiming to be an urgent matter, to trick users into clicking on malicious files or links attached to emails.
Once a device is infected, the malware usually hides from antivirus programs and evades them: Emotet is polymorphic, changing its code to defeat signature-based detection. It also acts like a worm, trying to infect and spread to other devices on the network.
How it works
The malware is primarily spread via phishing emails that aim to deceive users into clicking a link or downloading malicious code. After the code is executed, it establishes persistence by creating registry auto-start keys, injects code into running processes and collects data; it then attempts to spread across the network through its integrated spreader modules.
How it is Distributed
This malware uses five known spreader modules: NetPass.exe, WebBrowserPassView, Mail PassView, Outlook scraper and a credential enumerator.
NetPass.exe is a legitimate utility developed by NirSoft that recovers all network passwords stored on a system for the currently logged-on user. This tool can also recover passwords stored in the credentials file of external drives.
Outlook scraper is a tool that scrapes names and email addresses from the victim's Outlook accounts and uses that information to send out additional phishing emails from the compromised accounts.
WebBrowserPassView is a password recovery tool that captures passwords stored by Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera and passes them to the credential enumerator module.
Mail PassView is a password recovery tool that reveals passwords and account details for various email clients such as Microsoft Outlook, Windows Mail, Mozilla Thunderbird, Hotmail, Yahoo! Mail, and Gmail and passes them to the credential enumerator module.
Credential enumerator is a self-extracting RAR file containing two components: a bypass component and a service component. The bypass component is used for the enumeration of network resources; it either finds writable share drives using Server Message Block (SMB) or tries to brute-force user accounts, including the administrator account. Once an available system is found, Emotet writes the service component to that system, which in turn writes Emotet onto the disk. Emotet's access to SMB can result in the infection of entire domains (servers and clients).
Indicators of Compromise
Emotet hides within the system folders, registers as a system service and can modify Windows registry settings so that it auto-runs when the system starts. Emotet is usually found in an arbitrary path under the AppData\Local and AppData\Roaming directories, and it mimics the names of known executables. Persistence is maintained through Scheduled Tasks or via registry keys. Additionally, Emotet creates randomly named files in the system root directories that are run as Windows services. Compromised systems regularly contact Emotet's command and control (C2) servers to retrieve updates and new payloads.
More indicators of compromise can be found via the following URLs:
Cybersecurity & Infrastructure Security Agency (CISA) IOC
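The following read-only triage script is an added example for this advisory, not tooling from the Guyana National CIRT or any of the referenced sources. It enumerates the persistence locations the indicators above describe (Run/RunOnce registry keys, scheduled task actions and Windows services) and reports entries whose program runs from AppData\Local or AppData\Roaming, sits directly under the system root, or carries the name of a well-known system executable while living outside System32. Assumptions: it is run in an elevated PowerShell session on the suspect host, and the look-alike name list and the "directly under the system root" rule are constructed heuristics rather than published Emotet signatures, so every hit still needs an analyst's review.

```powershell
# Added example (not the CIRT's own tooling): read-only persistence triage for
# the Emotet indicators named in the advisory. Run elevated on the suspect host.

$RunKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$AppDataRoots = @(
  [Environment]::GetFolderPath('LocalApplicationData'),   # ...\AppData\Local
  [Environment]::GetFolderPath('ApplicationData')         # ...\AppData\Roaming
)
$SystemRoots = @($env:SystemRoot, ($env:SystemDrive + '\'))
# Constructed heuristic list: legitimate copies of these live in System32/SysWOW64.
$LookAlikeNames = @('svchost.exe', 'lsass.exe', 'csrss.exe', 'winlogon.exe', 'rundll32.exe')

function Get-ExecutablePath {
  # Pull the program path out of a command line, quoted or not, expanding %VARS%.
  param([string]$CommandLine)
  if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
  $CommandLine = [Environment]::ExpandEnvironmentVariables($CommandLine)
  $m = [regex]::Match($CommandLine, '^\s*"?([^"]+?\.(exe|dll|bat|cmd|vbs|js|ps1))', 'IgnoreCase')
  if ($m.Success) { return $m.Groups[1].Value }
  return $CommandLine.Trim()
}

function Get-SuspicionReasons {
  # Return the advisory indicators a path matches; an empty result means nothing odd.
  param([string]$Path)
  $reasons = @()
  if (-not $Path) { return $reasons }
  $dir  = [System.IO.Path]::GetDirectoryName($Path)
  $name = [System.IO.Path]::GetFileName($Path)
  foreach ($root in $AppDataRoots) {
    if ($Path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $reasons += 'runs from AppData' }
  }
  foreach ($root in $SystemRoots) {
    if ($dir -and ($dir.TrimEnd('\') -ieq $root.TrimEnd('\'))) { $reasons += 'file directly under system root' }
  }
  if (($LookAlikeNames -contains $name) -and
      ($dir -notlike "$env:SystemRoot\System32*") -and
      ($dir -notlike "$env:SystemRoot\SysWOW64*")) {
    $reasons += 'system-executable name outside System32'
  }
  return $reasons
}

function Add-Finding {
  # Record the entry only when at least one indicator matched.
  param($List, [string]$Source, [string]$Name, [string]$Path)
  $reasons = @(Get-SuspicionReasons $Path)
  if ($reasons.Count -gt 0) {
    $List.Add([pscustomobject]@{ Source = $Source; Name = $Name; Path = $Path; Reason = ($reasons -join '; ') })
  }
}

function Invoke-EmotetPersistenceTriage {
  $findings = New-Object System.Collections.Generic.List[object]

  # 1. Registry auto-start keys.
  foreach ($key in $RunKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
      if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath and friends
      Add-Finding $findings "Registry $key" $p.Name (Get-ExecutablePath $p.Value)
    }
  }

  # 2. Scheduled task actions.
  foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
    foreach ($action in $task.Actions) {
      if ($action.Execute) {
        Add-Finding $findings 'Scheduled task' ($task.TaskPath + $task.TaskName) (Get-ExecutablePath $action.Execute)
      }
    }
  }

  # 3. Windows services and the binaries they point at.
  foreach ($svc in (Get-CimInstance -ClassName Win32_Service)) {
    Add-Finding $findings 'Service' $svc.Name (Get-ExecutablePath $svc.PathName)
  }

  return $findings
}

Invoke-EmotetPersistenceTriage | Format-Table -AutoSize
```

The script changes nothing on the host; it only reads autorun locations and prints a table an analyst can compare against the indicator descriptions above. Pipe the result to Export-Csv if the findings need to be preserved as part of the incident record before any cleanup begins.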
Keep software and endpoints updated (antivirus and operating systems). This helps protect devices from vulnerabilities and keeps IOC signatures current.
Educate users through cybersecurity awareness training sessions. This helps employees to be on the lookout for malicious emails.
Implement filters in emails and at the email gateway to filter out emails with known malware and spam indicators.
Consider implementing Group Policy and least-privilege practices in your network; this can help to mitigate breaches.
Consider implementing multi-factor authentication. This adds another layer of protection in securing credentials.
Segment and segregate networks and functions. Segmentation can help to mitigate breaches by isolating the infected area without affecting the entire network.
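As an added example of the email filtering recommended above (not a configuration from the CIRT or any referenced vendor), the script below shows the kind of attachment check a mail gateway rule or a quarantine script can apply. It flags the macro-enabled Office documents and script files this advisory names as Emotet carriers, and inspects OOXML attachments (which are zip archives) for an embedded VBA project, so a macro document renamed to .docx is still caught. The extension lists, the sample attachments it builds in a temporary folder and the hash list are all constructed for the example; the hash list is a placeholder meant to be populated from an IOC feed such as the CISA list referenced above.

```powershell
# Added example (not the CIRT's own gateway rule): attachment screening for
# the Emotet carriers named in the advisory. Sample inputs are constructed.

Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

# Constructed policy lists; legacy .doc/.xls are included because they can carry macros.
$MacroEnabledExtensions = @('.docm', '.dotm', '.xlsm', '.xltm', '.xlam', '.pptm', '.doc', '.xls')
$ScriptExtensions       = @('.js', '.jse', '.vbs', '.vbe', '.wsf', '.hta', '.ps1', '.bat', '.cmd', '.exe', '.scr', '.lnk')
# Placeholder: fill from a real IOC feed (lower-case SHA-256 strings).
$KnownBadSha256         = @('0000000000000000000000000000000000000000000000000000000000000000')

function Test-ContainsVbaProject {
  # OOXML files are zip archives; a VBA project is stored as <part>/vbaProject.bin.
  param([string]$Path)
  try {
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
      foreach ($entry in $zip.Entries) {
        if ($entry.FullName -match '(^|/)vbaProject\.bin$') { return $true }
      }
      return $false
    } finally { $zip.Dispose() }
  } catch {
    return $false   # not a zip (legacy binary format, or corrupt): decided by extension instead
  }
}

function Test-SuspectAttachment {
  # Returns an object with a Block/Allow verdict and the reason, for quarantine and logging.
  param([string]$Path)
  $ext = [System.IO.Path]::GetExtension($Path).ToLowerInvariant()
  $sha = (Get-FileHash -Path $Path -Algorithm SHA256).Hash.ToLowerInvariant()
  $reason = $null
  if     ($KnownBadSha256 -contains $sha)         { $reason = 'hash matches IOC list' }
  elseif ($MacroEnabledExtensions -contains $ext) { $reason = "macro-capable Office type $ext" }
  elseif ($ScriptExtensions -contains $ext)       { $reason = "script or executable type $ext" }
  elseif (Test-ContainsVbaProject $Path)          { $reason = 'VBA project embedded in an OOXML file' }
  $verdict = if ($reason) { 'Block' } else { 'Allow' }
  [pscustomobject]@{
    File    = [System.IO.Path]::GetFileName($Path)
    Sha256  = $sha
    Verdict = $verdict
    Reason  = $reason
  }
}

function New-SampleAttachments {
  # Constructed sample inputs: an OOXML file carrying a VBA project but named .docx,
  # a plain .docx without one, and a script attachment.
  $dir = Join-Path ([System.IO.Path]::GetTempPath()) ('emotet-filter-demo-' + [guid]::NewGuid())
  New-Item -ItemType Directory -Path $dir | Out-Null
  foreach ($spec in @(@{ Name = 'invoice.docx'; Vba = $true }, @{ Name = 'agenda.docx'; Vba = $false })) {
    $path = Join-Path $dir $spec.Name
    $zip = [System.IO.Compression.ZipFile]::Open($path, 'Create')
    try {
      $zip.CreateEntry('word/document.xml') | Out-Null
      if ($spec.Vba) { $zip.CreateEntry('word/vbaProject.bin') | Out-Null }
    } finally { $zip.Dispose() }
  }
  Set-Content -Path (Join-Path $dir 'payment.js') -Value '// constructed sample, no payload'
  return $dir
}

$demoDir = New-SampleAttachments
Get-ChildItem -Path $demoDir -File | ForEach-Object { Test-SuspectAttachment $_.FullName } | Format-Table -AutoSize
Remove-Item -Path $demoDir -Recurse -Force
```

In a gateway deployment the same Test-SuspectAttachment function would be called on each detached attachment, with a Block verdict routing the message to quarantine and the hash and reason written to the mail log so that blocked items can be correlated with the indicators published by CISA and the other sources listed below.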
If you believe that you have been affected by the Emotet malware, please follow the steps below:
Immediately disconnect the infected device from the network. Once the device is isolated, it can then be patched and cleaned.
Check the system for any indicators of compromise and delete all that are found.
Use an updated antivirus to scan and clean the infected system.
Change all related system passwords.
The Guyana National CIRT recommends that users and administrators review these recommendations and implement where necessary.
PDF Download: Emotet Malware.pdf
Emotet Malware (January 23rd, 2020). Retrieved from Cybersecurity & Infrastructure Security Agency (CISA).
MS-ISAC Security Primer: Emotet. Retrieved from Center for Internet Security.
Let's talk Emotet malware. Retrieved from Malwarebytes.
Trojan.Emotet. Retrieved from Malwarebytes Labs.
It's baaaack: Public cyber enemy Emotet has returned (October 30th, 2020). Retrieved from Malwarebytes Labs.
World's Most Dangerous Malware Emotet Disrupted Through Global Action (January 27th, 2021). Retrieved from Europol Newsroom.
Emotet: How to best protect yourself from the Trojan. Retrieved from Kaspersky.
Emotet IOC Feed. Retrieved from PrecisionSec.
T. Meskauskas (January 25th, 2021). Emotet virus removal guide. Retrieved from PCrisk.
Newly Released EmoCheck Tool Can Detect Systems Infected with Emotet Trojan (February 4th, 2020). Retrieved from Cyware.
EmoCheck Tool. Retrieved from JPCERT Coordination Center GitHub Repositories.
K. Sajo (February 25th, 2021). Emotet Disruption and Outreach to Affected Users. Retrieved from JPCERT Coordination