T2021_06 Emotet Malware (19th March 2021)

Emotet is a Trojan that is spread primarily through phishing emails. It can be executed from a malicious script, a macro-enabled document file or a malicious link. Emotet steals personal data (such as logins/passwords, browsing activity and banking information) and acts as a door opener, allowing other malware to enter the infected device. Malware such as Trickbot, QakBot, Dridex and Ryuk (a known ransomware) have been found using Emotet as a dropper, resulting in ransomware being deployed on the infected device or confidential data being stolen.

This malware uses phishing techniques to trick users into clicking on malicious files or links attached to emails, for example by pretending to be from a legitimate sender or by claiming the matter is urgent.

Once a device is infected, the malware evades antivirus programs: it is polymorphic, changing its code so that it usually hides from signature-based detection. It also acts like a worm, attempting to infect and spread to other devices on the network.

How it works

The malware is primarily spread via phishing emails that aim to deceive users into clicking on or downloading malicious code. Once the code is executed, it establishes persistence by creating registry auto-start keys, injects code into running processes and collects data. It then attempts to spread across the network through its integrated spreader modules.

How it is Distributed 

This malware uses five known spreader modules: NetPass.exe, WebBrowserPassView, Mail PassView, Outlook scraper, and a credential enumerator.

  • NetPass.exe is a legitimate utility developed by NirSoft that recovers all network passwords stored on a system for the current logged-on user. This tool can also recover passwords stored in the credentials file of external drives.

  • Outlook scraper is a tool that scrapes names and email addresses from the victim’s Outlook accounts and uses that information to send out additional phishing emails from the compromised accounts. 

  • WebBrowserPassView is a password recovery tool that captures passwords stored by Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera and passes them to the credential enumerator module. 

  • Mail PassView is a password recovery tool that reveals passwords and account details for various email clients such as Microsoft Outlook, Windows Mail, Mozilla Thunderbird, Hotmail, Yahoo! Mail, and Gmail and passes them to the credential enumerator module. 

  • Credential enumerator is a self-extracting RAR file containing two components: a bypass component and a service component. The bypass component is used for the enumeration of network resources and either finds writable share drives using Server Message Block (SMB) or tries to brute force user accounts, including the administrator account. Once an available system is found, Emotet writes the service component on the system, which writes Emotet onto the disk. Emotet’s access to SMB can result in the infection of entire domains (servers and clients). 

Indicators of Compromise  

Emotet hides within system folders, registers itself as a system service and can modify Windows registry settings so that it runs automatically when the system starts. Emotet is usually found in an arbitrary path under the AppData\Local and AppData\Roaming directories, and it mimics the names of known executables. Persistence is maintained through Scheduled Tasks or via registry keys. Additionally, Emotet creates randomly named files in the system root directories that are run as Windows services. Compromised systems regularly contact Emotet’s Command and Control (C2) servers to retrieve updates and new payloads.
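The persistence indicators described above can be checked programmatically. The following Python script is an added example and not code from the CIRT advisory: it takes persistence entries (Run keys, scheduled tasks and services) as plain dicts, here constructed sample data rather than a live export, and flags executables running from AppData\Local or AppData\Roaming, well-known executable names sitting outside their legitimate directory, and randomly named service binaries in system root directories. The allow-list of known executables and the name-randomness heuristic are assumptions made for this example.

```python
"""Triage Windows persistence entries for the Emotet indicators described above.

Added example, not code from the CIRT advisory. Input is a list of dicts with
"type" (run_key, task or service), "name" and "command"; SAMPLE_ENTRIES below is
constructed here to resemble exported Run keys, scheduled tasks and services.
"""
import re
from pathlib import PureWindowsPath

# Illustrative allow-list (assumption): executable names Emotet is known to mimic,
# mapped to the directory in which the legitimate copy lives.
KNOWN_BINARIES = {
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
    "lsass.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
}

APPDATA_RE = re.compile(r"\\appdata\\(local|roaming)\\", re.IGNORECASE)
VOWELS = set("aeiouy")


def extract_path(command: str) -> str:
    """Return the executable path from a command line (quoted path or first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def looks_random(stem: str) -> bool:
    """Heuristic for machine-generated names: letters mixed with digits, or almost no vowels."""
    s = stem.lower()
    if len(s) < 6:
        return False
    letters = [c for c in s if c.isalpha()]
    digits = [c for c in s if c.isdigit()]
    if letters and digits:
        return True
    vowel_ratio = sum(c in VOWELS for c in letters) / max(len(letters), 1)
    return vowel_ratio < 0.15


def flag_entry(entry: dict) -> list:
    """Return the reasons (possibly none) why one persistence entry looks like Emotet."""
    reasons = []
    path = extract_path(entry["command"])
    if not path:
        return reasons
    p = PureWindowsPath(path)
    name, parent = p.name.lower(), str(p.parent).lower()

    # 1. Executable running from AppData\Local or AppData\Roaming. Some legitimate
    #    per-user installers use these folders too, so treat this as a lead, not proof.
    if APPDATA_RE.search(str(p)):
        reasons.append("runs from AppData\\Local or AppData\\Roaming")
    # 2. A well-known executable name sitting outside its legitimate directory.
    if name in KNOWN_BINARIES and parent != KNOWN_BINARIES[name]:
        reasons.append(f"{name} outside {KNOWN_BINARIES[name]}")
    # 3. Randomly named file directly under the drive root or C:\Windows, registered as a service.
    drive = p.drive.lower()
    in_system_root = parent in (drive + "\\", drive + r"\windows")
    if entry["type"] == "service" and in_system_root and looks_random(p.stem):
        reasons.append("randomly named service binary in a system root directory")
    return reasons


def triage(entries: list) -> dict:
    """Map the name of every suspicious entry to its list of reasons."""
    return {e["name"]: r for e in entries if (r := flag_entry(e))}


# Constructed sample data: two entries are benign, three show the advisory's indicators.
SAMPLE_ENTRIES = [
    {"type": "run_key", "name": r"Run\Windows Update",
     "command": r'"C:\Users\bob\AppData\Local\Microsoft\Windows\svchost.exe"'},
    {"type": "run_key", "name": r"Run\VendorUpdater",
     "command": r'"C:\Program Files\Vendor\Updater.exe" --quiet'},
    {"type": "task", "name": r"Task\mstsnotifier",
     "command": r"C:\Users\bob\AppData\Roaming\mstsnotifier\mstsnotifier.exe"},
    {"type": "service", "name": r"Service\xqzvbtk",
     "command": r"C:\Windows\xqzvbtk.exe"},
    {"type": "service", "name": r"Service\netsvcs",
     "command": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_ENTRIES).items():
        print(f"{name}: {'; '.join(reasons)}")
```

An AppData hit on its own is only a lead, because some per-user software legitimately installs there; it is the combination with a mimicked system executable name or an unexpected service that narrows the triage, and any hit should be confirmed against the IOC feeds listed below.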

More indicators of compromise can be found via the following URLs:

  1. AlienVault IOC

         https://otx.alienvault.com/pulse/5bb4f4156e489a1abbbd1d28/

  2. Malwarebytes IOC

         https://blog.malwarebytes.com/detections/trojan-emotet/

  3. PrecisionSec’s IOC

         https://precisionsec.com/threat-intelligence-feeds/emotet/

  4. Cybersecurity & Infrastructure Security Agency (CISA) IOC

         https://us-cert.cisa.gov/ncas/alerts/aa20-280a

Mitigation Measures 

  • Keep software and endpoints updated (antivirus and operating systems). Updates close known vulnerabilities and keep antivirus IOC signatures current.

  • Educate users through cybersecurity awareness training sessions. This helps employees to be on the lookout for malicious emails.

  • Implement filters in email clients and at the email gateway to filter out emails with known malware and spam indicators.

  • Consider implementing Group Policy and least privilege practices on your network; this can help to limit the impact of breaches.

  • Consider implementing multi-factor authentication. This adds another layer of protection in securing credentials.   

  • Segment and segregate networks and functions. Segmentation can help to contain breaches by isolating the infected area without affecting the entire network.
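The email-filtering recommendation above can be made concrete at the gateway or in a mail client. The following Python script is an added example, not code from the CIRT advisory: it parses a message, inspects each attachment and holds for review anything that can carry Office macros, namely macro-enabled extensions, legacy OLE documents, and OOXML packages that contain a VBA project regardless of the extension the sender chose. The message and its attachments are constructed inside the script so that it runs offline; the sender, recipient and file names are placeholders.

```python
"""Flag email attachments that can carry Office macros, at the gateway or in a client.

Added example, not code from the CIRT advisory. The message and its attachments
are constructed in build_sample_message() so the script runs offline.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Macro-enabled Office extensions (the real OOXML suffixes for documents with VBA).
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}
# Magic bytes of the legacy OLE compound file format used by .doc/.xls/.ppt.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def attachment_findings(filename: str, data: bytes) -> list:
    """Return the reasons an attachment should be held for review (empty if none)."""
    reasons = []
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in MACRO_EXTENSIONS:
        reasons.append("macro-enabled Office extension")
    if data.startswith(OLE_MAGIC):
        reasons.append("legacy OLE Office file (can carry VBA macros)")
    if data.startswith(b"PK"):
        # OOXML documents are zip packages; a VBA project inside one is a macro
        # no matter what extension the sender gave the file.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as package:
                if any(n.lower().endswith("vbaproject.bin") for n in package.namelist()):
                    reasons.append("OOXML package contains vbaProject.bin")
        except zipfile.BadZipFile:
            reasons.append("zip-like attachment could not be parsed")
    return reasons


def scan_message(raw: bytes) -> dict:
    """Parse an RFC 5322 message and map each suspicious attachment name to its reasons."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        reasons = attachment_findings(name, part.get_payload(decode=True) or b"")
        if reasons:
            findings[name] = reasons
    return findings


def build_sample_message() -> bytes:
    """Constructed phishing-style message: an 'invoice' hiding a VBA project, a PDF and an .xlsm."""
    package = io.BytesIO()
    with zipfile.ZipFile(package, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder VBA project, constructed
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"          # placeholder sender
    msg["To"] = "user@example.org"                # placeholder recipient
    msg["Subject"] = "Invoice overdue - action required"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(package.getvalue(), maintype="application", subtype="octet-stream",
                       filename="Invoice.docx")  # named .docx, but the package carries macros
    msg.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                       subtype="pdf", filename="terms.pdf")
    msg.add_attachment(b"constructed placeholder", maintype="application",
                       subtype="vnd.ms-excel.sheet.macroEnabled.12", filename="sheet.xlsm")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in scan_message(build_sample_message()).items():
        print(f"HOLD {name}: {'; '.join(reasons)}")
```

Checking the package contents rather than only the extension matters because the file name is under the sender's control; a held message can then be released by a reviewer or passed to sandbox analysis.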

If you believe that you have been affected by the Emotet malware, please follow the steps below:

  1. Immediately disconnect the infected device from the network. Once the device is isolated, it can be patched and cleaned.

  2. Check the system for any indicators of compromise and delete all that are found.

  3. Use an updated antivirus to scan and clean the infected system.

  4. Change all related system passwords.

The Guyana National CIRT recommends that users and administrators review these recommendations and implement where necessary.

PDF Download: Emotet Malware.pdf

References 

  1. Emotet Malware (January 23rd, 2020). Retrieved from Cybersecurity & Infrastructure Security Agency (CISA)

          https://us-cert.cisa.gov/ncas/alerts/TA18-201A

          https://us-cert.cisa.gov/ncas/alerts/aa20-280a

  2. MS-ISAC Security Primer - Emotet. Retrieved from Center for Internet Security

          https://www.cisecurity.org/white-papers/ms-isac-security-primer-emotet/

  3. Let’s talk Emotet malware. Retrieved from Malwarebytes

          https://www.malwarebytes.com/emotet/

  4. Trojan.Emotet. Retrieved from Malwarebytes Labs

          https://blog.malwarebytes.com/detections/trojan-emotet/

  5. It’s baaaack: Public cyber enemy Emotet has returned (October 30th, 2020). Retrieved from Malwarebytes Labs

          https://blog.malwarebytes.com/trojans/2020/07/long-dreaded-emotet-has-returned/

  6. World’s Most Dangerous Malware Emotet Disrupted Through Global Action (January 27th, 2021). Retrieved from Europol Newsroom

          https://www.europol.europa.eu/newsroom/news/world%E2%80%99s-most-dangerous-malware-emotet-disrupted-through-global-action

  7. Emotet: How to best protect yourself from the Trojan. Retrieved from Kaspersky

          https://www.kaspersky.com/resource-center/threats/emotet

  8. Emotet IOC Feed. Retrieved from PrecisionSec

          https://precisionsec.com/threat-intelligence-feeds/emotet/

  9. T. Meskauskas (January 25th, 2021). Emotet virus removal guide. Retrieved from Pcrisk

          https://www.pcrisk.com/removal-guides/12862-emotet-virus

  10. Newly Released Emocheck Tool Can Detect Systems Infected with Emotet Trojan (February 4th, 2020). Retrieved from Cyware

          https://cyware.com/news/newly-released-emocheck-tool-can-detect-systems-infected-with-emotet-trojan-73b62738

  11. EmoCheck Tool. Retrieved from JPCERT Coordination Center GitHub Repositories

          https://github.com/JPCERTCC/EmoCheck

  12. K. Sajo (February 25th, 2021). Emotet Disruption and Outreach to Affected Users. Retrieved from JPCERT Coordination Center

          https://blogs.jpcert.or.jp/en/2021/02/emotet-notice.html