Emotet continues to be among the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments. Its highly infectious nature makes it difficult to combat and has cost SLTT governments up to $1 million per incident to remediate due to its worm-like features resulting in rapid, network-wide infections. Emotet is an advanced, modular banking trojan that primarily functions as a downloader or dropper of other banking trojans. Additionally, Emotet is polymorphic allowing it to evade typical signature-based detection. It has several methods for maintaining persistence, including auto-start registry keys and services. The trojan uses modular Dynamic Link Libraries (DLL) to continuously evolve and update its capabilities. Furthermore, Emotet is Virtual Machine (VM) aware and can generate false indicators if run in a virtual environment. Emotet is disseminated through malspam (emails containing malicious attachments or links) that uses branding familiar to the recipient, including the MSISAC name. As of July 2018, the most recent campaigns imitate PayPal receipts, shipping notifications, or “past-due” invoices purportedly from the MS-ISAC. Initial infection occurs when a user opens or clicks the malicious download link, PDF, or macro enabled Microsoft Word document included in the malspam. Once downloaded, Emotet establishes persistence and attempts to propagate the local networks through incorporated spreader modules.
Currently, there are five known spreader modules:
NetPass.exe, WebBrowserPassView, Mail PassView, Outlook scraper, and a credential enumerator.
- exe: a legitimate utility developed by NirSoft that recovers all network passwords stored on a system for the current logged-on user. This tool can also recover passwords stored in the credentials file of external drives.
- Outlook scraper: a tool that scrapes names and email addresses from the victim’s Outlook accounts and uses that information to send out additional phishing emails from the compromised accounts.
- WebBrowserPassView: a password recovery tool that captures passwords stored by Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera and passes them to the credential enumerator module.
- Mail PassView: a password recovery tool that reveals passwords and account details for various email clients such as Microsoft Outlook, Windows Mail, Mozilla Thunderbird, Hotmail, Yahoo! Mail, and Gmail and passes them to the credential enumerator module.
- Credential enumerator: a self-extracting RAR file containing two components, a bypass and a service component. The bypass component is used for enumeration of network resources and either finds writable share drives using Server Message Block (SMB) or tries to brute force user accounts, including the administrator account. Once an available system is found, Emotet then writes the service component on the system, which writes Emotet onto the disk. Access to SMB can result in entire domains (servers and clients) becoming infected.
To maintain persistence, Emotet injects code into explorer.exe and other running processes. The Trojan can also collect sensitive information including system name, location, operating system version, and connects to a remote command and control server (C2) usually through a generated 16 letter domain name that ends in “.eu.” Once Emotet establishes a connection with the C2, it reports a new infection, receives configuration data, downloads and runs files, receives instructions, and uploads data to the C2 server. Emotet artifacts are typically found in arbitrary paths located off of the AppData\Local and AppData\Roaming directories and mimicking names of known executables. Persistence is typically maintained through scheduled tasks or via registry keys. Additionally, Emotet creates randomly-named files in the system root directories that are run as windows services. When executed, these services attempt to propagate the malware to adjacent systems via accessible administrative shares. It is essential that privileged accounts are not used to login to compromised systems during remediation as this may accelerate the spread of the malware.
RECOMMENDATIONS:
The Secnic Consultancy recommends organizations adhere to the following general best practices, to limit the effect of Emotet and similar malspam in your organization.
- Use Group Policy to set a Windows Firewall rule to restrict inbound SMB communication between client systems. If using an alternative host-based intrusion prevention system (HIPS), consider implementing custom modifications for the control of client-to-client SMB communication. At minimum create a Group Policy Object that restricts inbound SMB connections to clients originating from clients.
- Use antivirus programs on clients and servers, with automatic updates of signatures and software.
- Apply appropriate patches and updates immediately after appropriate testing.
- Implement filters at the email gateway to filter out emails with known malspam indicators, such as known malicious subject lines, and block suspicious IP addresses at the firewall.
- If you do not have a policy regarding suspicious emails, consider creating one and specifying that all suspicious emails should be reported to the security and/or IT departments.
- Mark external emails with a banner denoting it is from an external source. This will assist users in detecting spoofed emails.
- Provide social engineering and phishing training to employees. Urge them to not open suspicious emails, click links contained in such emails, post sensitive information online, and to never provide usernames, passwords and/or personal information to any unsolicited request. Teach users to hover over a link with their mouse to verify the destination prior to clicking on the link.
- Consider blocking file attachments that are commonly associated with malware, such as .dll and .exe, and attachments which cannot be scanned by antivirus software, such as .zip files.
- Adhere to the principal of least privilege, ensuring that users have the minimum level of access required to accomplish their duties. Limit administrative credentials to designated administrators.
- Implement Domain-Based Message Authentication, Reporting & Conformance (DMARC), a validation system that minimizes spam emails by detecting email spoofing using Domain Name System (DNS) records and digital signatures.
- Adhere to best practices, such as those described in the CIS Controls, which are part of the CIS SecureSuite.
If a user opened a malicious email or an infection is believed to exist, we recommend running an antivirus scan on the system and take action based on the results to isolate the infected computer. If multiple machines are infected:
- Identify the infection source (patient zero);
- Identify, shutdown, and take the infected machines off the network;
- Consider temporarily taking the network offline to perform identification, prevent reinfections, and stop the spread of the malware;
- Do not login to infected systems using domain or shared local admin accounts;
- Reimage the infected machine(s);
- After reviewing systems for Emotet indicators, move clean systems to a containment VLAN, segregated from the infected network;
- Issue password resets for both domain and local credentials;
- As Emotet scrapes additional credentials, consider password resets for other applications that may have had stored credentials on the compromised machine(s);
- Review log files and the Outlook mailbox rules associated with the user account to ensure further compromises have not occurred. It is possible that the Outlook account may now have rules to auto forward all emails to an external email address, which could result in a data breach.