Protecting Your Network from Emotet Starts with Trained and Diligent Users
Like many other malware families, Emotet has resurfaced after first being reported in 2014 as a type of banking malware. Emotet was created by the threat actor Mealybug to target banking customers throughout Europe, using infected messages to obtain customer information and gain access to customer accounts.
How Emotet Works
This trojan finds its way onto machines through infected email attachments or links to documents that appear to be an invoice or another professional document the user would normally receive from that sender.
- Unlike many other malicious emails, these do not contain large numbers of misspellings or incorrect names, email addresses, or contact information.
- The links or attachments are usually a document or PDF that asks the user to enable macros.
- Macros are disabled by default in most of today’s document-handling programs, but when an infected file is opened, a banner asks the user to enable content or editing, which turns macros on.
- Once macros are enabled, the malicious code runs and produces obfuscated code that launches cmd.exe.
- Once it has control, it runs PowerShell, downloads and executes a binary, and creates a service that launches at every startup.
- Once the service is created, the malware establishes communication with a command and control server to inform the threat actors of the new victim machine.
Emotet is a Delivery System for Other Forms of Malware
These steps were part of the initial Emotet outbreak in 201, which hackers used to infect a company’s email. The new addition is that once command and control communication has been established, the malware is used as a delivery system for other forms of malware aimed at other organizations.
The Goal of Emotet Remains Unknown
The main goal or motive behind the resurgence of the Emotet trojan has yet to be determined, so we are left to speculate on its intent or endgame.
The information we do have tells us that the trojan is collecting a very large number of email contacts, which leads to bad press for those infected but no immediate monetary gain for the threat actors. Another important piece of the puzzle is the geographic location of the most recent attacks, the majority of which have occurred within the United States. This could be a sign that the attackers are working with a foreign government, either to gain access to government systems using the large number of email addresses collected or to use the botnet it has created in future attacks.
Altogether, it seems that in the end the Emotet trojan, if left on a network long enough, leads to the delivery of ransomware.
Corporate Email Security: Protecting Your Network from Emotet and Similar Threats
This attack, like many others, tries to take advantage of the weakest part of any network - the users.
The first step in mitigating the threat must be training the users who interact with the network. Because this infection requires user interaction to gain access to the device, simple security training can make a big difference: for example, teaching users to log in to a customer or provider billing system themselves rather than opening attached documents or following links to documents from within an email.
Another step that can be taken to prevent an Emotet infection is the use of system policies to block all devices from executing any macros or executables not previously whitelisted by system administrators. This solution may not be best for every environment, because some user groups may need macros or executables daily.
To prevent the spread of Emotet on a network, traffic moving both within and outside the network must be monitored continuously. In many cases the Emotet trojan requires command and control communications with outside or internal servers, either to receive directions or to exfiltrate data from the network to an outside storage location. Often these outside and internal communications can be caught by a properly monitored IDS (Intrusion Detection System). This identification allows an accurate response to an infection using the information gathered from those communications.
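One way to verify that the macro policy described above has actually landed on a workstation is to audit the Office policy registry values it sets. The Python below is an added example written for this article, not DataSure24 code: it parses the `.reg` text that `reg export` produces for the Office 16.0 policy hive (the export shown is constructed) and reports every Office application where a user can still click through the "Enable Content" banner. The `VBAWarnings` and `blockcontentexecutionfrominternet` values are the real Office policy values; the baseline of what counts as acceptable (signed-only or disabled, plus blocking Mark-of-the-Web macros) is this example's assumption.

```python
import re
from typing import Dict, List, Tuple

# Constructed .reg export (not from the article), approximating the output of
# `reg export HKCU\Software\Policies\Microsoft\Office\16.0 policy.reg`.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Word\Security]
"VBAWarnings"=dword:00000004
"blockcontentexecutionfrominternet"=dword:00000001

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Excel\Security]
"VBAWarnings"=dword:00000002

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\PowerPoint\Security]
"blockcontentexecutionfrominternet"=dword:00000001
"""

OFFICE_APPS = ("Word", "Excel", "PowerPoint")

# Office VBAWarnings values: 1 = enable all, 2 = disable with notification
# (the "Enable Content" banner), 3 = signed macros only, 4 = disable all.
# Treating only 3 and 4 as acceptable is this example's baseline assumption.
SAFE_VBA = {3, 4}


def parse_reg_export(text: str) -> Dict[str, Dict[str, int]]:
    """Parse the subset of .reg syntax needed here: [key] sections followed by
    "name"=dword:hex lines. Returns {key_path: {lowercased_name: int}}."""
    keys: Dict[str, Dict[str, int]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
        if m and current is not None:
            keys[current][m.group(1).lower()] = int(m.group(2), 16)
    return keys


def audit_macro_policy(reg_text: str, version: str = "16.0") -> List[Tuple[str, str]]:
    """Return (app, finding) pairs for each Office application whose policy
    still lets a user enable macros or run macros from internet-sourced files."""
    keys = parse_reg_export(reg_text)
    findings: List[Tuple[str, str]] = []
    for app in OFFICE_APPS:
        path = r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\{}\{}\Security".format(version, app)
        values = keys.get(path, {})
        vba = values.get("vbawarnings")
        if vba not in SAFE_VBA:
            findings.append((app, "VBAWarnings={}: user can enable macros".format(vba)))
        if values.get("blockcontentexecutionfrominternet") != 1:
            findings.append((app, "blockcontentexecutionfrominternet not set: macros from internet files allowed"))
    return findings


if __name__ == "__main__":
    for app, finding in audit_macro_policy(SAMPLE_REG_EXPORT):
        print("{:<11} {}".format(app, finding))
```

Against the constructed export, Word passes, Excel is flagged twice (banner still offered, no internet block) and PowerPoint once (no VBAWarnings policy at all). Running the same audit against a real export from a workstation shows whether the group policy actually applied, which is the check a practitioner wants after rolling out a macro restriction.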
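The two observable points in the chain described above (an Office application launching cmd.exe or PowerShell, and a host checking in with one outside server on a fixed schedule) are what host and network monitoring should be looking for. The Python below is an added example written for this article, not DataSure24 or any IDS vendor's code: it runs two detection rules over a small, constructed log of process-creation and network-connection events in a simplified `timestamp type key=value` format assumed for the example. The parent-process list, the shell list and the beaconing thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List

# Constructed sample events (not from the article). The format is a flattened
# "<ts> <type> key=value ..." export assumed for this example; timestamps are
# seconds. WS01 shows the Office -> cmd.exe -> PowerShell chain and a 300 s
# check-in; WS02 shows ordinary, non-periodic activity.
SAMPLE_LOG = """\
1000 proc host=WS01 parent=WINWORD.EXE image=cmd.exe
1001 proc host=WS01 parent=cmd.exe image=powershell.exe
1002 proc host=WS02 parent=explorer.exe image=cmd.exe
1003 proc host=WS02 parent=svchost.exe image=WmiPrvSE.exe
1100 net host=WS01 dst=203.0.113.7:8080
1400 net host=WS01 dst=203.0.113.7:8080
1700 net host=WS01 dst=203.0.113.7:8080
2000 net host=WS01 dst=203.0.113.7:8080
1200 net host=WS02 dst=198.51.100.20:443
1330 net host=WS02 dst=198.51.100.20:443
1900 net host=WS02 dst=198.51.100.20:443
"""

# Assumed lists: document handlers that should never launch a shell, and the
# interpreters the macro stage in the article uses.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


def parse_events(text: str) -> List[dict]:
    """Turn each log line into a dict with 'ts', 'type' and its key=value fields."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        ev = {"ts": int(parts[0]), "type": parts[1]}
        for kv in parts[2:]:
            key, _, value = kv.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def office_spawning_shell(events: List[dict]) -> List[str]:
    """Rule 1: an Office application is the parent of a command interpreter,
    the macro -> cmd.exe step described in the article."""
    hits = []
    for ev in events:
        if ev["type"] != "proc":
            continue
        if ev["parent"].lower() in OFFICE_PARENTS and ev["image"].lower() in SHELLS:
            hits.append("{}: {} spawned {}".format(ev["host"], ev["parent"], ev["image"]))
    return hits


def beaconing_destinations(events: List[dict], min_conns: int = 4, max_jitter: float = 0.2) -> List[str]:
    """Rule 2: one host contacting one destination at near-constant intervals,
    the check-in pattern of command and control traffic. Flags a (host, dst)
    pair with at least min_conns connections whose inter-arrival times vary
    by no more than max_jitter (coefficient of variation) from their mean."""
    by_pair: Dict[tuple, List[int]] = defaultdict(list)
    for ev in events:
        if ev["type"] == "net":
            by_pair[(ev["host"], ev["dst"])].append(ev["ts"])
    hits = []
    for (host, dst), stamps in by_pair.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append("{} -> {}: {} connections every ~{:.0f}s".format(host, dst, len(stamps), avg))
    return hits


def detect(log_text: str) -> Dict[str, List[str]]:
    """Run both rules over a log export and return the findings per rule."""
    events = parse_events(log_text)
    return {
        "office_shell": office_spawning_shell(events),
        "beacons": beaconing_destinations(events),
    }


if __name__ == "__main__":
    for rule, findings in detect(SAMPLE_LOG).items():
        for finding in findings:
            print("[{}] {}".format(rule, finding))
```

On the constructed log the first rule fires once (WINWORD.EXE launching cmd.exe on WS01) and the second once (WS01 contacting 203.0.113.7:8080 every 300 seconds), while WS02's three irregular connections stay below the threshold. Correlating the two findings on the same host is what turns an IDS alert into the "accurate response" the paragraph describes: the process event identifies the infected machine and the network event identifies the server to block.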
Connect with a DataSure24 Cybersecurity Risk Expert
We offer a suite of Managed Security services, including vulnerability scanning and intrusion detection, as well as Disaster Avoidance/Recovery solutions for protecting data, maintaining availability, and keeping stakeholders connected. Further, we provide a variety of Security Awareness Training programs and services for making your employees a critical part of your company’s cybersecurity defense systems.