{"id":14836,"date":"2019-03-14T08:10:03","date_gmt":"2019-03-14T16:10:03","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2019\/03\/14\/news-8585\/"},"modified":"2019-03-14T08:10:03","modified_gmt":"2019-03-14T16:10:03","slug":"news-8585","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/03\/14\/news-8585\/","title":{"rendered":"Emotet revisited: pervasive threat still a danger to businesses"},"content":{"rendered":"

Credit to Author: Pieter Arntz| Date: Thu, 14 Mar 2019 15:00:00 +0000<\/strong><\/p>\n

One of the most common and pervasive threats for businesses today is Emotet<\/a>, a banking Trojan turned downloader that has been on our list of top 10 detections<\/a> for many months in a row. Emotet, which Malwarebytes detects as\u00a0Trojan.Emotet<\/a>, has been leveled at consumers and organizations across the globe, fooling users into infecting endpoints through phishing emails, and then spreading laterally through networks using stolen NSA exploits. Its modular, polymorphic form, and ability to drop multiple, changing payloads<\/a> have made Emotet a thorn in the side of cybersecurity researchers and IT teams alike.<\/p>\n

Emotet first appeared on the scene as a banking Trojan, but its effective combination of persistence and network propagation has turned it into a popular infection mechanism for other forms of malware, such as TrickBot<\/a>\u00a0and Ryuk<\/a> ransomware. It has also earned a reputation as one of the hardest-to-remediate infections once it has infiltrated an organization’s network.<\/p>\n

\"Emotet<\/a><\/p>\n

Emotet detections March 12, 2018 \u2013 February 23, 2019<\/p>\n<\/div>\n

In July 2018, the US Department of Homeland Security issued a Technical Alert<\/a> through CISA (Cyber-Infrastructure) about Emotet, warning that:<\/p>\n

\n

\u201cEmotet continues to be among the most costly and destructive malware affecting SLTT governments. Its worm-like features result in rapidly spreading network-wide infection, which are difficult to combat. Emotet infections have cost SLTT governments up to $1 million per incident to remediate.\u201d<\/p>\n<\/blockquote>\n

From banking Trojan to botnet<\/h3>\n

Emotet started out in 2014 as an information-stealing banking Trojan that scoured sensitive financial information from infected systems (which is the reason why Malwarebytes detects some components as Spyware.Emotet<\/a>). However, over time Emotet and its business model evolved, switching from a singular threat leveled at specific targets to a botnet that distributes multiple malware payloads to industry verticals ranging from governments to schools.<\/p>\n

Emotet was designed to be modular, with each module having a designated task. One of its modules is a Trojan downloader that downloads and runs additional malware. At first, Emotet started delivering other banking Trojans on the side. However, its modular design made it easier for its authors\u2014a group called Mealybug\u2014to adapt the malware or swap functionality between variants. Later versions began dropping newer and more sophisticated payloads that held files for ransom, stole personally identifiable information (PII), spammed other users with phishing emails, and even cleaned out cryptocurrency wallets.\u00a0All of these sidekicks were happy and eager to make use of the stubborn nature of this threat.<\/p>\n

Infection mechanism<\/h3>\n

We have discussed some of the structure and flow of Emotet’s infection vectors in detail here<\/a> and here<\/a> by decoding an example. What most Emotet variants have in common is that the initial infection mechanism is\u00a0malspam<\/a>. At first, infections were initiated from Javascript files attached to emails; later, (and still true today) it was via infected Word documents that downloaded and executed the payload.<\/p>\n

A considerable portion of Emotet malspam is generated by the malware’s own spam module that sends out malicious emails to the contacts it finds on an infected system. This makes the emails appear as though they’re coming from a known sender. Recipients of email from a known contact are more likely to open the attachment and become the next victim\u2014a classic social engineering technique<\/a>.<\/p>\n

Besides spamming other endpoints, Emotet also propagates through the popular EternalBlue vulnerability<\/a>\u00a0stolen from the NSA and released by the\u00a0ShadowBrokers Group<\/a>. This functionality allows the infection to spread laterally across a network of unpatched systems, which makes it even more dangerous to businesses that have hundreds or thousands of endpoints linked together.<\/p>\n

Difficult to detect and remove<\/h3>\n

Emotet has several methods for maintaining persistence, including auto-start registry keys and services, and it uses modular Dynamic Link Libraries (DLLs) to continuously evolve. Because Emotet is polymorphic and modular, it can evade typical signature-based detection.<\/p>\n

In fact, not only is Emotet difficult to detect, but also to remediate.<\/p>\n

A major factor that frustrates remediation is the aforementioned lateral movement via EternalBlue. This particular exploit requires admins follow a strict policy of isolating infected endpoints from the network, patching, disabling Administrative Shares, and ultimately removing the Trojan before reconnecting to the network\u2014otherwise, face the certainty that cleaned endpoints will become re-infected over and over by infected peers.<\/p>\n

Add to that mix an ongoing development of new capabilities, including the ability to be VM-aware, avoid spam filters<\/a>, or uninstall security programs, and you’ll begin to understand why Emotet is every networks administrators\u2019 worst nightmare.<\/p>\n

Recommended remediation steps<\/h3>\n

An effective, though time-consuming method for disinfecting networked systems has been established. The recommended steps for remediation are as follows:<\/p>\n