The news last month that Emotet had been disrupted would have been welcomed by those who have fallen victim to the malware. Having first surfaced in 2014 as a banking Trojan and now a botnet of infected systems, Emotet is estimated to have caused more than $2 billion in losses globally according to Ukrainian law enforcement.

We observed a noticeable increase in Emotet activity in the past few months on our client networks, as it manifested itself in spam email campaigns against public and private sector organisations and critical infrastructure.

We analysed 525 emails across 14 organisations that had received suspicious emails in December 2020 and January 2021. Although the majority of these emails were detected and quarantined by the respective mail gateways, they raised immediate concern because of their apparent targeted nature. It was Emotet.

This article looks at some of the indicators of compromise and ways to prevent or mitigate the impact of such malware, at a high level.

Indicators of compromise – what to look for

Emotet is highly automated and will target anyone. The majority of emails we reviewed had the same format, the attacker would change the display name to a known contact of the recipient organisation. This increases the success rate as recipients commonly rely on the display name, rather than checking the actual email address. We found that all emails were being sent from a variety of registered addresses on valid, compromised domains and via known spam forwarders.

A common trace or fingerprint throughout was a pasted header at the top of each email body, where the attacker would paste in the name and email address of the victim’s account:

BEGIN SAMPLE //

<br>

<br>

Spoofed Name

[email protected]

<br>

<br>

// END SAMPLE

94% of the emails hijacked legitimate conversations and threads, whereby users included in the original email exchanges were then targeted – either by having their name and address spoofed or being sent phishing emails directly. The spam was not limited to emails written in English either, we observed other languages being utilised where the malware targeted organisations across Europe.

All of the emails contained the same payload in the form of malicious attachments. These were either a Microsoft Office .doc file, or a compressed .doc file in a password encrypted zip. The passwords were provided in the email body.

6point6 ran dynamic malware analysis against the files which confirmed ties to Emotet. All files contained macros that attempted to make network connections to known Emotet botnet infrastructure, within Epoch 2.

The behaviour of Emotet has been well documented, but this writeup from Unit 42 does an excellent job at examining the infection network traffic.

Prevention

There are a number of measures your organisation can take in preventing Emotet and similar malware variants from infiltrating your networks. We recommend the following at a minimum, most of which are covered by Cyber Essentials Plus:

• Educate staff on the risks of phishing attacks and malicious links/attachments, in particular.  Bad actors will always get through, educating users offers the best return on investment in security.
• Utilise mail and web filters to block files commonly associated with malware and those that cannot be analysed by antivirus software (e.g. .exe and .zip files) and block suspicious IP addresses at the firewall. Gmail, which is free, flagged the vast majority as spam, how does your commercial mail filtering perform against Gmail?
• Deploy antivirus solutions on all end user devices and hosts within your environment. Any deployment of antivirus should consider the on-going requirement to maintain virus signature files and related updates.
• Adhere to the principle of least privilege, only give users the rights they need. Do they need admin rights to install programs, probably not.

Mitigations

If any of your systems have been affected you will need to take the following steps to mitigate the risk:

• Isolate those systems confirmed to be infected, from the network.
• Prevent any communications with a C2 server, use a managed DNS provider to identify and block calls to malicious domains.
• Lastly review current antivirus deployment and mail/web filtering solutions. You need to find out how they got in, close the gap and move forward.

Are you worried about your security posture? Let’s start the conversation to protect your business. 

Written by Carl Jordan, Senior Consultant