By Dan Piazza, Technical Product Manager, Stealthbits Technologies, Inc.
The Emotet malware, originally detected as a banking trojan in 2014, has become one of the most prevalent malware threats in 2020, and the economic fallout from an Emotet attack can range into millions of dollars (USD). Over the years Emotet has evolved well beyond a banking trojan and is typically delivered via phishing emails that turn infected hosts into bots and malware spreaders. Emotet is also no longer content simply executing its own malicious code – once a victim is infected, Emotet can download additional malware into the network, such as Ryuk or Trickbot.
However, the biggest threat Emotet brings is still the spread of ransomware throughout an organization – encrypting everything in its path and often exfiltrating sensitive data so the attacker can threaten the victim with a public leak of that information if the ransom isn’t paid.
Emotet is also quite hard to detect and eliminate. Emotet is polymorphic – meaning it constantly changes itself to maintain persistence and avoid signature-based detection by endpoint protection. It’s also modular, meaning components can easily be swapped in and out depending on what an attacker wants to achieve. Some variants act as ransomware, others target cryptocurrency wallets, and some may propagate botnets. Emotet is even aware of when it’s running inside a VM and will lie dormant to avoid detection in sandboxed environments – which security researchers use to observe and decompile malware in a safe space.
Coupled with a wide variety of attack techniques, one could say Emotet’s complexity and effectiveness make it “enterprise-grade” malware. Additional techniques used by Emotet include password grabbers, software packing, obfuscated files, network sniffing, process discovery, remote service exploits, command and control (C2) using non-standard ports, data exfiltration via C2 channels, and more. With its current feature set and ability to quickly evolve, the danger Emotet poses is clear.
Taking advantage of another recent malware trend, Emotet has also become a malware-as-a-service that’s sold to various threat actors on the dark web that otherwise may not have had the capability of developing such complex malware themselves. This opens the door to less-skilled attackers utilizing the power of Emotet, resulting in an even wider spread of the already prevalent malware. Add this to the malware “dropper” capabilities of Emotet, and it’s single-handedly keeping older malware variants alive, spreading, and prospering.
User Education – More Important Than Ever
Given that most Emotet infections start as phishing emails, this surge in matured Emotet attacks is a perfect example of why organizations need to continuously educate users on how to detect and avoid modern phishing emails. Although spam filters and other methods of blocking malicious messages should be in place for all organizations, it only takes one email to get through and successfully trick a user for Emotet to start moving laterally throughout a network and eventually escalate to domain admin rights. Emotet will also hijack legitimate, existing email threads once a host has been infected, so users need to be wary of every email they receive and not just new threads from fake or spoofed addresses.
Unfortunately, it’s inevitable that a user will eventually slip up, succumb to a phishing attack, and become infected. That’s when Emotet starts to move laterally through a network until it gains domain admin rights, which brings up two valuable points: limit special share access and keep all systems patched and up to date. Emotet, and the malware variants it delivers, often prefer to target the admin$, c$, and ipc$ shares to enumerate and move through a network. By limiting access to these shares to the absolute minimum, it’s possible to slow Emotet down and block its go-to infection routes. This should be coupled with ensuring all systems are running the latest updates provided by software and OS vendors, so known vulnerabilities are patched as they’re discovered rather than left open for exploitation.
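As an added illustration of the admin-share point above (not code from the article or from Stealthbits), the following Python script runs a simple lateral-movement detection over constructed Windows Security Event ID 5140 share-access records: it flags any source address and account that reaches the ADMIN$, C$ or IPC$ share on several distinct hosts within a short window, with an allowlist for sources such as backup servers whose fan-out is expected. Event 5140 is a real Windows audit event, but the flattened field layout, hostnames, addresses, accounts and thresholds here are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Event ID 5140 ("network share object was accessed") records, flattened
# to: timestamp, event id, logging host, source IP, account, share. Sample values only.
SAMPLE_EVENTS = r"""
2020-10-05T09:01:12 5140 WS-HR-03    10.10.1.15 CORP\jsmith     \\*\ADMIN$
2020-10-05T09:01:40 5140 WS-HR-04    10.10.1.15 CORP\jsmith     \\*\ADMIN$
2020-10-05T09:02:05 5140 SRV-FILE-01 10.10.1.15 CORP\jsmith     \\*\C$
2020-10-05T09:02:33 5140 SRV-FILE-02 10.10.1.15 CORP\jsmith     \\*\ADMIN$
2020-10-05T09:03:10 5140 SRV-FILE-01 10.10.1.22 CORP\mlee       \\*\Finance
2020-10-05T09:04:01 5140 WS-HR-03    10.10.1.50 CORP\svc_backup \\*\C$
2020-10-05T09:04:02 5140 WS-HR-04    10.10.1.50 CORP\svc_backup \\*\C$
2020-10-05T09:04:03 5140 SRV-FILE-01 10.10.1.50 CORP\svc_backup \\*\C$
2020-10-05T09:30:00 5140 WS-HR-05    10.10.1.30 CORP\itadmin    \\*\ADMIN$
2020-10-05T09:50:00 5140 WS-HR-06    10.10.1.30 CORP\itadmin    \\*\ADMIN$
"""

ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}   # the shares the article says Emotet favours
WINDOW = timedelta(minutes=10)            # how quickly distinct hosts must be touched
THRESHOLD = 3                             # distinct hosts inside WINDOW before alerting

def parse_event(line):
    """Split one flattened 5140 record; the share name is reduced to its last component."""
    ts, event_id, host, src_ip, account, share = line.split()
    return {"ts": datetime.fromisoformat(ts), "id": int(event_id), "host": host,
            "src": src_ip, "account": account, "share": share.rsplit("\\", 1)[-1].upper()}

def find_lateral_movement(events, allowlist=frozenset()):
    """One alert per (source IP, account) that reached THRESHOLD distinct hosts' admin
    shares inside WINDOW; allowlist holds source IPs whose fan-out is expected."""
    by_actor = defaultdict(list)
    for line in events.strip().splitlines():
        ev = parse_event(line)
        if ev["id"] != 5140 or ev["share"] not in ADMIN_SHARES or ev["src"] in allowlist:
            continue
        by_actor[(ev["src"], ev["account"])].append((ev["ts"], ev["host"]))
    alerts = []
    for (src, account), hits in by_actor.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):          # slide WINDOW over the sorted hits
            hosts = {h for ts, h in hits[i:] if ts - start <= WINDOW}
            if len(hosts) >= THRESHOLD:
                alerts.append({"src": src, "account": account, "hosts": sorted(hosts)})
                break                                   # one alert per actor is enough
    return alerts
```

In the sample data only the jsmith session trips the rule once the backup server is allowlisted; the itadmin session touches two hosts twenty minutes apart and stays under threshold.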
Limiting the Scope of Attacks
Cybersecurity software, such as privileged access management, can also limit the scope of what privileged sessions (that Emotet targets) can do by not only limiting access to resources but also by limiting which specific actions can be taken during these sessions. The goal of this workflow is to reduce the standing privilege in a network to zero, which drastically reduces the attack surface for Emotet and buys time for the security team to remove the threat once detected.
Emotet continues to be a major threat and source of stress for IT and security professionals everywhere; however, with proper preventative measures, it’s possible to halt it dead in its tracks.
About the Author
Dan Piazza is a Technical Product Manager at Stealthbits Technologies, responsible for File Systems and Sensitive Data in their Data Access Governance solution, StealthAUDIT. He’s worked in technical roles since 2013, with a passion for cybersecurity, data protection, storage, and automation. Stealthbits is a cybersecurity software company focused on protecting sensitive data and the credentials attackers use to steal that data.
Dan can be reached online at linkedin.com/in/danieljpiazza and at our company website https://www.stealthbits.com/