Technical Archives
Products and Services

The Emotet Threat Keeps Rolling On!

March 20, 2019

The Emotet Threat Keeps Rolling On!

Back in 2014, security researchers came across a new threatin the wild they dubbed Emotet.

Emotet started out its life as a banking trojan, that infectedtarget machines with a goal of silently stealing sensitive personal and financialinformation from its victims.

Almost five years on from this initial find, Emotet hasbecome one of the most active, costly and destructive malware families in the worldtoday.

Emotet is known as a ‘Trojan Virus’, and like the Trojan Horsein Greek history, it appears to be one thing on the surface while inside it’s somethingvery different. The trojans job is to first infect a target system by evading itssecurity defences, before unleashing the more malicious hidden payload it iscarrying inside.

One of the attractions for cyber criminals is itspolymorphic behaviour, that gives Emotet the ability to change itself every timea version of the malware is downloaded. This is one of its methods that is usedto evade detection by signature based Anti-Virus and Intrusion Preventionproducts.

Today, Emotet has evolved into far more than just a standardbanking trojan.

Emotet’s Evolution?

Due to its versatility it has become a favourite for cybercriminals in their efforts to improve the chance of successful infection of atarget. As described above, it no longer just seeks to deliver banking malware,its continued evolution sees the addition of newly developed modules thatallows it to remain an effective delivery platform for different types of malware.

Emotet primarily uses malspam campaigns to spread via email,typically containing a malicious email attachment, in the form a macro enabled MicrosoftOffice document. Following initial infection Emotet has the capability to stealpersonal information and online credentials, before launching its hiddenpayload.

Malicious payloads such as ransomware, Quakbot, TrickBot, Ursnif, Zeus Panda & IcedID are just a few that have been delivered using the Emotet family.

Once a target system has been infected, it uses moduleswithin the malware to spread throughout the network, via brute forcingtechniques and SMB exploits (such as DoublePulsar & EternalBlue), toconnect to and infect more servers and devices.

In addition to security evasion techniques, it can alsodetect when it is inside a malware analysis sandbox. And through its establishedCommand & Control infrastructure (C2), Emotet can receive instructions andsoftware updates, that can extend the capabilities of the malware or add furthermalicious payloads.

The below image shows how Emotet works (courtesy of US CERT website):

emotet_malware_figure_2

All this just helps the attackers stay ahead of the game andincreases the spread of the malware.

What can we do?

Although Emotet is a family of advanced malware, it’s not alldoom and gloom. There are things you can be doing to protect yourselves fromthe threat of infection.

Cisco Umbrella is the first line of defence against internet threats and is an effective first step in stopping an Emotet infection in its tracks.

With up to 500 newly generated malicious documents beinghosted on compromised websites every day, you need a solution that can dynamicallyprotect you.

Researchers at Cisco have developed a classifier to automaticallydetect and block these Malspam campaigns. By integrating this classifier intothe Cisco Security products such as Cisco Umbrella, we can actively protectagainst this threat.

As soon as Emotet is detected, Cisco Umbrella can blocktraffic at the IP or domain level, or alternatively send it to the IntelligentProxy for further inspection. You no longer need to wait for a connection to bemade or malware to be downloaded to detect the threat.

By using Cisco Umbrella, you can prevent your users, devicesand networks from ever establishing a connection to these bad domains or IPaddresses.

Investigate Console - baatzconsulting
Investigate Console - structure.thememove

At Ironshare we are actively using Cisco Umbrella to protectour customers from the threat of Emotet.

The images above show just a couple of examples of the compromised domains from Umbrella Investigate that have been blocked this year, preventing our customers from infection and almost certain compromise.

If you would like to find out more about how Cisco Umbrellacould protect your business or if you would like a free trial, please use thelink below to contact us.

Author

Stuart Hare is a Technologist with a passion for helping people in all aspects of IT & Cyber Security. Stuart is the Founder of Ironshare, an Information and Cyber Security company providing consultancy and managed services.

Samuel is a Security Analyst with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.

Joshua is working as a Managed Service Lead with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.

SUBSCRIBE

Ironshare is a provider of Information and Cyber Security services.

we went with; wizard pi