What is Emotet?
Emotet is high-risk malware designed to record personal data and proliferate other viruses. Research shows that Emotet infiltrates systems without users’ consent. After successful infiltration, this malware modifies system settings and uses the infiltrated computer to proliferate itself further.
A main feature of Emotet is to gather various sensitive information, including logins/passwords and browsing activity. Collected data often includes banking information. Therefore, the presence of Emotet can lead to serious privacy issues and significant financial losses (cyber criminals might abuse received data to transfer money or make various purchases). Malware distribution is also an issue. Emotet works as a trojan – it opens “backdoors” for other high-risk viruses (e.g., Dridex) to infiltrate the system. These additional viruses might be more dangerous. Therefore, having Emotet installed on your system can lead to a chain of system infections.
Emotet is also capable of connecting the infected computer to a botnet, which is used to proliferate spam emails that distribute this malware. In addition, this malware hides within system folders and registers itself as a ‘system service’, modifying Windows Registry settings so that it autoruns when the system is started. Emotet hides its tracks and, therefore, is virtually impossible for regular users to detect by chance. Nevertheless, if you suspect that Emotet is present, you should immediately scan the system with a legitimate anti-virus/anti-spyware suite. In fact, always have a reputable suite installed and running, and scan the system periodically.
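The paragraph above describes persistence through a registered service and Windows Registry autorun entries. The following PowerShell is an added example (not code from the original article) showing how an analyst can review those locations on a workstation: it enumerates the common Run/RunOnce keys and all Windows services and lists entries whose executable lives outside the Windows or Program Files directories. It is a generic triage check, not an Emotet-specific signature, and the directory whitelist is an assumption you may need to extend for legitimately installed software.

```powershell
# Added example (not from the original article): list autorun registry values
# and services whose binary sits outside the standard system directories.
# Generic persistence review for an analyst; anything it returns still needs
# manual verification.

function Get-ExecutablePath {
    param([string]$CommandLine)
    # Run values and service ImagePaths are command lines; extract the program path.
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($CommandLine -match '^\s*([^\s]+\.exe)') { return $Matches[1] }
    return ($CommandLine -split '\s+')[0]
}

function Test-TrustedLocation {
    param([string]$Path)
    # Assumed trusted roots: %SystemRoot% and both Program Files directories.
    $trusted = @($env:SystemRoot, ${env:ProgramFiles}, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ }
    foreach ($root in $trusted) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-SuspiciousAutoruns {
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        $item = Get-Item -Path $key -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            $exe = [System.Environment]::ExpandEnvironmentVariables((Get-ExecutablePath $cmd))
            if ($exe -and -not (Test-TrustedLocation $exe)) {
                [pscustomobject]@{ Source = $key; Name = $name; Path = $exe; Command = $cmd }
            }
        }
    }
    # Malware of this kind registers itself as a service, so review every
    # service whose binary is outside the trusted roots as well.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $exe = [System.Environment]::ExpandEnvironmentVariables((Get-ExecutablePath $_.PathName))
        if ($exe -and -not (Test-TrustedLocation $exe)) {
            [pscustomobject]@{ Source = 'Service'; Name = $_.Name; Path = $exe; Command = $_.PathName }
        }
    }
}

Get-SuspiciousAutoruns | Format-Table -AutoSize
```

Run it in an elevated session so the HKLM keys and all service definitions are readable; entries it lists are candidates for review against the software inventory, not automatic verdicts.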
There are dozens of trojans similar to Emotet, for example Adwind, Pony, Trickbot, and many others. Their behavior might differ slightly (in terms of information tracking, crypto mining, botnet connections, and similar), however, all of these viruses are extremely harmful and pose a direct threat to your privacy and Internet browsing safety.
Kenoobi Consulting recommends that organizations adhere to the following general best practices to limit the effect of Emotet and similar malware:
- Use a Group Policy Object to set a Windows Firewall rule that restricts inbound SMB communication between client systems. If using an alternative host-based intrusion prevention system (HIPS), consider implementing custom modifications for the control of client-to-client SMB communication. At a minimum, create a Group Policy Object that restricts inbound SMB connections to clients originating from clients.
- Use antivirus programs, with automatic updates of signatures and software, on clients and servers.
- Apply appropriate patches and updates immediately (after appropriate testing).
- Implement filters at the email gateway to filter out emails with known malspam indicators, such as known malicious subject lines, and block suspicious IP addresses at the firewall.
- If your organization does not have a policy regarding suspicious emails, consider creating one and specifying that all suspicious emails should be reported to the security or IT department.
- Mark external emails with a banner denoting that they come from an external source. This will assist users in detecting spoofed emails.
- Provide employees training on social engineering and phishing. Urge employees not to open suspicious emails, click links contained in such emails, or post sensitive information online, and to never provide usernames, passwords, or personal information in answer to any unsolicited request. Educate users to hover over a link with their mouse to verify the destination prior to clicking on the link.
- Consider blocking file attachments that are commonly associated with malware, such as .dll and .exe, and attachments that cannot be scanned by antivirus software, such as .zip files.
- Adhere to the principle of least privilege, ensuring that users have the minimum level of access required to accomplish their duties. Limit administrative credentials to designated administrators.
- Implement Domain-Based Message Authentication, Reporting & Conformance (DMARC), a validation system that minimizes spam emails by detecting email spoofing using Domain Name System (DNS) records and digital signatures.
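Two of the recommendations above are concrete enough to show in code: the Windows Firewall rule that blocks inbound SMB from other clients (first bullet) and a check that a domain publishes an enforcing DMARC policy (last bullet). The PowerShell below is an added example, not code from the original article or from Kenoobi Consulting. It uses the built-in NetSecurity and DnsClient cmdlets; the client subnets, the GPO name and the domain are placeholders you must replace.

```powershell
# Added example (not from the original article). Placeholders: client subnets,
# GPO policy store name and the domain checked for DMARC.

function Set-ClientSmbInboundBlock {
    param(
        # Address ranges that hold workstations. Inbound SMB from these ranges is
        # blocked, so one workstation cannot reach another over SMB, while file
        # servers and domain controllers outside these ranges keep working.
        [Parameter(Mandatory)] [string[]]$ClientSubnets,
        # Local firewall by default; pass "<domain>\<GPO name>" to write the
        # rule into a Group Policy Object instead.
        [string]$PolicyStore = 'PersistentStore'
    )
    $name = 'Block inbound SMB from client subnets'
    # Replace any earlier copy so the rule reflects the current subnet list.
    if (Get-NetFirewallRule -DisplayName $name -PolicyStore $PolicyStore -ErrorAction SilentlyContinue) {
        Remove-NetFirewallRule -DisplayName $name -PolicyStore $PolicyStore
    }
    # Block rules take precedence over allow rules in Windows Firewall, so this
    # overrides the default file-and-printer-sharing allow for these sources.
    New-NetFirewallRule -DisplayName $name -PolicyStore $PolicyStore `
        -Direction Inbound -Action Block -Protocol TCP -LocalPort 445,139 `
        -RemoteAddress $ClientSubnets -Profile Domain -Enabled True
}

function Test-DmarcRecord {
    param([Parameter(Mandatory)] [string]$Domain)
    # The DMARC policy is a TXT record at _dmarc.<domain>.
    $txt = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
        Where-Object { ($_.Strings -join '') -like 'v=DMARC1*' }
    if (-not $txt) {
        return [pscustomobject]@{ Domain = $Domain; Present = $false; Policy = $null; Enforcing = $false }
    }
    $record = ($txt | Select-Object -First 1).Strings -join ''
    $tags = @{}
    foreach ($pair in ($record -split ';')) {
        $kv = $pair.Trim() -split '=', 2
        if ($kv.Count -eq 2) { $tags[$kv[0].Trim()] = $kv[1].Trim() }
    }
    [pscustomobject]@{
        Domain    = $Domain
        Present   = $true
        Policy    = $tags['p']
        # Only quarantine or reject stop spoofed mail; p=none merely reports it.
        Enforcing = $tags['p'] -in @('quarantine', 'reject')
        ReportTo  = $tags['rua']
    }
}

# Usage (placeholder values; run in an elevated session for the firewall rule):
# Set-ClientSmbInboundBlock -ClientSubnets '10.10.0.0/16', '10.20.0.0/16'
# Set-ClientSmbInboundBlock -ClientSubnets '10.10.0.0/16' -PolicyStore 'corp.example\Workstation Firewall'
# Test-DmarcRecord -Domain 'corp.example'
```

Scoping the block to the client ranges, rather than blocking port 445 outright, is what keeps access to file servers and domain controllers intact; verify the subnet list against your IPAM before deploying through Group Policy. The DMARC check reports `Enforcing = $false` for a domain that publishes `p=none`, which satisfies the record's presence but does not actually stop spoofed mail.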
If a user or organization believes they may be infected, Kenoobi Consulting recommends running an antivirus scan on the system and taking action to isolate the infected workstation based on the results. If multiple workstations are infected, the following actions are recommended:
- Identify, shut down, and take the infected machines off the network;
- Consider temporarily taking the network offline to perform identification, prevent reinfections, and stop the spread of the malware;
- Do not log in to infected systems using domain or shared local administrator accounts;
- Reimage the infected machine(s);
- After reviewing systems for Emotet indicators, move clean systems to a containment virtual local area network that is segregated from the infected network;
- Issue password resets for both domain and local credentials;
- Because Emotet scrapes additional credentials, consider password resets for other applications that may have had stored credentials on the compromised machine(s);
- Identify the infection source (patient zero); and
- Review the log files and the Outlook mailbox rules associated with the infected user account to ensure further compromises have not occurred. It is possible that the Outlook account may now have rules to auto-forward all emails to an external email address, which could result in a data breach.
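The last step above calls for reviewing the infected user's Outlook mailbox rules for auto-forwarding to an external address. The PowerShell below is an added example, not code from the original article: it inspects inbox rule objects of the shape returned by `Get-InboxRule` in the ExchangeOnlineManagement module and reports any rule that forwards, forwards as attachment, or redirects mail to a domain outside the organisation, noting whether the rule also deletes the original. A constructed sample rule set is embedded so the logic runs offline; the internal domain and the mailbox names are placeholders.

```powershell
# Added example (not from the original article). Flags inbox rules that send
# mail to addresses outside the organisation's own domains.

function Get-RuleTargetAddresses {
    param($Rule)
    # Exchange formats recipients as: "Display Name" [SMTP:user@domain]
    $targets = @($Rule.ForwardTo) + @($Rule.ForwardAsAttachmentTo) + @($Rule.RedirectTo)
    foreach ($t in $targets) {
        if ($t -and ([string]$t -match '([\w.+-]+@[\w.-]+\.\w+)')) { $Matches[1].ToLower() }
    }
}

function Find-ExternalForwardingRules {
    param(
        [Parameter(Mandatory)] $Rules,
        [Parameter(Mandatory)] [string[]]$InternalDomains
    )
    foreach ($rule in $Rules) {
        $external = @(Get-RuleTargetAddresses $rule | Where-Object {
            ($_ -split '@')[1] -notin $InternalDomains
        })
        if ($external.Count -gt 0) {
            [pscustomobject]@{
                Mailbox     = $rule.MailboxOwnerId
                RuleName    = $rule.Name
                Enabled     = $rule.Enabled
                ExternalTo  = $external -join ', '
                # A rule that deletes after forwarding hides the activity from the owner.
                DeletesCopy = [bool]$rule.DeleteMessage
            }
        }
    }
}

# Constructed sample standing in for Get-InboxRule output (not real data).
$sampleRules = @(
    [pscustomobject]@{ MailboxOwnerId = 'alice@corp.example'; Name = 'Team updates'
        Enabled = $true; ForwardTo = @('"Bob" [SMTP:bob@corp.example]')
        ForwardAsAttachmentTo = @(); RedirectTo = @(); DeleteMessage = $false },
    [pscustomobject]@{ MailboxOwnerId = 'alice@corp.example'; Name = 'Archive'
        Enabled = $true; ForwardTo = @('"Archive" [SMTP:collector@mail-drop.example]')
        ForwardAsAttachmentTo = @(); RedirectTo = @(); DeleteMessage = $true }
)
# Expected: only the 'Archive' rule is reported, with DeletesCopy = True.
Find-ExternalForwardingRules -Rules $sampleRules -InternalDomains 'corp.example' | Format-Table -AutoSize

# Against a live tenant (after Connect-ExchangeOnline), review every mailbox:
# $rules = Get-Mailbox -ResultSize Unlimited |
#     ForEach-Object { Get-InboxRule -Mailbox $_.UserPrincipalName }
# Find-ExternalForwardingRules -Rules $rules -InternalDomains 'corp.example'
```

Inbox rules are only one forwarding path; mailbox-level forwarding (`Get-Mailbox` properties `ForwardingSmtpAddress` and `ForwardingAddress`) should be reviewed for the same accounts, and any external rule found should be disabled and the mailbox owner's credentials reset as the earlier steps describe.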
How Kenoobi Consulting can help
Kenoobi Consulting blocks Emotet infections before they have a chance to start. Kenoobi’s unique protection provides customers with powerful defense in depth against Emotet:
- Machine-learning-powered file analysis blocks Emotet payloads regardless of whether they’re new samples or variations.
- Behavior-based analysis prevents malicious Office documents from retrieving the Emotet payload to begin with.