Emotet: Crimeware you need to be aware of
According to the U.S. Department of Homeland Security, Emotet continues to be among the most costly and destructive malware threats affecting state, local, and territorial governments and its impact is felt across both the private and public sectors.
First identified as a banking Trojan in 2014 by Trend Micro, Emotet is often downplayed by network defenders as “commodity malware” or “crimeware”. The evolution of both the malware and the criminal network behind it continue to make it an elusive and impactful threat, continually evading antivirus and other security technologies to infect victims.
Simply put, Emotet is not a run-of-the-mill crimeware and therefore should not be underestimated. Emotet is defined by the constant investment that its operators put into continually developing technologies to defeat defensive measures.
In the past weeks we’ve seen massive changes from the malware packer to internal crypto, to new network command and control designs roll out. In addition to growing technical sophistication, Emotet plays a large and growing role in the criminal ecosystem. The better organizations can understand the evolution and role that Emotet plays, the better equipped they’ll be to protect themselves from becoming the next victim (or the better they’ll be prepared to respond if they have already fallen prey).
The criminal ecosystem
In the current criminal ecosystem, the best way to think about Emotet is as a primary provider of access to victims for multiple other large criminal actors and organizations. As such, an Emotet infection can’t be treated as a single event or incident, because Emotet is often the tip of the spear where access is provided or re-sold to other criminal groups, to conduct data theft and/or ransomware attacks against victims.
In the last month, the cybercriminals behind the Emotet infection have changed the ways they launch these types of attacks and how they evade detection. One technique is by simply swapping a .doc file with a .docx, which can make static detection of maldocs more difficult due to the compression native in the .docx format. This high-level change, combined with smaller changes in how their binary packer, command and control, embedded OLE objects, process names and powershell obfuscation are occurring, make tracking them and writing defensive signatures an ongoing challenge.
Additionally, they have become a part of the news cycle around the global health crisis: the Wuhan coronavirus. Through semi-targeted phishing campaigns, the attackers impersonate the CDC by sending fake emails with links and dangerous documents that then infect those who fall for the scam with the Emotet Trojan.
It is crucial that individuals and organizations of all sizes take this threat seriously and understand that no one is immune to falling victim. These threat actors don’t discriminate and are going to continue to look for new ways to profit off ransoms and theft by targeting anyone in their path. By having a variety of techniques, it’s harder for companies to track Emotet and detect it unless they have the right tools in multiple places.
Emotet malware: Layered defense
As their strategies become more apparent, and as new technologies are implemented to fend off Emotet, we can expect to see new techniques arise from threat actors (and in fact we have seen a round of back and forth in the last week between Emotet and JPCERT). Because of this, the best game plan for organizations to reduce their risk is by taking a proactive and layered approach.
Should an organization fall victim, the best response is a quick one. In these types of intrusion events, it is common to see the attackers gain initial access and seamlessly pass off the access to other criminal organizations, which expands the reach, depth and impact of an infection. This ends up a lot like having a house guest that won’t leave and then invites their awful and more destructive friends to the party.
The worst-case scenario for larger organizations in a successful Emotet infection is one that denies access to the environment and demands a ransom. Ransomware is estimated to have a global damage impact that cost organizations billions in 2019, so the sooner an organization is able to detect the infection, the better off they will be.
While antivirus remains critical, it is not bulletproof. Therefore, a strong multi-layered approach to defense includes an endpoint detection, a backup and response strategy, and a network monitoring capability. If an employee falls victim to a phishing scam, anti-malware protections are necessary to help contain the initial infection. However, if and when these fail, more advanced behavioral technologies can help detect these types of malware.
In addition to multiple layers of endpoint security, network visibility and network security monitoring allow organizations to have a deeper understanding of what and – more importantly – who has access to the network. Network visibility provides organizations with the ability to keep a constant eye on network traffic from endpoints to the internet and between each other. The more in-depth, proactive and extensive an organization’s network visibility capabilities are, the more likely they are to detect an infection early or catch lateral movement (the infection spreading between computers) before it turns into a widespread ransom event.
A communal approach
Beyond commercial technologies and companies, there is a communal approach that should be pointed out and which deserves credit as the main line of defense against Emotet.
Research groups and organizations are working together to disrupt Emotet’s activities and we want to name a few of them here:
- Abuse.ch, a non-profit that works to help internet service providers and network operators protect their infrastructure from malware (and hosts one of the best threat intelligence feeds with current Emotet indicators)
- Hatching.io, an up-and-coming sandbox provider
- CAPE sandbox
- Cryptolaemus (and those who support them), a research group specifically focused on fighting Emotet.
The individuals and researchers that are part of these groups spend countless (and often unpaid) hours fighting this particular criminal actor, which helps protect the millions of people targeted by this threat actor.
As the industry looks to predict the future of the Emotet botnet, organizations must continue to educate themselves about sophisticated threats. When we understand how threat actors are using the malware and what their technical capabilities are, we will all be in a better position to protect our organizations, and the sensitive data that lives within the infrastructure.