One of the most active malware threats in the past few years, Emotet (also referred to as Heodo or Geodo), has been recently seen in new phishing spam campaigns, after a five-month pause in activity. When it was initially spotted in 2014, it acted as a botnet that stole banking credentials. Now used as a backdoor, Emotet loads third-party payloads and modules used for spam, stealing credentials, email harvesting and spreading across local networks, according to Proofpoint researchers.
Researchers have observed Emotet installing a Trojan known as TrickBot, a type of advanced malware that infects Windows machines. TrickBot can download modules that attempt to spread laterally through your network, steal Active Directory databases, harvest login credentials from browsers, steal RDP (Remote Desktop Protocol) credentials and OpenSSH keys and more, according to BleepingComputer.
It has also been known to allow attackers access to infected networks, enabling them to install certain types of ransomware by opening up a reverse shell. Emotet has been noted as an initial entry point linked to the eventual infection of the Ryuk ransomware, often a few weeks later in the infection chain. This indicates different attackers may be collaborating on techniques to move throughout victims’ environments. Ryuk is a type of crypto-ransomware first discovered in August 2018, targeting enterprises while asking for large Bitcoin ransom payments, according to Malwarebytes.
How Does Emotet Spread?
Like many other types of ransomware and malware, Emotet typically begins with a phishing email sent to a user, with the most common subjects referring to transactions, payments or invoices. The email body content similarly refers to missed or upcoming payments and financial statements, conveying a sense of urgency and importance as all good phishing emails do. Finally, Microsoft Word document attachments with macros and malicious URLs contain downloaders that attempt to download the Emotet payload.
According to SiliconAngle, campaigns also involve a malicious Microsoft Office document that presents an Office 365 error to the user. After the user approves running the macros, the code launches PowerShell to retrieve Emotet from a compromised site.
The use of legitimate, existing tools in a Windows environment like PowerShell is known as a Living-off-the-Land technique that attackers employ to evade common detection tools and hide their activity. PowerShell accounted for 22% of all dual-use tools used as malware downloaders, according to a Symantec analysis, with Windows Management Instrumentation (WMI) and the command line tool as the three top tools used by attackers for malicious means.
Back in April, Blumira’s security team detected a PowerShell execution policy bypass attempt, which we detailed in Analysis of a Threat: PowerShell Malicious Activity. Our on-demand webinar, Windows Logging Tips for Better Threat Detection also gives you some free guidance on getting visibility into your Windows environment.
Protecting Against Emotet
To detect and protect against malware like Emotet, organizations can use email security technology like Proofpoint Advanced Threat Protection to help detect known threats, malicious attachments and unsafe URLs (specifically, with Proofpoint Targeted Attack Protection). Or, use a sandbox security platform like Palo Alto Networks Wildfire that integrates with your next-generation firewall to detect and analyze known or unknown attacks, including malware.
Other security tools you could use for an additional layer of defense, according to Blumira’s Director of Security Mike Behrmann, include cloud-based, next-generation antivirus (NGAV) that can help you identify threats faster based on behavioral detection.
Integrated Security for Advanced Threat Detection & Response
Blumira easily integrates with both Proofpoint and PAN. That means when you connect these tools with Blumira’s cloud SIEM platform, you can start sending logs and events to us for parsing and analysis.
Our pre-built detection rules identify any attacker techniques or malware that matches either Emotet’s profile or that of the malware and ransomware that can follow as a result (including lateral movement or any indicators of stolen credentials and unauthorized access attempts). Then we alert your team and provide a playbook on how to respond, block the threat, or next steps for remediation.
To keep our platform up to date on the latest threats, Blumira ingests many different types of data feeds. One of the many threat intelligence feeds we use is Abuse.ch’s Feodo Tracker that includes blocklists of malicious botnet servers associated with Dridex, Emotet/Heodo.
To protect against attacks like Emotet, your security team needs to automate their threat detection, investigation, analysis and response. Blumira helps surface the most important findings with contextual evidence to save your team the time to go into every security tool and pull information, then decide what to do next. We automate the incident response process to provide both visibility and speed for security operations so you can better protect your organization against malware attacks.