Emotet Malware Campaign

Published on 20 Dec 2019

Updated on 20 Dec 2019

Background

There are reports of an ongoing Emotet malware campaign against businesses and organisations. Emotet was first discovered as a banking Trojan designed to steal financial information. Victims are infected after clicking on embedded hyperlinks or opening document attachments in malicious emails; either action downloads the Emotet malware. The malware then uses the victim's email account to send out further phishing emails, spreading itself to the victim's contacts.

Later versions of Emotet also act as a loader that delivers additional malware to infected machines. One of the most common secondary payloads is the Trickbot Trojan, which allows an attacker to harvest emails and credentials, move laterally within a network, and deploy other malware across the infected network. Newer Emotet variants can also evade anti-virus detection when signature definitions are not kept up to date. Once a machine is infected, the malware establishes persistence and attempts to propagate across the local network.

Globally, there have been reported cases of Emotet infections that led to ransomware attacks.

Recommendations

Staying vigilant is key to avoiding an Emotet infection. Users are reminded not to click on links or open attachments in suspicious-looking emails from unknown or unsolicited senders. In addition, users are recommended to take the following measures to strengthen the protection of their systems against Emotet:

1. Use an Anti-Virus Software

Most commercial anti-virus products can detect and block known variants of Emotet and its secondary payloads, such as Trickbot. Use an anti-virus product with automatic updates of both signatures and the software itself, and perform a full scan of your machine(s) regularly. Bear in mind that a newly released variant may not be detected until the vendor ships updated signatures, so anti-virus should not be relied on as the only control.

2. Update Your Software Regularly

Keep the operating system and installed software on your machine(s) updated with the latest security patches. Unpatched vulnerabilities are one of the ways malware gains a foothold on a machine and spreads to others on the network.

3. Enable Microsoft Office macros only when required

In most cases, Emotet's initial infection is via a macro embedded in a Microsoft Office document, delivered either as an email attachment or through a link (including links inside PDF attachments). Users are advised to set security policies that disable macros by default, and to allow macro execution only where it is genuinely required, for example by permitting only digitally signed macros from trusted publishers and blocking macros in documents downloaded from the internet, to reduce the likelihood of initial access via this method.
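The macro policy described above can be applied through the Office Group Policy templates, which write to the per-user Office policy registry keys. The following PowerShell script is an added example, not part of the advisory, that sets those keys directly for Word, Excel and PowerPoint and then reads them back to confirm the policy is in effect. It assumes Office 2016/2019/Microsoft 365 (policy key version 16.0) and that it is run as the user being configured; for a fleet, push the same values via Group Policy instead of running this per machine.

```powershell
# Added example (not from the advisory): apply and verify an Office macro policy
# through the per-user Office policy registry keys (the same keys the Office
# Group Policy templates write). Assumes Office 2016/2019/365 (key version 16.0)
# and that the script runs as the user being configured (HKCU).

$officeVersion = '16.0'
$apps = 'Word', 'Excel', 'PowerPoint'

# VBAWarnings: 1 = enable all, 2 = disable with notification (Office default),
# 3 = disable all except digitally signed macros, 4 = disable all without notification.
# blockcontentexecutionfrominternet = 1 blocks macros in files carrying
# Mark-of-the-Web (downloaded from the internet / email), regardless of VBAWarnings.
$desired = @{
    VBAWarnings                       = 3
    blockcontentexecutionfrominternet = 1
}

function Set-OfficeMacroPolicy {
    foreach ($app in $apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in $desired.Keys) {
            Set-ItemProperty -Path $key -Name $name -Value $desired[$name] -Type DWord
        }
    }
}

function Test-OfficeMacroPolicy {
    # Emits one row per application so the result can be reviewed or exported to CSV.
    foreach ($app in $apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"
        $current = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Application       = $app
            VBAWarnings       = $current.VBAWarnings
            BlockFromInternet = $current.blockcontentexecutionfrominternet
            Compliant         = ($current.VBAWarnings -eq $desired.VBAWarnings) -and
                                ($current.blockcontentexecutionfrominternet -eq $desired.blockcontentexecutionfrominternet)
        }
    }
}

Set-OfficeMacroPolicy
Test-OfficeMacroPolicy | Format-Table -AutoSize
```

Once a value is set under the Policies hive, the corresponding option is greyed out in the Office Trust Center, so users cannot re-enable macros themselves. Choose VBAWarnings = 4 instead of 3 for users who have no legitimate need for macros at all.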

4. Set Email Filters

Organisations are recommended to implement filters at the email gateway that block emails carrying known malware-spam indicators (such as the sender addresses, attachment types and file hashes associated with the campaign), and to block the associated IP addresses at the firewall. Suspicious-looking emails should be reported to the IT department for isolation and investigation. Regularly review mailbox rules in Outlook and on the mail server: a rule that auto-forwards all email to an external address, whether set by a user or planted by an attacker, would result in a data breach following an infection.
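The mailbox-rule review above can be automated. The following PowerShell script is an added example, not part of the advisory, that enumerates every mailbox in an Exchange Online tenant for two kinds of forwarding: mailbox-level forwarding set through admin tooling, and user-level inbox rules that forward or redirect mail. It assumes the ExchangeOnlineManagement module is installed and the account used holds at least the View-Only Recipients role; the output file name is an arbitrary choice.

```powershell
# Added example (not from the advisory): audit Exchange Online for mailbox
# forwarding and inbox rules that forward or redirect mail. Assumes the
# ExchangeOnlineManagement module is installed and an account with at least
# the View-Only Recipients role. The CSV path is an arbitrary example.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

function Get-MailForwardingFindings {
    $mailboxes = Get-Mailbox -ResultSize Unlimited

    foreach ($mbx in $mailboxes) {
        # 1. Mailbox-level forwarding: set via admin tooling (or stolen admin credentials),
        #    invisible to the user in Outlook.
        if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
            [pscustomobject]@{
                Mailbox  = $mbx.PrimarySmtpAddress
                Source   = 'MailboxForwarding'
                RuleName = $null
                Target   = "$($mbx.ForwardingSmtpAddress) $($mbx.ForwardingAddress)".Trim()
                KeepCopy = $mbx.DeliverToMailboxAndForward
            }
        }

        # 2. Inbox rules: what a phished user, or malware running in their session, can create.
        Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress -ErrorAction SilentlyContinue |
            Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
            ForEach-Object {
                [pscustomobject]@{
                    Mailbox  = $mbx.PrimarySmtpAddress
                    Source   = 'InboxRule'
                    RuleName = $_.Name
                    Target   = (@($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo)) -join ';'
                    # A rule that forwards AND deletes hides the leak from the mailbox owner.
                    KeepCopy = -not $_.DeleteMessage
                }
            }
    }
}

$findings = Get-MailForwardingFindings
$findings | Export-Csv -Path .\mail-forwarding-audit.csv -NoTypeInformation
$findings | Format-Table -AutoSize
```

Rows whose Target is outside the organisation's domains, or whose KeepCopy is False, deserve immediate attention; a confirmed malicious rule is removed with Disable-InboxRule or Remove-InboxRule. To stop users and malware from creating external auto-forwarding in the first place, set AutoForwardEnabled to $false on the default remote domain (Set-RemoteDomain Default -AutoForwardEnabled $false).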

5. Disable Unnecessary Services

Emotet often takes advantage of exposed or unpatched network services to spread to other computers on the network; the Remote Desktop Protocol (RDP) is one such example. Users are recommended to disable such services where they are not required, so that the malware cannot abuse them, and to restrict and patch those that must remain enabled.
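The following PowerShell script is an added example, not part of the advisory, showing how to disable inbound Remote Desktop on a Windows host in a way that survives later configuration changes, and how to verify that nothing is still listening. It assumes Windows 10 / Windows Server 2016 or later and an elevated session run from the console (not over the RDP session being disabled).

```powershell
# Added example (not from the advisory): disable inbound Remote Desktop on a
# Windows host and verify the result. Assumes Windows 10 / Server 2016 or later
# and an elevated PowerShell session on the local console.

function Disable-RemoteDesktop {
    # 1. Tell Terminal Services to refuse incoming connections.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
        -Name fDenyTSConnections -Value 1 -Type DWord

    # 2. Close the firewall: the built-in "Remote Desktop" rule group opens TCP/UDP 3389.
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'

    # 3. Stop and disable the service so a later registry or GUI change cannot
    #    silently bring the listener back.
    Stop-Service -Name TermService -Force -ErrorAction SilentlyContinue
    Set-Service  -Name TermService -StartupType Disabled
}

function Test-RemoteDesktopDisabled {
    $deny   = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server').fDenyTSConnections
    $fwOpen = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Where-Object { $_.Enabled -eq 'True' }
    $listen = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ConnectionsDenied = ($deny -eq 1)
        FirewallClosed    = (-not $fwOpen)
        NotListening      = (-not $listen)
    }
}

Disable-RemoteDesktop
Test-RemoteDesktopDisabled
```

All three fields should report True. Where RDP is genuinely required, do the opposite of step 2 selectively: keep Network Level Authentication enabled (UserAuthentication = 1 under the WinStations\RDP-Tcp key), restrict the firewall rule's RemoteAddress to the management subnet, and make sure the accounts allowed to log on remotely have strong, unique passwords.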

6. Install Application Control

Users can consider installing application control software that provides application and/or directory whitelisting. This allows only approved programs to run and blocks everything else, including payloads dropped into user-writable locations such as the user profile or temporary folders, and is a good security practice for protecting a computer system.
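Windows ships with such a control in the form of AppLocker. The following PowerShell script is an added example, not part of the advisory, that builds an allow-list from the executables and scripts already installed in the standard system directories, deploys it in audit-only mode so that would-be blocks are logged rather than enforced, and tests a path against the policy. It assumes an edition that enforces AppLocker (Windows 10 Enterprise/Education or Windows Server), an elevated session, and an arbitrary output path for the policy file.

```powershell
# Added example (not from the advisory): generate an AppLocker allow-list from
# the standard system directories, deploy it in audit-only mode, and test a path
# against it. Assumes an AppLocker-capable Windows edition, an elevated session,
# and an arbitrary policy file path.

$policyPath = 'C:\Policies\applocker-audit.xml'
New-Item -ItemType Directory -Path (Split-Path $policyPath) -Force | Out-Null

function New-AuditAllowList {
    # Inventory what is installed in locations only administrators can write to.
    $fileInfo = foreach ($dir in 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)') {
        Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Script -ErrorAction SilentlyContinue
    }

    # Prefer publisher rules (they survive vendor updates); fall back to file hashes
    # for unsigned binaries. -Optimize merges redundant rules.
    $xml = $fileInfo | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml

    # New-AppLockerPolicy emits EnforcementMode="NotConfigured"; switch each rule
    # collection to AuditOnly so blocks are logged (event 8003) without breaking users.
    $xml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"' |
        Set-Content -Path $policyPath -Encoding UTF8
}

function Install-AuditAllowList {
    # The Application Identity service must be running for AppLocker to evaluate rules.
    sc.exe config appidsvc start= auto | Out-Null
    Start-Service -Name AppIDSvc
    Set-AppLockerPolicy -XmlPolicy $policyPath
}

function Test-PathAgainstPolicy {
    param([string]$Path)
    # Reports whether the file at $Path would be Allowed or Denied for Everyone.
    Test-AppLockerPolicy -XmlPolicy $policyPath -Path $Path -User Everyone
}

New-AuditAllowList
Install-AuditAllowList
# A system binary should be Allowed; a file in a user-writable location (e.g. a
# document-dropped payload under %LOCALAPPDATA%) should be DeniedByDefault.
Test-PathAgainstPolicy -Path "$env:windir\System32\notepad.exe"
```

Run in audit mode for a few weeks and review the "Microsoft-Windows-AppLocker/EXE and DLL" event log for 8003 events (what would have been blocked); add rules for legitimate line-of-business software that appears there, then change AuditOnly to Enabled in the policy file and redeploy. Note that scripts launched via cscript/wscript/PowerShell fall under the Script collection, which is why the example includes that file type.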

7. Perform File Backups Regularly

As an Emotet infection may also lead to ransomware, it is important to maintain regular data backups so that data can be recovered in the event of an infection. Because ransomware commonly encrypts connected storage devices and network shares as well as the local disk, ensure that backups are stored offline or are physically disconnected when not in use, and periodically test that they can actually be restored.

References

https://www.us-cert.gov/ncas/alerts/TA18-201A
https://www.cyber.gov.au/threats/advisory-2019-131a-emotet-malware-campaign