Emotet Malware – A Guide to the Banking Trojan

June 11, 2019 10:19 am Geraldine Strawbridge

Emotet is a highly sophisticated and destructive malware that is causing huge problems for organisations around the world.

Emotet first emerged in 2014 as a banking Trojan designed to steal banking credentials and other sensitive data. However, within the last 5 years, the malware has rapidly evolved into one of the world’s most dangerous cyber threats.

According to a US Homeland Security alert published in 2018, “Emotet continues to be among the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors. It’s difficult to combat and Emotet infections have cost SLTT governments up to $1 million per incident to remediate.”

Why is Emotet so dangerous?

Emotet uses its worm-like capabilities to rapidly spread to other connected computers on a network. This means that the infection can spread like wildfire across an organisation without any user interaction.

It has also gained new functionality to make it even more menacing. Emotet can add an infected machine to a botnet to perform DDoS attacks or it can be blended with other forms of ransomware for maximum destruction.

The malware is extremely versatile and is being adopted by many cyber groups due its polymorphic behaviour. It can effectively change itself every time it’s downloaded to evade signature-based Anti-Virus detection.

There has been a massive spike in Emotet attacks across the world, and in February 2018, the city of Allentown, Pennsylvania was brought to its knees when it was attacked with the self-replicating malware.

Some of the city’s financial and public systems had to be shut down and the attack is reputed to have cost the city around $1 million in damages.

How does Emotet infect machines and spread?

The majority of Emotet infections start with a simple Phishing email. The email may appear to come from a legitimate source with the official branding and logos of a well-known company. As with all phishing emails, the ultimate aim is to pressurise the recipient into clicking a malicious link or to download an attachment.

As soon as the recipient clicks on the link or opens a file, they will unwittingly be enabling macros that initiate the infection process. As soon as the device is infected, Emotet will start trying to spread to other devices on the network.

Emotet will scan through contacts lists and start bombarding everyone on the list with malicious emails. As the email appears to come from a trusted source, users will be more inclined to click on the accompanying links or open an attachment.

If a connected network is present, Emotet will attempt to spread using brute force attack. It will try different combinations of usernames and passwords to see if it can access the network this way.

Another way Emotet propagates is through exploiting Eternal Blue/Double Pulsar Vulnerabilities. These are the same vulnerabilities that were exploited in the infamous WannaCry and NotPetya attacks that caused huge global disruption.

What can you do to prevent Emotet infection?

  • Keep your software up to date with the latest security patches from Microsoft – Emotet will often take advantage of the Windows Eternal Blue Vulnerability. Regular patching will fix security vulnerabilities, remove outdated features and update drivers.
  • Follow good security practices to minimise the risk of infection – Avoid clicking on links or downloading attachments from unknown sources. Red flags can include: a generic greeting, poor grammar, threatening language, a mismatched URL, spelling mistakes, claims of prizes or a request for sensitive information such as a username or password.
  • Cyber Security awareness training – Emotet infections rely heavily on a user opening a phishing email. To ensure that employees can effectively recognise these threats, it’s vital they receive regular cyber security awareness training. The training will help staff defend your organisation and reduce the likelihood of networks becoming infected with Emotet.
  • Use Anti-virus software – Emotet has been highly successful in avoiding detection from many forms of anti-virus software solutions. However, it’s still to vital invest in a trust worthy anti-virus solution that uses behaviour blocking technology in addition to signature-based protection.
  • Create a strong and complex password – A strong password should be between 8-15 characters long, a mix of uppercase and lowercase letters and include numbers or symbols. A passphrase can also be used to memorise longer and more complex passwords. To make the passphrase secure: Use an easy to remember but random phrase, add spaces, substitute letters with numbers and add extra characters to make it even more secure.
  • Use Two Factor-Authentication (2FA) – Two-Factor-Authentication adds an additional layer of security to the authentication process by making it harder for a hacker to gain access to a person’s device. In addition to a password, two-factor authentication requires a second piece of information to confirm the user’s identity.
  • External email banner – Use an email banner to notify employees that an email has come from an external source.
  • Block questionable files and attachments – Consider blocking attachments that are commonly associated with malware, such as .dll and .exe, and attachments that cannot be scanned by antivirus software, such as .zip files.

How to remove Emotet from an infected device

As we’ve seen above, Emotet can rapidly spread to other computers connected to the network unless it’s contained and eradicated as quickly as possible. If you believe your device or network has been compromised by Emotet, you should immediately take the following steps:

  • Run an anti-virus scan on the system and take action to isolate any infected computers based on the results.
  • Identify, shutdown, and take any infected computers off the network.
  • Consider temporarily taking the network offline to stop the spread of malware.
  • Identify the infection source.
  • Clean each computer one by one to prevent being re-infected.
  • Change and update passwords for domain and local credentials.

Phishing is the number one cause of all cyber-attacks and continues to prove one of the easiest ways to steal valuable data and deliver ransomware. MetaPhish has been created to provide a powerful defence against these threats and enables organisations to find out just how susceptible their company is to phishing. Get in touch for further information on how MetaPhish can be used to protect your business.