Emotet is a highly sophisticated and destructive malware that is causing huge problems for organisations around the world.
Emotet first emerged in 2014 as a banking Trojan designed to steal banking credentials and other sensitive data. However, within the last 5 years, the malware has rapidly evolved into one of the world’s most dangerous cyber threats.
According to a US Homeland Security alert published in 2018, “Emotet continues to be among the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors. It’s difficult to combat and Emotet infections have cost SLTT governments up to $1 million per incident to remediate.”
Emotet uses its worm-like capabilities to rapidly spread to other connected computers on a network. This means that the infection can spread like wildfire across an organisation without any user interaction.
It has also gained new functionality to make it even more menacing. Emotet can add an infected machine to a botnet to perform DDoS attacks or it can be blended with other forms of ransomware for maximum destruction.
The malware is extremely versatile and is being adopted by many cyber groups due to its polymorphic behaviour: it can effectively change itself every time it is downloaded in order to evade signature-based antivirus detection.
There has been a massive spike in Emotet attacks across the world, and in February 2018 the city of Allentown, Pennsylvania, was brought to its knees when it was attacked with the self-replicating malware.
Some of the city’s financial and public systems had to be shut down and the attack is reputed to have cost the city around $1 million in damages.
The majority of Emotet infections start with a simple phishing email. The email may appear to come from a legitimate source, complete with the official branding and logos of a well-known company. As with all phishing emails, the ultimate aim is to pressurise the recipient into clicking a malicious link or downloading an attachment.
Once the recipient clicks the link or opens the file, they unwittingly enable the macros that start the infection process. As soon as the device is infected, Emotet begins trying to spread to other devices on the network.
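Because the infection chain described above depends on a macro-enabled Office attachment being opened, one practical gateway control is to classify attachments by content rather than by file name. The following Python is an added example, not code from the original post or from the MetaPhish product; it checks whether an Office Open XML container carries a VBA project part and flags legacy OLE2 documents (where this simple check cannot rule macros out) as suspicious. The sample documents it builds are constructed in memory for the demonstration and are not real Word files.

```python
import io
import zipfile

# File signatures of the two Office container formats (real magic bytes).
OOXML_MAGIC = b"PK\x03\x04"                       # zip container: .docx/.docm/.xlsx/.xlsm
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary: .doc/.xls


def classify_office_attachment(data: bytes) -> str:
    """Classify attachment bytes by content, ignoring the (untrusted) file name.

    Returns one of:
      'macro'    - OOXML container that carries a VBA project part
      'no-macro' - OOXML container with no VBA project part
      'legacy'   - OLE2 binary document; macros cannot be ruled out by this
                   check, so a gateway should treat it as suspicious
      'other'    - not an Office document (or a corrupt container)
    """
    if data.startswith(OLE2_MAGIC):
        return "legacy"
    if not data.startswith(OOXML_MAGIC):
        return "other"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n.lower() for n in zf.namelist()]
    except zipfile.BadZipFile:
        return "other"
    # Word, Excel and PowerPoint store VBA as word/, xl/ or ppt/vbaProject.bin.
    if any(n.endswith("vbaproject.bin") for n in names):
        return "macro"
    return "no-macro"


def build_sample_document(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-style zip for the demonstration (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed attachments: the names are labels only; classification uses bytes.
    samples = [
        ("invoice.docm", build_sample_document(True)),
        ("report.docx", build_sample_document(False)),
        ("old.doc", OLE2_MAGIC + b"\x00" * 24),
        ("notes.pdf", b"%PDF-1.4\n"),
    ]
    for label, blob in samples:
        print(f"{label}: {classify_office_attachment(blob)}")
```

A gateway using this check would quarantine or strip anything classified as `macro` and route `legacy` documents to deeper inspection, since a `.docx` extension says nothing about what the zip actually contains.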
Emotet will scan through contacts lists and start bombarding everyone on the list with malicious emails. As the email appears to come from a trusted source, users will be more inclined to click on the accompanying links or open an attachment.
If the device is connected to a network, Emotet will also attempt to spread using a brute-force attack: it tries different combinations of usernames and passwords to see whether it can gain access to other machines on the network this way.
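The brute-force spreading described above leaves a recognisable trace in logon auditing: a burst of failed logons from one source against several accounts, sometimes followed by a success. The Python below is an added example, not code from the original post; it runs a sliding-window detection over a constructed set of logon-audit records (the CSV layout is an assumption made for the example, though 4625 and 4624 are the real Windows event IDs for failed and successful logons) and raises one alert per source that reaches the threshold.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of logon-audit records (not real telemetry). Fields:
# timestamp, Windows event ID (4625 = failed logon, 4624 = success),
# target host, source IP, target account. 10.0.0.15 hammers four accounts
# within twelve seconds and then succeeds; 10.0.0.40 is a user who mistypes
# a password twice. The 09:30 entry shows a stale failure ageing out of the window.
SAMPLE_EVENTS = """\
2019-03-04T09:30:00Z,4625,FILESRV01,10.0.0.15,administrator
2019-03-04T10:00:01Z,4625,FILESRV01,10.0.0.15,administrator
2019-03-04T10:00:02Z,4625,FILESRV01,10.0.0.15,administrator
2019-03-04T10:00:03Z,4625,FILESRV01,10.0.0.15,administrator
2019-03-04T10:00:04Z,4625,FILESRV01,10.0.0.15,jsmith
2019-03-04T10:00:05Z,4625,FILESRV01,10.0.0.15,jsmith
2019-03-04T10:00:06Z,4625,FILESRV01,10.0.0.15,jsmith
2019-03-04T10:00:07Z,4625,FILESRV01,10.0.0.15,backup
2019-03-04T10:00:08Z,4625,FILESRV01,10.0.0.15,backup
2019-03-04T10:00:09Z,4625,FILESRV01,10.0.0.15,backup
2019-03-04T10:00:10Z,4625,FILESRV01,10.0.0.15,svc_sql
2019-03-04T10:00:11Z,4625,FILESRV01,10.0.0.15,svc_sql
2019-03-04T10:00:12Z,4624,FILESRV01,10.0.0.15,svc_sql
2019-03-04T10:05:00Z,4625,FILESRV01,10.0.0.40,agreen
2019-03-04T10:05:07Z,4625,FILESRV01,10.0.0.40,agreen
2019-03-04T10:05:15Z,4624,FILESRV01,10.0.0.40,agreen
"""

THRESHOLD = 10                  # failed logons from one source ...
WINDOW = timedelta(seconds=60)  # ... within this sliding window


def parse_events(text):
    """Parse the constructed CSV lines into (timestamp, event_id, host, src, user) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, host, src, user = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event_id, host, src, user))
    return events


def detect_bruteforce(events, threshold=THRESHOLD, window=WINDOW):
    """Return {source_ip: alert} for sources reaching `threshold` failures inside `window`.

    An alert is raised once per source; a later 4624 from an alerted source is
    recorded, because a success after a burst of failures is the higher-severity case.
    """
    recent = defaultdict(deque)  # src -> deque of (timestamp, account) inside the window
    alerts = {}
    for ts, event_id, host, src, user in sorted(events):
        if event_id == "4624":
            if src in alerts:
                alerts[src]["success_after_alert"] = True
            continue
        if event_id != "4625":
            continue
        q = recent[src]
        q.append((ts, user))
        while ts - q[0][0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and src not in alerts:
            alerts[src] = {
                "target_host": host,
                "first_seen": q[0][0].isoformat(),
                "failures": len(q),
                "accounts": sorted({u for _, u in q}),
                "success_after_alert": False,
            }
    return alerts


if __name__ == "__main__":
    for src, alert in detect_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        print(src, alert)
```

The distinct-account list is what separates this pattern from a single user locking themselves out: many accounts from one source in under a minute is the lateral-movement signature, and the `success_after_alert` flag is the cue to isolate that host rather than just reset a password.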
Another way Emotet propagates is by exploiting the EternalBlue/DoublePulsar vulnerabilities. These are the same vulnerabilities that were exploited in the infamous WannaCry and NotPetya attacks, which caused huge global disruption.
As we’ve seen above, Emotet can rapidly spread to other computers connected to the network unless it’s contained and eradicated as quickly as possible. If you believe your device or network has been compromised by Emotet, you should immediately take the following steps:
Phishing is the number one cause of all cyber-attacks and continues to prove one of the easiest ways to steal valuable data and deliver ransomware. MetaPhish has been created to provide a powerful defence against these threats and enables organisations to find out just how susceptible their company is to phishing. Get in touch for further information on how MetaPhish can be used to protect your business.