How to Stop the Costliest & Most Destructive Malware: Emotet

In the history of malicious software (malware) development, the malware called “Emotet” has emerged to be among the most costly and destructive.

According to the United States Computer Emergency Readiness Team (US-CERT), Emotet costs U.S. state, local, tribal, and territorial (SLTT) governments up to $1 million per incident to clean up. Emotet victims are not limited to the U.S., however: this malware targets everyone regardless of location, affecting both the private and public sectors.

What Is Emotet? How Does It Work?

Emotet is malware that was first detected by Trend Micro in June 2014. Emotet first appeared as a banking trojan – malware designed to steal critical information stored or processed by online banking and payment systems. Emotet version 1 specifically steals bank account details by intercepting internet traffic, targeting victims in different parts of the world.

Through the years, a number of Emotet versions have been released into the wild, indicating that the creator or creators of this malware are constantly tweaking it, extending its functionality and improving its ability to evade detection. Over time, though, Emotet's creators have kept certain strategies and functionalities that have made this malware more successful than its contemporaries. Here are some of Emotet's notable strategies and functionalities:

1. Initial Infection via Spam Campaigns

All Emotet versions initially infect their victims through malicious emails sent as part of widespread spam campaigns. These emails are made to look legitimate, with subject lines such as “Your Invoice” or “Payment Details” and purporting to come from well-known parcel companies. They contain malicious attachments or links.

Once the email recipient opens the malicious attachment or clicks the malicious link, Emotet is downloaded and installed on the recipient’s computer, either by code embedded in the attachment or directly from the website in the case of link-based emails.

2. Dropper

Emotet primarily functions as a dropper or downloader of other malware. Once Emotet infects victims’ computers, it further downloads other malware such as Zeus Panda Banker or Trickbot.

Zeus Panda Banker first appeared in 2016. Similar to other banking trojans, Zeus Panda Banker injects malicious code into web pages, allowing the malware to steal credit card information and banking credentials as victims interact with legitimate sites. In 2018, Emotet began delivering Zeus Panda Banker into victims’ computers.

Trickbot, meanwhile, also first appeared in 2016. Like other banking trojans, Trickbot steals data by injecting malicious code into web pages. Trickbot, however, is more than a banking trojan: it also harvests emails and login details. In 2018, Emotet began delivering Trickbot into victims’ computers.

In July 2017, Trickbot added worm functionality, that is, the ability to spread itself to other computers within a network without user interaction. Trickbot’s worm functionality comes from EternalBlue, EternalRomance and EternalChampion – leaked spy tools that exploit a security vulnerability in Windows Server Message Block (SMB). Computers running Windows operating systems use SMB for a wide variety of purposes, such as file sharing and access to remote Windows services.

Nearly a month before the EternalBlue, EternalRomance and EternalChampion exploits were leaked to the public, Microsoft issued a security update, or patch, fixing the security loophole exploited by these three leaked spy tools.

In the past, Emotet, Zeus Panda Banker and Trickbot were each distributed through separate, distinct spam campaigns. It appears that the creators of these different malware programs have somehow formed an unholy alliance, delivering all of them via Emotet.

3. Highly Infectious on a Network

Emotet can easily infect hundreds, if not thousands, of computers on a network. Emotet spreads to additional computers within a network by using the leaked spy tool EternalBlue.

Emotet also spreads to additional computers within a network through brute force – a form of attack that guesses and tries countless username and password combinations to gain access to a computer. Once Emotet’s brute force attack succeeds, it copies itself from the infected computer onto the newly compromised one.

Emotet’s unholy alliance with Trickbot, both of which have worm-like capability, makes this malware highly infectious on a network. Reinfection can also happen within seconds if an infected computer is cleaned without first disconnecting it from the LAN where other infected computers remain.
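The brute-force spread described above leaves a characteristic trace in Windows Security logs: a burst of failed logons (event 4625) from one source host, often followed by a successful logon (event 4624) from the same host. As an added example, not code from the original post, the following Python detector flags that pattern over constructed, simplified log lines; the field layout, the 5-failures-per-minute threshold and the host names are assumptions for illustration.

```python
# Added example (not from the original post): flag the brute-force lateral
# movement pattern: many failed logons (4625) from one source host in a short
# window, optionally followed by a successful logon (4624) from that host.
# Input is a constructed, simplified rendering of Windows Security events.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "timestamp event_id target_user source_host"
SAMPLE_LOG = """\
2019-03-04T10:00:01 4625 administrator WS-FIN-07
2019-03-04T10:00:02 4625 administrator WS-FIN-07
2019-03-04T10:00:02 4625 admin WS-FIN-07
2019-03-04T10:00:03 4625 backup WS-FIN-07
2019-03-04T10:00:04 4625 administrator WS-FIN-07
2019-03-04T10:00:05 4625 helpdesk WS-FIN-07
2019-03-04T10:00:06 4624 helpdesk WS-FIN-07
2019-03-04T10:05:00 4625 jsmith WS-HR-02
2019-03-04T10:30:00 4624 jsmith WS-HR-02
"""

FAILED, SUCCESS = "4625", "4624"

def parse(log_text):
    """Parse the constructed log format into (timestamp, event_id, user, host)."""
    events = []
    for line in log_text.splitlines():
        ts, event_id, user, host = line.split()
        events.append((datetime.fromisoformat(ts), event_id, user, host))
    return events

def find_bruteforce_sources(events, threshold=5, window=timedelta(minutes=1)):
    """Return {source_host: (failed_count, success_after)} for hosts that
    produced >= threshold failed logons within `window` (sliding window).
    success_after is True when a 4624 from that host follows the burst."""
    by_host = defaultdict(list)
    for ev in sorted(events):
        by_host[ev[3]].append(ev)
    findings = {}
    for host, evs in by_host.items():
        failures = [e for e in evs if e[1] == FAILED]
        for i, start in enumerate(failures):
            burst = [e for e in failures[i:] if e[0] - start[0] <= window]
            if len(burst) >= threshold:
                burst_end = burst[-1][0]
                success_after = any(e[1] == SUCCESS and e[0] >= burst_end for e in evs)
                findings[host] = (len(burst), success_after)
                break  # report each host once
    return findings

if __name__ == "__main__":
    for host, (n, hit) in find_bruteforce_sources(parse(SAMPLE_LOG)).items():
        print(f"{host}: {n} failed logons within one minute; success afterwards: {hit}")
```

A hit with success_after set is the case to isolate first, since the post notes that a cleaned machine is reinfected within seconds if it stays on a LAN with other infected hosts.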

4. Polymorphic Malware

Traditional anti-malware programs find Emotet difficult to detect because this malware is polymorphic. Polymorphic malware changes itself every time it is downloaded to a vulnerable computer in order to avoid detection by anti-malware solutions.

Polymorphic malware typically encrypts its code on every infection, changing its physical file makeup by altering the encryption keys each time.

Cybersecurity Best Practices

Here are some of the best cybersecurity practices to limit the effect of Emotet and similar malware:

  • Keep your organization’s Windows operating systems, specifically Windows server operating systems, up to date. Emotet and its partner malware Trickbot rely on hacking tools such as EternalBlue, EternalRomance and EternalChampion – exploits for which Microsoft already issued a patch on March 14, 2017.
  • Implement email hygiene in your organization. Use an advanced email-filtering system that blocks spam emails. Also, train your staff to spot and report malicious emails.
  • Implement least privilege, limiting each computer user’s access level. For instance, non-IT staff shouldn’t be allowed to install computer programs, which prevents accidental installation of malicious software like Emotet.
  • Educate your staff to use strong computer passwords and start using 2-factor authentication.

When you need help with IT infrastructure and information security, turn to our experts. We are available 24×7 to help you eliminate the uncertainty. Contact us today.
