Since its initial discovery in 2014, the Emotet trojan has become an increasingly dangerous and persistent threat to users and organisations across the globe. The US Department of Homeland Security CISA division, refers to emotet as ‘among the most costly and destructive malware’ affecting from small to large scale organisations of both the private and public sectors.
Emotet started out as a way to steal users banking details, the scope and capabilities of this trojan have changed drastically.
From spreading itself across a network infecting other machines to skimming Outlook contact information to use in spear phishing attacks to stealing browser history, user credentials and installing other malware such as backdoors and ransomware, emotet can be extremely damaging to an organisation. Also, due to Emotet being polymorphic and able to constantly change and modify itself, it is increasingly difficult to detect and prevent against using typical signature-based methods with hundreds of unique payload variants discovered daily.
Phishing Email Example
Emotet trojans will generally arrive on a user’s machine via emails like the above example. Spam emails spoofing common brands and institutions (banks, government departments) with layouts and language designed to encourage the user to click on the malicious attachment or link to sites hosting the document for download.
Crimeware-as-a-service (CaaS) helps ensure that new versions of these email attachments can be generated and distributed on a near constant basis ensuring its ability to evade traditional AV on Zero-day.
We regularly see new Emotet detections and an example of a malicious emotet attachment that one of our agents detected had been created only 4 hours prior.
In a short span of time, a new .doc attachment was generated with a new file hash value which would be unknown to a traditional AV solution was attached and emailed to an unsuspecting user ready for the morning inbox clear-out.
At the time of the detection, our threat researcher uploaded a copy of the threat file to VirusTotal where only 8 other Vendors were aware of and had the file marked as malicious.
This means that on many other AV solutions, the file would have been allowed to run and would not have been detected.
For this example, the user clicks on the attachment unaware as the document starts delivery of the Emotet payload.
From the attack storyline on our management console, we can see that as soon as the doc is opened, it attempts to utilise PowerShell to run obfuscated code. Code obfuscation is one of the methods used by hackers to evade static analysis engines in Anti-Virus and help disguise their activity.
In this case, the PowerShell code attempts to create a network connection to reach out to a compromised domain online and download the additional emotet payload to the users’ machine to exploit further.
For any business, such an attack could cause severe consequences that would translate to high financial costs and reputational damage.
In this case, the threat was detected by the behavioural engine of the agent which was able to determine that the activity exhibited by the threat was malicious and then, autonomously killed and quarantined the threat from the users’ machine. After the threat was investigated by our security analysts, the threat was successfully remediated against without any disruption or compromise to the user’s machine.
Without our agent in place on the user’s machine, the result may not have been as favourable.
Alex James – Lead Security Analyst – Custodian360