Remember Emotet, the banking trojan that first appeared around 2014? Unfortunately, it continues to be one of the most costly and destructive pieces of malware ever engineered. Weaponized by hackers to steal data and spread Ryuk and other ransomware, Emotet has affected government and public sector organizations around the world. The damage has been significant, costing an average of $1 million to remediate each incident.
Traditionally, Emotet has been distributed through infected emails containing malicious attachments or links. According to a Department of Homeland Security alert, examples have included fake PayPal receipts, shipping notifications and ‘past-due’ invoices.
The difficulty with Emotet stems from its ability to evade typical signature-based detection. It maintains persistence through auto-start registry keys and services, and it continually changes the DLLs it uses, so it keeps evolving. This adaptability has made Emotet more dangerous, allowing it to install malware on victims’ computers that can steal data, harvest emails, deploy ransomware and propagate to other computers. The effects have been devastating. In one of the most recent attacks, 600 United Nations personnel were targeted with an official-looking email appearing to come from the Permanent Mission of Norway, which contained an attachment that downloaded Emotet onto the U.N.’s network.
Emotet’s latest tricks
The latest threat from Emotet is just one more footnote in the story of its evolution. As described in a Threatpost article, Emotet is now able to infect nearby, insecure Wi-Fi networks – and the devices connected to those networks – through brute-force loops. It continually bombards the network with commonly used passwords and login credentials, looking for vulnerable devices. Once it has successfully spread to a Wi-Fi network, it automatically attempts to infect any other devices using that network, moving through the network very quickly.
Detecting Emotet on an infected device can be difficult, primarily because it changes form as it moves from one computer to the next. If it fails to gain access with administrator credentials, it tries to infect other devices through different system processes. Once a device is compromised, Emotet can collect personally identifiable data, credit card information, banking information and more, and send that data back to the cybercriminals through cookies in HTTP requests.
One of the best ways to stop Emotet in its tracks is to teach employees how to spot suspicious emails. In addition, researchers recommend that administrators use stronger passwords, which means not leaving routers and other equipment on their original factory password settings.
Make sure that all the devices on the network are secure. Insecure devices are one of the easiest and most common ways for Emotet to infiltrate a network. Scanning tools can be used to find these devices, and once they’re found they should be patched and covered by up-to-date endpoint protection. Speaking of patches, it’s vital that all endpoint devices are patched and kept up to date.
Knowing that Emotet is often downloaded onto a device when someone clicks an infected email or document link, it’s wise to monitor all endpoints for new services or applications being installed without permission, including any suspicious services or processes running from temporary folders. By the time an infected device is discovered, however, it may already be too late. Although more drastic, blocking (rather than merely disabling) PowerShell for most users can be an effective way to prevent a user from accidentally downloading Emotet.
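As an added example, not from the original post or from NetMotion, the following PowerShell sweep implements the monitoring suggested above: it flags installed services and running processes whose executable lives in a temporary or user-writable folder. The folder patterns are assumptions to be tuned for your environment, and some legitimate software will show up alongside anything suspicious.

```powershell
# Added example, not from the original post: list services and running
# processes whose executable sits in a temporary or user-writable folder.
# The folder patterns below are assumptions; tune them for your estate.
$SuspiciousPathPatterns = @(
    '*\Windows\Temp\*',
    '*\AppData\Local\Temp\*',
    '*\AppData\Roaming\*',
    '*\Users\Public\*'
)

function Test-SuspiciousPath {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    foreach ($pattern in $SuspiciousPathPatterns) {
        if ($Path -like $pattern) { return $true }   # -like is case-insensitive
    }
    return $false
}

# Win32_Service.PathName is the raw command line, e.g. "C:\x\svc.exe" -k arg,
# so isolate the executable before matching. An unquoted path that contains
# spaces is cut at the first space and deserves a manual look.
function Get-ServiceExecutable {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    if ($PathName.StartsWith('"')) { return ($PathName -split '"')[1] }
    return ($PathName -split ' ')[0]
}

$findings = @()
# Persistence check: services configured to run from a suspicious location.
foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $exe = Get-ServiceExecutable $svc.PathName
    if (Test-SuspiciousPath $exe) {
        $findings += [pscustomobject]@{
            Kind = 'Service'; Name = $svc.Name; Path = $exe
            Detail = "StartMode=$($svc.StartMode) State=$($svc.State)"
        }
    }
}
# Live check: processes currently executing from a suspicious location.
foreach ($proc in Get-CimInstance -ClassName Win32_Process) {
    if (Test-SuspiciousPath $proc.ExecutablePath) {
        $findings += [pscustomobject]@{
            Kind = 'Process'; Name = $proc.Name; Path = $proc.ExecutablePath
            Detail = "PID=$($proc.ProcessId) ParentPID=$($proc.ParentProcessId)"
        }
    }
}
$findings | Sort-Object Kind, Name | Format-Table -AutoSize
```

Run it from an elevated prompt so that processes owned by other users and service command lines are fully visible; a baseline taken on a clean machine makes later diffs far easier to read.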
As the mobile workforce continues to grow, traditional firewalls and other tools used to keep the corporate perimeter safe are less effective at keeping devices and data secure. Anti-malware technology like Office 365 Advanced Threat Protection can be an invaluable tool for detecting and blocking malicious attachments. In a similar way, it’s important to find vendors like NetMotion that can deliver endpoint security and remote access designed specifically for mobile devices. This is one of those cases where prevention is absolutely better than the cure.