This is an advisory on Emotet, an advanced, modular banking Trojan also serving as a dropper of other banking Trojans.
Emotet is a highly destructive banking Trojan. Its worm-like features ensure rapid network-wide infection, which is difficult to combat. Emotet infections have cost SLTT governments up to $1 million per incident to remediate. Emotet is a polymorphic banking Trojan that can evade typical signature-based detection. It has several methods for maintaining persistence, including auto-start registry keys and services. It uses modular Dynamic Link Libraries (DLLs) to continuously evolve and update its capabilities. Furthermore, Emotet is virtual-machine-aware and can generate false indicators if run in a virtual environment.
Emotet is an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. Emotet continues to be one of the most expensive and destructive malware families, affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors.
Emotet is disseminated through emails containing malicious attachments or links, using branding that is familiar to the recipient.
As of July 2018, the most recent campaigns imitate PayPal receipts, shipping notifications, or “past-due” invoices.
Initial infection occurs when a user opens or clicks the malicious download link, PDF, or macro-enabled Microsoft Word document included in the spam email. Once downloaded, Emotet attempts to penetrate the local networks through incorporated spreader modules.
Currently, Emotet uses five known spreader modules: NetPass.exe, WebBrowserPassView, Mail PassView, Outlook scraper, and a credential enumerator.
Once an available system is found, Emotet writes the service component on the system, which writes Emotet onto the disk.
Emotet’s access to SMB can result in the infection of entire domains (servers and clients).
To maintain persistence, Emotet injects code into explorer.exe and other running processes. It can also collect sensitive information, including system name, location, and operating system version, and connects to a remote command and control server (C2), usually through a generated 16-letter domain name that ends in “.eu.”
Once Emotet establishes a connection with the C2, it reports a new infection, receives configuration data, downloads and runs files, receives instructions, and uploads data to the C2 server.
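The C2 naming pattern described above (a generated 16-letter domain under ".eu") is something a defender can hunt for in resolver logs. The following is an added example, not part of the advisory: it runs that check over constructed DNS query log lines whose "timestamp client query type" layout is an assumption, and returns the querying hosts so they can be isolated. The pattern is one indicator among several and legitimate 16-letter .eu names will also match, so hits warrant triage rather than automatic action.

```python
import re
from dataclasses import dataclass

# Constructed sample resolver log (not from the advisory). The field layout
# "timestamp client query type" is an assumption about the log format.
SAMPLE_DNS_LOG = """\
2018-07-20T10:00:01Z 10.0.0.5 www.paypal.com A
2018-07-20T10:00:03Z 10.0.0.5 qwertyuiopasdfgh.eu A
2018-07-20T10:00:04Z 10.0.0.7 mail.example.eu A
2018-07-20T10:00:09Z 10.0.0.9 zxcvbnmasdfghjkl.eu A
2018-07-20T10:00:11Z 10.0.0.9 shop12345678.eu A
"""

# A bare second-level label of exactly 16 ASCII letters directly under .eu,
# matching the C2 naming pattern the advisory describes. Trailing dot allowed.
EMOTET_C2_PATTERN = re.compile(r"^[a-z]{16}\.eu\.?$", re.IGNORECASE)


@dataclass(frozen=True)
class Hit:
    timestamp: str
    client: str
    domain: str


def is_emotet_style_c2_domain(name: str) -> bool:
    """True when the queried name is a 16-letter label directly under .eu."""
    return EMOTET_C2_PATTERN.match(name.strip()) is not None


def find_suspect_queries(log_text: str) -> list[Hit]:
    """Scan resolver log lines and return every query matching the pattern."""
    hits: list[Hit] = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # skip blank or malformed lines rather than failing
        ts, client, qname = fields[0], fields[1], fields[2]
        if is_emotet_style_c2_domain(qname):
            hits.append(Hit(ts, client, qname.lower().rstrip(".")))
    return hits


def clients_to_isolate(hits: list[Hit]) -> set[str]:
    """Distinct source hosts that queried a suspect domain (triage candidates)."""
    return {h.client for h in hits}


if __name__ == "__main__":
    for h in find_suspect_queries(SAMPLE_DNS_LOG):
        print(f"{h.timestamp} {h.client} -> {h.domain}")
```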
Emotet artifacts usually mimic the names of known executables. Emotet creates randomly-named files in the system root directories that are run as Windows services. When executed, these services attempt to propagate the malware to adjacent systems via accessible administrative shares.
Note: Privileged accounts are not to be used while logging in to compromised systems during remediation, as that might speed up the propagation of the infection.
If you think you are a victim of a cyber-security attack, immediately send an email to email@example.com for a rapid response.