When it comes to dangerous malware, there’s one specifically that seems to always come to mind.
Beginning in 2014, Emotet attacks have plagued IT infrastructure worldwide.
What once started as dangerous malware quickly turned into a ruthless business model, leading those involved with the spread of attack to become known as the ‘Emotet gang’.
Then, in March of 2021, a coordinated multi-national law enforcement effort temporarily disabled Emotet, seizing several hundred management servers during “Operation Ladybird.”
Though the Emotet gang stayed quiet for almost a year, they’re back – and testing new techniques.
To understand how to protect yourself against Emotet, you’ll first need to know how it spreads and affects organizations.
Only then can you keep your business safe while Emotet returns.
How Emotet Works
Emotet began life as a trojan, aimed at stealing banking information from financial institutions.
However, it soon evolved into a Malware-as-a-Service (MaaS) style gang that delivered other malware for their customers.
To infect host machines, Emotet used spearphishing attacks to deliver infected files. Early on, Emotet used JavaScript, before changing to Word documents containing malicious macros.
Once infected, the installation of Emotet would contact a command and control (C2) server using macros or Powershell commands, in order to receive additional instructions and payloads.
Common malicious modules steal credentials, take over email accounts, and turn the victim into a spam source.
Emotet has also been known to deliver Cobalt Strike payloads, allowing the gang or a partner to use the Red Team tool to explore their victim’s network.
Emotet Returns With New Methods
Like any cyberattack, Emotet’s methods evolve over time.
Now, Emotet is exploring new types of attacks using low-volume phishing campaigns and social engineering.
For example, Microsoft cut off a major infection vector when it decided to deny internet macros by default for Microsoft Office applications.
In response, Emotet switched to Excel Add-in files which display as Excel files. However, they have .xll extensions and behave more like .dll files.
Emotet adds credibility to the attack by delivering the files through OneDrive URLs which most companies can’t block.
Some new Emotet attacks use Windows shortcut files (.LNK) that contain PowerShell commands. Additionally, the group also switched to 64-bit modules to evade signature-based antivirus (which is aware of Emotet’s older 32-bit modules).
It’s the cycle of cybersecurity in action: cyberattacks happen, systems are patched, and attackers evolve.
Stopping this Dangerous Malware
To stop Emotet (or any malware), your organization should:
- Check for and remove the infection
- Check for vulnerabilities
- Address those vulnerabilities
- Determine potential security improvements
- Monitor for possible future attacks
While it’s a basic recipe for success against any malware, let’s look at Emotet in particular.
Check for Infection
To start with, Japan CERT released an upgraded EmoCheck utility to detect the 64-bit versions of Emotet.
And thankfully, you can expect many antivirus and EDR solutions to update their signature-based defense against new files as Emotet returns.
But, you’ll also want to block access to your networks for domains associated with Emotet’s delivery or executables.
However, since Emotet’s malware evolves so quickly, you must assume the group will continue to use new files, methods, and URLs. They won’t remain stagnant for long.
Since these new versions of Emotet malware act as zero-day attacks, you’ll also need to watch for unauthorized use of Powershell, Cobalt Strike, and other Emotet favorites.
If you do discover an attack, immediately activate your incident response strategy to isolate and remediate your systems.
Check for Vulnerabilities
Once Emotet gains access to a system, they often try to exploit other vulnerabilities in your IT environment.
Beat them to the punch and perform penetration testing and vulnerability scans to know what will be found.
Address Vulnerabilities
As penetration tests and vulnerability scans locate issues, rand and resolve the problems based upon the level of risk to your organization.
All vulnerabilities should be noted and a plan for correction developed.
If necessary, some risks can be mitigated temporarily – as long as they’re resolved later when budgets and technologies improve. They only problem here though, is that an issue resolved ‘temporarily’ often becomes forgotten.
Address Potential Security Improvements
While older technologies such as firewalls and antivirus provide protection, upgrading to newer technologies further reduces the risk of attack.
For example, you can upgrade firewalls to next-generation models, while you can upgrade antivirus to managed endpoint detection and response (EDR).
Monitor for Possible Future Attacks
Even the best security in the world is undone by a distracted employee having a bad day. All it takes is one wrong click.
And, over the long run, the sheer volume of attacks makes them statistically likely to occur.
Cybersecurity monitoring keeps an eye on systems to catch these successful attacks rapidly and minimize damage.
Final Thoughts
It’s hard to stay on top of every new attack. With the constant evolution of dangerous malware, worms, and viruses, you’re not alone if you feel overwhelmed.
Some organization may already be under attack, while others don’t want to deal with the difficulties of countering sophisticated attackers like Emotet.
If you’re in that sort of position, it’s okay – you still have options. You can always reach out for assistance.
Contact Blue Bastion at 412-349-6680 or fill out the form below and our experts will meet with your team in a no-obligation consultation.
We can outline possible next steps and explain potential technology upgrades in simple terms, or in as much technical detail as your IT team needs.
