What Is Emotet?
In 2018, Allentown, Pennsylvania was crippled by a malware attack on its core computer systems.
The attack forced the city council to shut down large parts of its computer network, resulting in widespread chaos - the police department was blocked from accessing its own databases, the city’s surveillance camera network was knocked out and the local authority’s finance department was unable to process transactions. The virus’ hold on the city was so great that it cost an estimated $1 million to recover.
The virus responsible is known as Emotet and is still a major cybersecurity threat today. In fact, it was identified as 2019’s most prevalent malware threat by Any.Run, a public service for malware testing.
So, it sounds like we’d better get acquainted with Emotet to help enhance our online security knowledge. Let us help bring you up to speed on what it is, how it has evolved and how it spreads.
What does Emotet do?
Emotet is a banking trojan. It typically spreads through phishing emails containing infected attachments or malicious URLs.
If these attachments are opened and infect your computer, Emotet will begin to communicate with its ‘command-and-control’ (C2) servers, downloading the malware payload to run on the device and sending stolen information back.
Since it was first identified in 2014, Emotet has evolved rapidly from a simple banking malware into a loader that delivers all kinds of other malware onto the infected host. For example, Emotet and ransomware will often tag-team an infected host. This is why Emotet is now considered one of the most destructive malware families ever created.
A brief history of Emotet
In 2014, Emotet’s original purpose was to intercept the web traffic of infected hosts, then steal bank login details and other sensitive personal information.
Later that same year, Emotet evolved to version 2, adding an Automatic Transfer System (ATS) - this technology didn’t just intercept banking logins, but automatically stole cash from bank accounts. Version 2 also saw the addition of the malspam feature, sending emails with branding that would be familiar to the recipient but contained infected attachments. This significantly fuelled its ability to spread.
In 2015, version 3 emerged. It was much the same as version 2, but more sophisticated at avoiding detection. Version 3 Emotet could identify when it was in a sandbox (testing) environment and lie dormant, making it difficult to study.
Creepy! But it gets worse.
In version 4, Emotet established ongoing contact with its C2 server. This meant once it infected a device, it could constantly retrieve updates and new malicious codes to wreak further havoc on the infected host.
In version 5, Emotet became much more than just a virus, developing into an entire business model for its creators.
Malware as a Service (MaaS)
You might be familiar with the term Software as a Service (SaaS). This refers to when a third-party provider hosts applications and makes them available to customers to use over the internet.
Well, the creators of Emotet began to leverage ‘Malware as a Service’ (MaaS). Through Emotet, they created a network of infected computers, also known as a ‘botnet’, access to which they could then rent out. This was great news for other wannabe cybercriminals. Whether they could code or not, MaaS opened up the world of cybercrime to anyone who wanted to steal data, issue ransomware or otherwise make a quick buck. This was obviously not such great news for the rest of us.
Who does it target?
According to the US Department of Homeland Security, Emotet targets everyone from government departments to companies and individuals.
While early Emotet primarily targeted German-speaking countries and their banks, today the spread is undeniably global and, as the people of Allentown found out, very much includes the United States.
How does Emotet spread?
An Emotet infection usually begins with a user receiving a phishing email containing a malicious attachment or link. It uses social engineering techniques to disguise the real intent of the email and tricks the user into opening the attachment or link, downloading the virus.
One social engineering tactic Emotet uses is to hijack an existing email conversation and send the user a ‘reply’. This makes the user feel comfortable opening the mail as it appears to be a genuine, trusted email - a conversation they were already engaged in.
The attachments are usually a Microsoft Office document (such as a Word file) or a PDF, disguised as something vaguely finance related such as an invoice.
Once opened, the user is prompted to enable macros. Under normal circumstances, macros are very useful, allowing you to automate repetitive tasks in your Office documents. But when a cybercriminal has written the macro code, enabling it will instruct your computer to download the virus.
If your device is connected to a wider network, such as your business organization, Emotet will do everything in its power to infect the entire network. It will do this by:
- Scraping all parts of your computer for stored account passwords and sending them back to its C2 servers.
- Working through a stored list of commonly used passwords in a brute-force attack to try and break into other systems on your network.
- Accessing your email account and sending out more phishing emails to your network. It can even analyse the text of your previously sent emails and use this to craft phishing mails to sound just like you.
How to detect the Emotet virus
We know Emotet has been designed to be difficult to detect. However, this doesn’t mean the best in the business have stopped trying.
The Australian Cyber Security Centre (ACSC) has identified and shared a list of Indicators of Compromise (IoCs) associated with Emotet. While these pieces of data mean absolutely nothing to most of us, IT professionals can use IoCs to help detect malware activity on a system. Organizations can add these indicators to their firewalls and gateways to help improve their chances of detecting any Emotet activity.
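As an added illustration (not code from the original article or from the ACSC), the small Python detector below applies two of the signals this article describes to constructed sample log lines: outbound connections to addresses on an IoC list, and a single host failing logons against many different accounts in a short window, which is the trace the password-list brute-forcing described under “How does Emotet spread?” leaves behind. The log format, the IP addresses and the IoC value are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format: "<timestamp> <event> key=value ...").
# Host 10.0.0.12 contacts a listed address, then fails logons for six accounts.
SAMPLE_LOG = """\
2020-03-02T09:00:01 CONNECT src=10.0.0.12 dst=203.0.113.45 dport=443
2020-03-02T09:00:03 AUTH_FAIL src=10.0.0.12 user=alice target=FS01
2020-03-02T09:00:04 AUTH_FAIL src=10.0.0.12 user=bob target=FS01
2020-03-02T09:00:05 AUTH_FAIL src=10.0.0.12 user=carol target=HR02
2020-03-02T09:00:06 AUTH_FAIL src=10.0.0.12 user=dave target=HR02
2020-03-02T09:00:07 AUTH_FAIL src=10.0.0.12 user=erin target=DC01
2020-03-02T09:00:09 AUTH_FAIL src=10.0.0.12 user=frank target=DC01
2020-03-02T09:01:00 CONNECT src=10.0.0.20 dst=198.51.100.7 dport=443
2020-03-02T09:02:00 AUTH_FAIL src=10.0.0.20 user=gina target=FS01
"""

# Placeholder indicator list; in real use load the published ACSC IoCs instead.
IOC_ADDRESSES = {"203.0.113.45"}

LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")

def parse(log):
    # Yield (timestamp, event, fields) for each well-formed line, skipping junk.
    for raw in log.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group(3).split())
        yield datetime.fromisoformat(m.group(1)), m.group(2), fields

def ioc_hits(log, iocs=IOC_ADDRESSES):
    """Return (src, dst) pairs for outbound connections to listed addresses."""
    return [(f["src"], f["dst"]) for _, ev, f in parse(log)
            if ev == "CONNECT" and f["dst"] in iocs]

def spray_sources(log, window=timedelta(minutes=1), min_users=5):
    """Map src -> number of distinct accounts it failed to log on as in one window."""
    fails = defaultdict(list)
    for ts, ev, f in parse(log):
        if ev == "AUTH_FAIL":
            fails[f["src"]].append((ts, f["user"]))
    flagged = {}
    for src, events in fails.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - t0 <= window}
            if len(users) >= min_users:
                flagged[src] = len(users)
                break
    return flagged
```

Running `ioc_hits(SAMPLE_LOG)` and `spray_sources(SAMPLE_LOG)` flags only 10.0.0.12; the second host makes one ordinary failed logon and is left alone.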
How to prevent Emotet
Described by the Department of Homeland Security as “among the most costly and destructive malware affecting state, local, tribal, and territorial governments, and the private and public sectors”, there’s no doubt we all have a responsibility to take Emotet very seriously.
Here are some tips you can implement to protect yourself and your organization from Emotet.
- Stay educated
If you’re reading this you’ve completed the first step! Make sure you and your colleagues are fully aware of the dangers of opening infected email attachments and links, and just how well disguised they can be. Even simple tips like hovering over links to verify their destination could make a big difference.
- Review Microsoft Office macro settings
Organizations should review the use of macros and consider blocking macros from the internet.
- Implement an antivirus program
Using a trusted antivirus with automatic updates will help prevent infection by Emotet.
- Keep operating systems up to date
Regular patches improve security, fix bugs and improve functionality. This will help to restrict opportunities for Emotet to move around your network and infect others, should you have a breach.
- Ensure your network is segmented
Similarly, partitioning your organization’s network into multiple smaller networks, as opposed to one large one, will help to contain an Emotet outbreak.
- Back up daily
Keeping up-to-date backups offline could be highly valuable should you lose access to your files and get hit with ransomware.
- Use email content scanning
Scanning emails will help prevent malicious content reaching users in the first place. Your organization could also mark external mails with a banner highlighting they are from an external source, making it easier to spot malspam.
- Adhere to the principle of least privilege
Not everyone needs administrative privileges to do their work. Keep your systems safe by granting the minimum necessary level of access. This will limit the number of sources Emotet could steal credentials from.
How to remove the Emotet virus
Emotet is not a new threat, but its constant evolution has made it particularly difficult to tame. If you do get infected with Emotet, follow these first steps to help contain the virus, and bring in security specialists to start work on your recovery.
- Identify, shut down, and remove the infected devices from the network
- If possible, take the network temporarily offline to prevent reinfections and stop Emotet spreading
- Clean the infected devices
- Be mindful that the infection could already have spread across your network, so clean all devices.
As the people of Allentown will know all too well, cleaning up an Emotet incident can cost as much as $1 million. So, like all malware, prevention is key.
Check out Clario’s all-in-one cybersecurity software which includes anti-phishing and anti-malware protection and stay in control of your privacy and security.