Emotet returned from vacation and is active again – How to reduce risk in your environment?

Emotet trojan campaigns have surfaced again after a slower period. The trojan has been active irregularly since its inception in 2014 and the campaign was on a temporary hiatus after February, but it has become highly active again with new attacks. Finnish National Cyber Security Centre issued a high-level warning about the malware on 18^th of August about the trojan spreading actively in Finland.

Emotet is a modular trojan deployed as a first stage malware. Upon successfully infecting a system, it will deploy either a banking trojan, an infostealer or ransomware. An easier and quicker description would be that Emotet is a trojan that is used to open the gates for other malicious operations. Emotet is usually distributed in massive email campaigns utilizing especially attachments with Microsoft Office macros to gain access and steal target information like emails and contacts and send that information to its command channel. Using this information, it targets new victims by spoofing emails and takes advantage of the real email conversations and contacts. This makes it really difficult for an end-user to spot the phishing emails as the messages seem legit and also the end-user education becomes more and more difficult and not even necessarily effective. Emotet is regularly updated and modified and it is capable of updating itself and the command-and-control channel making it difficult to spot with traditional antivirus signatures or on the network level.

Emotet is often used to gain initial access to organizations by more advanced attackers and after the initial foothold the attacker usually targets a fast and simultaneous network-wide targeted ransomware attack. This is possible by one of Emotet’s capabilities to brute-force passwords and allow attacker to move laterally in the network to other devices and infect them. Often after Emotet infection the second or third stage attacks can involve more sophisticated attacker tools and techniques that are harder to detect with traditional preventive security controls. Emotet is also up for rent in the cybercrime world, so it is possible that they are hired by other malware gangs (ransomware or infostealers) to target certain organizations.

The team providing F-Secure’s Managed Detection and Response service Countercept has some very recent experiences in detecting and responding to Emotet attacks in organizations, hence the threat is real and it should be taken seriously.

Some tips for reducing the risk of infection in your organization

Office macros

• Disable Microsoft Office macros in your environment
• Allow execution of macros to only those users that really need them and guide these users to never activate macros from documents coming via email even if they come from a trusted source or familiar email conversations
• If possible, filter document containing Office macros from your email

Powershell

• Use PowerShell in Constrained Language mode in regular workstations: https://devblogs.microsoft.com/powershell/powershell-constrained-language-mode/
• In addition to Constrained Language Mode, control the PowerShell execution with solutions like Application Control, Applocker, Device Guard so that you can choose who can run PowerShell and which scripts and how they can be executed
• Disable PowerShell 2.0 because it can be used to bypass these control
• Set PowerShell execution policy to allow only signed scripts
• Turn on PowerShell logging and monitor the logs
• Use EPP products that can leverage AMSI-integration so that the scripts in execution can be analyzed during runtime. F-Secure EPP products utilize AMSI.
• Monitor and detect 24/7 abnormal PowerShell execution and respond to anomalies. Utilize EDR/MDR solutions to gain visibility and respond tools

Other important information

• Make sure that the endpoint protection products are up to date and configured properly and it is not only relying on signatures for the detection. For example, F-Secure DeepGuard is able to detect and block the malicious documents upon execution to prevent any additional malware from being installed to the system
• Make sure to patch software and operating systems
• Utilize EDR/MDR to monitor your environment 24/7 to identify, contain and remediate anomalies
• Inform your users about the severe risk of opening email attachments or links. For users it may be impossible to identify malicious Emotet phishing
• Read up-to date information from your local National Cyber Security Centre and security provider

Further reading:

Finnish National Cyber Security Centre alert on Emotet:
https://www.kyberturvallisuuskeskus.fi/en/emotet-malware-actively-spread-finland

Help to Detect and Respond as a service: https://www.f-secure.com/en/business/solutions/managed-detection-and-response/countercept

More from Emotet in the following links and earlier blog posts:
https://www.f-secure.com/v-descs/trojan_w32_emotet.shtml
https://blog.f-secure.com/coronavirus-email-attacks-evolving-as-outbreak-spreads/
https://blog.f-secure.com/hunting-for-emotet/

Tuomas Miettinen
Solution Consultant
F-Secure Countercept, Managed Detection and Response