How the pandemic has reinvigorated Emotet [Q&A]

The Cybersecurity and Infrastructure Security Agency (CISA) of the U.S. Department of Homeland Security recently warned of an increase in activity by the group behind the Emotet Trojan.

Emotet has been around for some time and is mainly associated with banking trojans, but this year its activity has spread to other areas.

But what is motivating these new attacks, and how can companies defend themselves? We spoke to Matt Locke, data security specialist at Varonis, to find out.

BN: Give us some background on Emotet: what it is and how it works.

ML: Emotet was first spotted in the wild in 2014, when it mainly functioned as a banking Trojan intercepting banking data via man-in-the-browser attacks. Since then the malware has undergone many developments and has become a versatile tool that can be used for a range of malicious activities.

The malware is polymorphic, which is why its specific indicators of compromise (IOCs) change frequently. As a result, security solutions that rely on threat signatures such as loader URLs, C2 IP/port combinations and spam templates have great difficulty detecting Emotet. In addition, there are three separate botnets, each with its own supporting infrastructure, which makes them even harder to detect.

Within a network, Emotet can use various methods to spread, escalate privileges, establish persistence and exfiltrate data. It can also act as a loader for other payloads such as Qbot and TrickBot.

BN: Do we know who’s behind the Trojan?

ML: Emotet is known as the signature payload of the threat actor TA542, also known as Mummy Spider. Since its first appearance in 2014, TA542 has built a reputation as one of the most prolific and persistent actors. In addition to using the constantly evolving Emotet malware, the group specializes in large-scale global campaigns that produce millions of malicious messages aimed at a wide range of industries.

After a period of relative calm, TA542 returned with a vengeance, armed with an even more powerful version of Emotet, numerous botnets around the world and treacherous new lures that exploit the pandemic.

BN: What is the motive behind the latest wave of attacks?

ML: The recent resurgence of Emotet attacks has largely focused on the global COVID-19 crisis. TA542 abandoned earlier phishing lures such as fake invoices and switched to exploiting fear and uncertainty about the virus; attacks of this kind could already be observed in the wild in February. These targeted users across Japan with emails purporting to come from social welfare services for the disabled.

As the year and the pandemic progressed, Emotet attacks continued to increase and spread around the world. Further attacks have been launched via email impersonating organizations such as the CDC in the United States, generally asking victims to click a link for important information about the spread of the virus in their area.

BN: How do the attackers get in?

ML: Like previous incarnations over the years, Emotet is mainly distributed via phishing emails. Three global botnets power the campaigns, each with its own C2 infrastructure, update schedule and malicious spam templates. The latest wave of Emotet emails carries password-protected ZIP attachments, designed so that email filters cannot scan their contents.

These emails also contain macro-enabled attachments or malicious links that aim to infect victims and add them to Emotet's army of spam-sending accounts. HTTP POST requests back to the C2 server steal the victims' email messages and contact lists, allowing the attacker to impersonate them and reply to existing email threads with malicious links. This can happen automatically, or the threat actor can take direct control of the account. Either way, it is a powerful and dangerous method of extending Emotet's reach, because people and machines alike are likely to be fooled by an email from a trusted party.
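The two attachment tricks described above, password-protected ZIPs that filters cannot open and macro-enabled Office documents, can still be triaged at the gateway: a ZIP's central directory exposes each entry's filename and its "encrypted" flag (general-purpose bit 0) even when the content is protected. This is an added example, not code from the interview or from Varonis; the sample archive is constructed by hand with the standard library, and the quarantine policy is an assumed one.

```python
import io
import struct
import zipfile
import zlib

MACRO_CAPABLE = (".doc", ".docm", ".xls", ".xlsm", ".ppt", ".pptm")


def build_zip(entries):
    """Constructed sample: write a minimal stored-only ZIP by hand so the
    'encrypted' flag can be set without a third-party library.
    entries: list of (filename, payload bytes, encrypted bool)."""
    body, central = io.BytesIO(), io.BytesIO()
    for name, payload, encrypted in entries:
        fname, flags, crc = name.encode("utf-8"), (1 if encrypted else 0), zlib.crc32(payload)
        offset = body.tell()
        body.write(struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, flags, 0, 0, 0,
                               crc, len(payload), len(payload), len(fname), 0))
        body.write(fname + payload)
        central.write(struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, flags,
                                  0, 0, 0, crc, len(payload), len(payload),
                                  len(fname), 0, 0, 0, 0, 0, offset))
        central.write(fname)
    cd_offset, cd = body.tell(), central.getvalue()
    body.write(cd)
    body.write(struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, len(entries),
                           len(entries), len(cd), cd_offset, 0))
    return body.getvalue()


def triage_attachment(zip_bytes):
    """List each entry with whether it is encrypted and whether its name is a
    macro-capable Office type. No password is needed: only headers are read."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            findings.append({
                "name": info.filename,
                "encrypted": bool(info.flag_bits & 0x0001),
                "macro_capable": info.filename.lower().endswith(MACRO_CAPABLE),
            })
    return findings


def should_quarantine(findings):
    """Assumed policy: hold any archive with an encrypted entry or a
    macro-capable document for sandboxing or user verification."""
    return any(f["encrypted"] or f["macro_capable"] for f in findings)
```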

Emotet is an extremely versatile tool that can be used for a wide variety of malicious activities. It has a large number of plugins that can be downloaded from the C2 server to extend and customize its capabilities. For example, attackers can use a lateral movement module to propagate via SMB exploits such as EternalBlue.

Emotet allows attackers to obtain privileged account credentials in plain text via Active Directory or by harvesting passwords stored on the system. From there, an attacker can perform a range of actions, including accessing more sensitive data and critical systems and adding further users to domain administrator groups.

BN: What steps can companies take to protect themselves?

ML: Emotet is one of the most dangerous and effective cyber weapons in the world. It is also highly adaptable, which makes it very difficult to predict how it will be used in the future. TA542's extensive and complex network of botnets also means the threat actor has unparalleled reach and can rapidly hit a large number of targets worldwide.

But no matter how impressive Emotet is, it is not unstoppable. Organizations do, however, need a robust, layered defense strategy to cope with the unpredictability of these attacks. Mastering the basics is essential, including training end users to spot phishing attempts and deploying an effective email filtering solution.

Strict patch management is also necessary, because it prevents the malware from moving laterally across the network. In particular, organizations need to be absolutely certain that no machine remains vulnerable to EternalBlue.

Organizations also need to minimize their attack surface, for example by proactively identifying weaknesses such as unused user accounts, reviewing permissions against records, and locking them down before they can be exploited.

Finally, companies need to ensure they have advanced detection capabilities to spot abnormal behaviour, such as users accessing an unusual amount of data compared with their normal baseline. While Emotet is constantly evolving to evade signature-based detection, data-centric monitoring of Active Directory, DNS, VPN and proxy servers will help detect the signs that Emotet is at work.
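The behavioural check suggested here, a user touching far more data than their own baseline, can be expressed as a simple leave-one-out comparison over daily file-access counts. This is an added example, not Varonis code or anything from the interview; the audit log lines are constructed, and the factor and floor thresholds are assumed tuning values.

```python
import statistics
from collections import defaultdict

# Constructed sample audit log: "date user daily_file_access_count".
# alice's 2020-09-05 count is roughly 30x her usual volume.
SAMPLE_LOG = """\
2020-09-01 alice 140
2020-09-02 alice 155
2020-09-03 alice 120
2020-09-04 alice 160
2020-09-05 alice 4800
2020-09-01 bob 35
2020-09-02 bob 40
2020-09-03 bob 30
2020-09-04 bob 90
2020-09-05 bob 45
"""


def parse_log(text):
    """Group per-user (date, count) records from whitespace-separated lines."""
    per_user = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        date, user, count = line.split()
        per_user[user].append((date, int(count)))
    return per_user


def find_anomalies(per_user, factor=5.0, floor=500, min_history=3):
    """Flag a day when its count exceeds max(floor, factor * median of the
    user's other days). The median resists skew from the outlier itself;
    the floor stops low-volume users tripping on small absolute changes.
    Returns a list of (date, user, count, baseline_median)."""
    hits = []
    for user, records in per_user.items():
        if len(records) <= min_history:
            continue  # not enough history to build a baseline
        for i, (date, count) in enumerate(records):
            others = [c for j, (_, c) in enumerate(records) if j != i]
            baseline = statistics.median(others)
            if count > max(floor, factor * baseline):
                hits.append((date, user, count, baseline))
    return hits
```

Bob's 90-file day stays below the absolute floor and is not reported, which is the intended behaviour of the assumed thresholds.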
