US-CERT has published a joint Technical Alert (TA18-201A) warning of a cyber campaign involving Emotet Malware. Malicious activity was observed as recently as this month.
An excerpt of the malware threat as revealed in the US-CERT alert:
“Emotet is an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. Additionally, Emotet is a polymorphic banking Trojan that can evade typical signature-based detection. It has several methods for maintaining persistence, including auto-start registry keys and services. It uses modular Dynamic Link Libraries (DLLs) to continuously evolve and update its capabilities. Furthermore, Emotet is Virtual Machine-aware and can generate false indicators if run in a virtual environment.”
“Emotet continues to be among the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors.”
SLTT government costs to remediate Emotet infections have also reached up to $1 million per incident.
Attackers have been disseminating Emotet via phishing emails containing malicious attachments or links.
“As of July 2018, the most recent campaigns imitate PayPal receipts, shipping notifications, or ‘past-due’ invoices purportedly from MS-ISAC,” US-CERT added in the alert.
Emotet also uses five known spreader modules: NetPass.exe, WebBrowserPassView, Mail PassView, Outlook scraper and a credential enumerator.
The malware infection process is further illustrated in a diagram in the security advisory (not reproduced here).
The alert also added this warning: “it is essential that privileged accounts are not used to log in to compromised systems during remediation as this may accelerate the spread of the malware.”
Aside from the typical safeguards needed to protect systems (such as AV, patching, sound security awareness of phishing threats, etc.), the following controls are also recommended to help minimize the impact of the Emotet threat:
Use Group Policy Objects (GPOs) to set a Windows Firewall rule that restricts inbound SMB communication between client systems. At minimum, create a GPO that blocks inbound SMB connections to clients when those connections originate from other clients.
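One way to implement that control with the NetSecurity cmdlets, as an added example that is not part of the US-CERT alert or this article: the script opens an existing GPO, adds a block rule for inbound SMB sourced from the workstation subnets, and saves the GPO. The domain name, GPO name and subnets are constructed placeholders; it assumes the GPO already exists and is linked to the workstation OU, and that the account running it can edit that GPO.

```powershell
# Added example (not from the US-CERT alert): push a Windows Firewall rule through a GPO that
# blocks inbound SMB on workstations when the connection comes from another workstation.
# Requires the NetSecurity module (Windows 8 / Server 2012 and later) and rights to edit the GPO.

$Domain          = 'corp.example'                     # placeholder: domain FQDN
$GpoName         = 'Workstation Firewall'             # placeholder: GPO that must already exist
$WorkstationNets = @('10.10.0.0/16', '10.20.0.0/16')  # placeholder: client subnets

# Open a GPO session so the rule lands in the policy store rather than the local firewall
$session = Open-NetGPO -PolicyStore "$Domain\$GpoName"

# Block rules take precedence over allow rules in Windows Firewall, so a block scoped to the
# client subnets stops client-to-client SMB while file servers stay reachable.
# 445 is direct SMB; 139 is SMB over NetBIOS session service.
New-NetFirewallRule -GPOSession $session `
    -DisplayName 'Block inbound SMB from other workstations' `
    -Description 'TA18-201A: restrict client-to-client SMB to limit Emotet lateral movement' `
    -Direction Inbound `
    -Protocol TCP `
    -LocalPort 139, 445 `
    -RemoteAddress $WorkstationNets `
    -Profile Domain `
    -Action Block `
    -Enabled True

# Write the rule back into the GPO; clients apply it on the next policy refresh (gpupdate /force)
Save-NetGPO -GPOSession $session

# Verify what the GPO now carries
Get-NetFirewallRule -PolicyStore "$Domain\$GpoName" |
    Where-Object DisplayName -like 'Block inbound SMB*' |
    Get-NetFirewallPortFilter
```

Scoping the block to workstation subnets rather than to "any" address is what keeps the control from cutting clients off from file and print servers; if the workstation subnets are not cleanly separable from server subnets, an equivalent rule can instead block all inbound TCP 445 on workstations, since clients rarely need to serve SMB at all.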
Email administrators should mark/label external emails with a banner denoting the email is from an external source.
Adhere to the principle of least privilege (i.e., don’t allow users to log in with accounts that have full system/admin privileges, which could be used to install malware or spread it further across systems).
Implement Domain-Based Message Authentication, Reporting & Conformance (DMARC), an email validation system designed to minimize spam emails by detecting and preventing email spoofing using Domain Name System (DNS) records and digital signatures.
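A check for that control, as an added example that is not part of the alert or this article: the function below looks up the DNS records DMARC depends on (an SPF record, at least one DKIM selector key, and the `_dmarc` policy record) and reports whether the published DMARC policy actually instructs receivers to act on spoofed mail. The domain and DKIM selector names are constructed placeholders; it assumes the DnsClient module (Windows 8 / Server 2012 and later) and outbound DNS access.

```powershell
# Added example (not from the US-CERT alert): audit a domain's SPF, DKIM and DMARC DNS records.
# Domain and selector names are placeholders; replace them with the domain being checked.

function Get-TxtRecord {
    param([string]$Name)
    try {
        # A TXT answer may be split into several strings; join them back into one record
        Resolve-DnsName -Name $Name -Type TXT -ErrorAction Stop |
            Where-Object { $_.Type -eq 'TXT' } |
            ForEach-Object { -join $_.Strings }
    } catch {
        # NXDOMAIN or no TXT data: treat as "record absent"
    }
}

function Test-EmailAuthRecords {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [string[]]$DkimSelectors = @('selector1', 'selector2')   # placeholder selector names
    )

    # @() keeps single results as arrays so [0] returns the record, not its first character
    $spf   = @(Get-TxtRecord $Domain          | Where-Object { $_ -like 'v=spf1*' })
    $dmarc = @(Get-TxtRecord "_dmarc.$Domain" | Where-Object { $_ -like 'v=DMARC1*' })
    $dkim  = @(foreach ($s in $DkimSelectors) {
        # DKIM keys live under <selector>._domainkey.<domain>; the p= (public key) tag is required
        Get-TxtRecord "$s._domainkey.$Domain" | Where-Object { $_ -like '*p=*' }
    })

    # Extract the policy tag (p=none|quarantine|reject) from the DMARC record
    $policy = $null
    if ($dmarc.Count -gt 0) {
        $m = [regex]::Match($dmarc[0], '(?i)\bp=(\w+)')
        if ($m.Success) { $policy = $m.Groups[1].Value.ToLower() }
    }

    [pscustomobject]@{
        Domain        = $Domain
        SpfPublished  = $spf.Count -gt 0
        DkimPublished = $dkim.Count -gt 0
        DmarcRecord   = if ($dmarc.Count -gt 0) { $dmarc[0] } else { $null }
        DmarcPolicy   = $policy
        # Only quarantine/reject tell receivers to act; p=none is monitoring-only
        Enforcing     = $policy -in @('quarantine', 'reject')
    }
}

# Usage (placeholder domain):
Test-EmailAuthRecords -Domain 'example.com' | Format-List
```

A domain with `SpfPublished` and `DkimPublished` true but `Enforcing` false has DMARC in monitoring mode only, which delivers aggregate reports to the `rua=` address but does not stop a spoofed invoice or shipping notification from reaching inboxes; moving `p=none` to `p=quarantine` or `p=reject` after reviewing those reports is what makes the control effective against the campaigns described above.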
The Technical Alert was the result of Multi-State Information Sharing & Analysis Center (MS-ISAC) analytic efforts, in coordination with the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC).