For any enterprise with some association with the financial sector, it is important to be familiar with the threat of Emotet. Emotet is a member of the banking Trojan family and is distributed through various techniques and channels via spam campaigns. First reported in 2014, this malware has continued to reappear in different forms and formats at regular intervals. Recently, in July 2018, the United States Computer Emergency Readiness Team (US-CERT), a part of the Department of Homeland Security, released an alert about the malware.
‘Costly and destructive malware’
According to the US-CERT notice, Emotet is, “an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. Emotet continues to be among the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors.”
It goes on to add that “Emotet continues to be among the most costly and destructive malware affecting SLTT governments. Emotet is an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. Additionally, Emotet is a polymorphic banking Trojan that can evade typical signature-based detection. It has several methods for maintaining persistence, including auto-start registry keys and services. It uses modular Dynamic Link Libraries (DLLs) to continuously evolve and update its capabilities. Furthermore, Emotet is Virtual Machine-aware and can generate false indicators if run in a virtual environment.”
When a United States security agency decides to release a detailed alert for a particular type of malware, it is always a cause for concern. Around the time this alert was issued, the Seqrite blog also published a detailed analysis of the Emotet malware and its evolution, which can be read here.
Mode of operation
In a nutshell, this malware spreads through PDF and JS files attached to emails. It has also been observed spreading through MS Office Word documents with macros hidden within them. Phishing emails are sent with suspicious attachments or links which lead to infected files. These files contain malicious macros that create several copies of the malware in the system folders. After collecting details of each running process, the malware starts encrypting data and sends it to malicious servers.
There was a spike in Emotet activity in November 2018 with a similar modus operandi: malicious Word documents and PDFs presented as legitimate financial documents such as invoices, bank statements, alerts, etc.
At this point, it is important that enterprises take proper security precautions to protect themselves against this rampant threat. A few measures they can employ against the Emotet malware campaign are:
- Use cybersecurity solutions which offer proper spam and email protection. Seqrite’s Endpoint Security (EPS) solution offers spam protection which scans endpoint inboxes for spam, phishing attacks and unsolicited mails.
- Employ email protection even at the network level. Seqrite’s Unified Threat Management (UTM) solution offers Gateway Mail Protection which scans incoming/outgoing mail and attachments at the gateway level to block spam and phishing attacks before they enter the network.
- Keep networks and systems updated with the latest patches.
- Create policies regarding suspicious emails so that all employees know the course of action to take on receiving a suspicious mail.
- Create proper awareness about phishing and social engineering by running training programs and ensuring employees are informed about Emotet and other similar malware campaigns.
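As an added example, not part of the original post or of any Seqrite product, the following Python attachment triage turns the delivery vectors described above (macro-bearing Word documents, JS files and PDF lures named like invoices or bank statements) into gateway rules; the file names and file contents it checks are constructed for the demonstration.

```python
import io
import zipfile

# Legacy OLE container magic (old-style .doc): macros are possible but need a
# full OLE parser to confirm, so such files are sent for review rather than allowed.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def has_vba_macro(data: bytes) -> bool:
    """True if an OOXML Word document carries a VBA project (word/vbaProject.bin)."""
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage_attachment(filename: str, data: bytes) -> str:
    """Classify an attachment as 'block', 'review' or 'allow' for a mail gateway rule."""
    lowered = filename.lower()
    # Double extensions such as invoice.pdf.js: the last extension is the real type.
    ext = "." + lowered.rsplit(".", 1)[-1] if "." in lowered else ""
    if ext == ".js":
        return "block"            # script attachments have no place in financial mail
    if ext in {".docm", ".dotm"} or has_vba_macro(data):
        return "block"            # macro-bearing Word document, whatever it is named
    if data.startswith(OLE_MAGIC):
        return "review"           # legacy .doc: macro-capable, needs deeper inspection
    if ext == ".pdf" or data.startswith(b"%PDF"):
        return "review"           # PDFs are used as lures; sandbox or strip active content
    return "allow"


def make_docx(with_macro: bool) -> bytes:
    """Build a minimal constructed OOXML container for testing (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    samples = {  # constructed sample attachments
        "invoice.docx": make_docx(with_macro=False),
        "statement.docx": make_docx(with_macro=True),  # macro hidden behind a .docx name
        "alert.pdf.js": b"var x = 1;",
        "bank_statement.doc": OLE_MAGIC + b"\x00" * 8,
        "invoice.pdf": b"%PDF-1.4\n",
    }
    for name, blob in samples.items():
        print(f"{name:22s} -> {triage_attachment(name, blob)}")
```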
As an IT security partner for your business, Seqrite provides comprehensive security from advanced cyber threats. To know more