Emotet Epidemic: Infections Costing Orgs Up to $1 Million Per Incident
US-CERT alert sounds the alarm on Emotet, one of the most costly and destructive malware strains currently active.
What's happening? On July 20, the United States Computer Emergency Readiness Team (US-CERT) issued an alert highlighting the destructive qualities of Emotet, an extremely active banking trojan that has hit state and local governments particularly hard.
What is Emotet? A banking trojan that has evolved to become primarily a dropper for other banking trojans such as Trickbot, Zeus Panda Banker, IcedID, Qakbot, and others.
How is Emotet delivered? Phishing emails with malicious attachments or links. Warning: Because Emotet hijacks victim email accounts to send out these phishing emails, they may appear to come from someone the recipient knows and trusts.
What makes Emotet so dangerous? Emotet's potent combination of persistence mechanisms and worm-like features results in rapidly spreading, network-wide infections that are difficult to contain and remove. Attacks have cost victims up to $1 million to remediate.
What to do: Prioritize preventing infections in the first place by training employees, implementing DMARC, and investing in advanced endpoint protection (Emotet is polymorphic and can evade traditional antivirus). In addition, put barriers in place to block malware like Emotet from spreading. Restrict inbound SMB communication between client systems and adhere to the principle of least privilege.
Last Friday, July 20, the United States Computer Emergency Readiness Team (US-CERT) issued an alert highlighting the serious threat posed by Emotet — an extremely active banking trojan it describes as "among the most costly and destructive malware" affecting governments as well as the private and public sectors.
We've been following Emotet closely for over a year now, and have watched it evolve into an increasingly prolific and pervasive menace. The criminal group behind Emotet has added and continuously refined a host of self-propagating features designed to spread the malware deep within compromised networks as well as far and wide externally. The success of these features (more details on them below) has drawn attention from other threat actors, and ultimately contributed to Emotet's transition from standalone threat to thriving distribution vehicle for other banking trojans such as Trickbot, Zeus Panda Banker, IcedID, Qakbot, and Dridex.
Emotet accounted for 57% of all banking trojan payloads in Q1 2018.
The move to distributing other malware has corresponded with a boom in Emotet volume. Following a 2,000% increase in Q4 2017 (Symantec), Emotet officially became the #1 banking trojan in terms of sheer volume the following quarter. According to Proofpoint, it accounted for nearly 57% of all banking trojan payloads during the first three months of 2018.
While Emotet distribution continues to gain popularity and become more widespread, organizations find themselves increasingly at risk. As the US-CERT alert points out, the fast-spreading nature of Emotet infections makes them difficult to combat and expensive to recover from. Remediation costs associated with an Emotet attack on the city of Allentown, PA, for example, were estimated to exceed $1 million.
To help you avoid falling victim to this threat, in this post we'll provide details on how Emotet works, what makes it so dangerous, and what you can do to keep your organization safe.
How Emotet is delivered and deployed
Emotet campaigns are initially kicked off via malspam emails. In many cases, these emails tend to be in line with your typical malspam themes (ex: overdue invoice, PayPal receipt, shipping notification, etc.), but there are also examples of them being tailored to take advantage of specific occasions or events (ex: IRS-themed, July Fourth-themed, etc.).
Emotet malicious Word document distributed via link in IRS-themed email. Source: Brad Duncan
As part of its infection process, however, Emotet also hijacks victims' email accounts and uses them to deliver more malspam emails to addresses it finds in the victim's inbox and sent folders. As we'll explain in more detail below, this has been an extremely effective tactic for spreading the trojan, as victims are much more likely to open emails from senders they know and have previously corresponded with.
In addition to linking to malicious Word documents (as shown in the example above), Emotet campaigns regularly attach malicious Word documents directly to emails. In either case, once the document is opened, the user is tricked into enabling macros in order to view it. Doing so launches the macro, which in turn launches PowerShell and downloads the Emotet payload. Because Emotet payloads are polymorphic (each one is a modified mutation of previous samples), traditional antivirus solutions often have trouble detecting them.
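Because each Emotet payload is a fresh mutation, hash-based detection lags behind; the parent/child relationship in the delivery chain (an Office application launching PowerShell) does not change from sample to sample. The following is an added example of that behavioural check, written for this post and not Barkly's code or detection logic. It runs over constructed Sysmon-style process-creation records (the host names, PIDs, paths and command lines are all made up, and the base64 argument is a placeholder), keys parents by (host, PID), and raises the severity when the child's command line carries download-stage fragments.

```python
"""Behavioural detection of the Word-macro-to-PowerShell delivery chain.

Added example, not from the original post: flags a script host (powershell.exe,
cmd.exe, wscript.exe, ...) whose parent is an Office application, regardless of
the payload's hash. The events below are constructed Sysmon-style records.
"""
from dataclasses import dataclass

# Parent images that should almost never launch a script interpreter.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Child images worth alerting on when spawned by an Office application.
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Command-line fragments that raise severity because they suggest a download stage.
DOWNLOAD_HINTS = ("webclient", "downloadfile", "downloadstring",
                  "invoke-webrequest", "-encodedcommand", "-enc")


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (fields modelled on Sysmon event ID 1)."""
    host: str
    pid: int
    ppid: int
    image: str
    cmdline: str


def image_name(path: str) -> str:
    """Lower-cased file name of an image path, tolerant of either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect_office_spawn(events: list[ProcEvent]) -> list[dict]:
    """Return one alert per script host whose parent is an Office application.

    Parents are resolved per (host, pid) because PIDs are reused across hosts
    and over time; a production version would also key on process start time.
    """
    by_key = {(e.host, e.pid): e for e in events}
    alerts = []
    for child in events:
        parent = by_key.get((child.host, child.ppid))
        if parent is None:
            continue  # parent not in the batch (already exited or not logged)
        if image_name(parent.image) not in OFFICE_APPS:
            continue
        if image_name(child.image) not in SCRIPT_HOSTS:
            continue
        lowered = child.cmdline.lower()
        indicators = [h for h in DOWNLOAD_HINTS if h in lowered]
        alerts.append({
            "host": child.host,
            "parent": image_name(parent.image),
            "parent_cmdline": parent.cmdline,
            "child_pid": child.pid,
            "child": image_name(child.image),
            "indicators": indicators,
            # Office -> script host alone is suspicious; download hints make it high.
            "severity": "high" if indicators else "medium",
        })
    return alerts


# Constructed sample batch: one user opens a macro document, one admin opens a
# PowerShell console from Explorer. Only the children of WINWORD.EXE should fire.
SAMPLE_EVENTS = [
    ProcEvent("WS-FIN-03", 1000, 600, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent("WS-FIN-03", 2000, 1000,
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r'"WINWORD.EXE" /n "C:\Users\alice\Downloads\Invoice_20180720.doc"'),
    ProcEvent("WS-FIN-03", 2100, 2000,
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -enc PLACEHOLDER_BASE64"),  # constructed placeholder
    ProcEvent("WS-FIN-03", 2200, 2000, r"C:\Windows\System32\cmd.exe", "cmd.exe /c set"),
    ProcEvent("WS-FIN-03", 3100, 1000,
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe"),  # admin console launched from Explorer: benign
]

if __name__ == "__main__":
    for alert in detect_office_spawn(SAMPLE_EVENTS):
        print(alert["severity"], alert["host"], alert["parent"], "->",
              alert["child"], alert["indicators"])
```

Run against the constructed batch, the rule fires twice (high for the encoded PowerShell launch, medium for the cmd.exe child) and stays quiet for the administrator's console, because that one descends from Explorer rather than Word.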
Barkly provides defense in depth against Emotet by blocking infections at multiple points, including at the earliest possible opportunity — before the Emotet payload can even be downloaded.
Once Emotet has been retrieved, it begins deploying itself with two primary goals in mind: achieving persistence and spreading to more machines. This aggressive combination is what makes Emotet infections so damaging and painful to remediate.
Goal #1: Achieving persistence
Creates scheduled tasks and registry key entries
Injects code into explorer.exe and other running processes
Typically stores artifacts in arbitrary paths under the AppData\Local and AppData\Roaming directories and disguises them with names mimicking legitimate executables (ex: flashplayer.exe)
Creates randomly-named files in system root directories (ex: C:\Windows\SysWOW64\f9jwqSbS.exe) that are run as Windows services (these services attempt to propagate via accessible admin shares)
When Emotet lands on a machine it immediately takes steps to ensure it can outlive a reboot and/or various attempts to remove it. In addition to creating shortcuts in the startup folder that point to itself, the trojan creates scheduled tasks and registry key entries to ensure its payload processes get spawned at regular intervals. In one case Barkly investigated, infected machines were spawning new payload processes every 15 minutes.
This poses significant problems for IT or incident response teams charged with remediation — all it takes is one missed artifact to undo previous clean-up efforts. Making things more difficult, the scheduled tasks and files associated with Emotet are all either named randomly or after legitimate files and processes, meaning each infected machine will pose its own unique detection challenge.
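Since the artifacts are randomly named or borrow legitimate names, a remediation checklist of fixed file names does not work; what does work is scoring each persistence entry on the properties described above. The following is an added example, not Barkly's code or tooling: it takes an inventory of scheduled tasks, Run-key values and services (a constructed list, with the random name taken from the SysWOW64 example above) and reports entries whose name looks machine-generated, whose image borrows a well-known binary name but runs outside C:\Windows, or whose task repeats every hour or less. The watchlist of mimicked names and the thresholds are assumptions chosen for the example.

```python
"""Persistence-artifact hunt for the patterns described above.

Added example, not the original post's code: scores scheduled tasks, Run-key
values and services for (a) randomly generated names, (b) a well-known binary
name running from a user-writable location, and (c) a task repeating every hour
or less. All artifacts below are constructed; the watchlist is an assumption.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Names malware commonly borrows; legitimate copies live under C:\Windows (assumed list).
MIMICKED_NAMES = {"flashplayer", "svchost", "lsass", "csrss", "explorer"}
SHORT_INTERVAL_MINUTES = 60
DURATION_RE = re.compile(
    r"^P(?:(\d+)W)?(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


@dataclass(frozen=True)
class Artifact:
    kind: str                        # "task", "runkey" or "service"
    name: str                        # task path, value name or service name
    image: str                       # executable the artifact launches
    interval: Optional[str] = None   # ISO-8601 repetition for tasks, e.g. "PT15M"


def stem_of(path: str) -> str:
    """Final path component without extension: 'C:\\x\\f9jwqSbS.exe' -> 'f9jwqSbS'."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[0] if "." in name else name


def looks_random(stem: str) -> bool:
    """Heuristic for generated names: digits mixed with letters, mid-word upper
    case, and almost no vowels. Two of the three signals is enough to flag."""
    if len(stem) < 6:
        return False
    score = 0
    if any(c.isdigit() for c in stem) and any(c.isalpha() for c in stem):
        score += 1
    if any(c.isupper() for c in stem[1:]) and any(c.islower() for c in stem):
        score += 1
    letters = [c for c in stem.lower() if c.isalpha()]
    vowels = sum(c in "aeiou" for c in letters)
    if letters and vowels / len(letters) < 0.2:
        score += 1
    return score >= 2


def interval_minutes(duration: Optional[str]) -> Optional[float]:
    """Convert an ISO-8601 duration such as 'PT15M' or 'P1D' to minutes."""
    if not duration:
        return None
    m = DURATION_RE.match(duration)
    if not m:
        return None
    w, d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return ((w * 7 + d) * 24 + h) * 60 + mi + s / 60


def hunt(artifacts: list[Artifact]) -> list[dict]:
    """Return artifacts with at least one reason to look closer."""
    findings = []
    for a in artifacts:
        reasons = []
        name_stem, image_stem = stem_of(a.name), stem_of(a.image)
        if looks_random(name_stem) or looks_random(image_stem):
            reasons.append("random_name")
        in_windows = a.image.lower().startswith("c:\\windows\\")
        if image_stem.lower() in MIMICKED_NAMES and not in_windows:
            reasons.append("known_name_outside_system_dir")
        mins = interval_minutes(a.interval)
        if mins is not None and mins <= SHORT_INTERVAL_MINUTES:
            reasons.append("short_interval")
        if reasons:
            findings.append({"kind": a.kind, "name": a.name,
                             "image": a.image, "reasons": reasons})
    return findings


# Constructed inventory: two benign system entries, one legitimate AppData app
# (OneDrive) that must not fire, and two entries shaped like the artifacts above.
SAMPLE_ARTIFACTS = [
    Artifact("task", r"\Microsoft\Windows\Defrag\ScheduledDefrag",
             r"C:\Windows\System32\defrag.exe", "P1W"),
    Artifact("runkey", "OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
    Artifact("service", "Spooler", r"C:\Windows\System32\spoolsv.exe"),
    Artifact("task", r"\f9jwqSbS", r"C:\Users\alice\AppData\Local\flashplayer\flashplayer.exe", "PT15M"),
    Artifact("service", "f9jwqSbS", r"C:\Windows\SysWOW64\f9jwqSbS.exe"),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_ARTIFACTS):
        print(f["kind"], f["name"], f["image"], ",".join(f["reasons"]))
```

The OneDrive entry is the point of the design: "runs from AppData" on its own is far too noisy to act on, so the hunt only reports an AppData image when it also carries a borrowed name, a generated name, or an aggressive repeat interval. The 15-minute task and the SysWOW64 service are the two entries that come back.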
Goal #2: Self-propagation
As the US-CERT alert explains, the latest version of Emotet uses five different modules designed to help it capture credentials and use them to spread throughout compromised local networks (and beyond).
NetPass.exe: A legitimate utility that recovers all network passwords stored on the system for the currently logged-on user. It can also recover passwords stored in the credentials files of external drives.
Outlook PST scraper: Collects names and email addresses from the victim's Outlook account and uses them to send out more malspam from the victim's now-compromised account.
WebBrowserPassView: Password recovery tool that captures passwords stored by Chrome, Internet Explorer, Firefox, Safari, and Opera.
Mail PassView: Reveals passwords and account details for popular email clients such as Outlook, Windows Mail, Gmail, Thunderbird, Hotmail, and Yahoo Mail.
Credential enumerator: Self-extracting RAR file with two components. The first is a bypass component that enumerates network resources and attempts to gain access to additional machines by a) finding writable share drives using Server Message Block (SMB); or b) brute-forcing connections (in part using credentials gathered by tools listed above). The second is a service component that writes Emotet onto disk once any additional systems have been accessed.
These self-propagating capabilities mean one errant click from a user can result in the infection of entire domains. For organizations dealing with an active Emotet infection, they also mean it's crucial not to use privileged accounts to log in to compromised systems during remediation. Doing so risks accelerating the spread of the infection.
In addition to stealing credentials and other sensitive information, Emotet infections can wreak havoc on network infrastructure and trigger a wide variety of disruption, including account lockouts.
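The brute-forcing described above leaves a distinctive trace in domain controller and workstation logs: a single source host failing network logons against many different accounts in a short span, often followed by the lockouts the text mentions. The following is an added example, not part of the original post, of that correlation written against constructed Windows Security events (failed logon 4625 with logon type 3, and lockout 4740); the workstation names, account names and thresholds are all assumptions made for the example.

```python
"""Spotting Emotet-style credential brute-forcing from Windows logon events.

Added example, not from the original post: groups failed network logons
(event 4625, logon type 3) by source workstation, looks for many distinct target
accounts within a short window, and attaches any lockouts (event 4740) the same
workstation caused. All events are constructed; thresholds are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

WINDOW = timedelta(minutes=5)
MIN_DISTINCT_ACCOUNTS = 5   # one host failing against this many accounts in WINDOW
MIN_FAILURES = 10           # or this many failures in WINDOW


@dataclass(frozen=True)
class LogonEvent:
    ts: datetime
    event_id: int                      # 4625 = failed logon, 4740 = account locked out
    account: str                       # target account name
    source_host: str                   # workstation name / caller computer name
    logon_type: Optional[int] = None   # 3 = network (SMB, admin shares)


def detect_lateral_bruteforce(events: list[LogonEvent]) -> list[dict]:
    """Return one finding per source host whose failed network logons exceed the thresholds."""
    failures: dict[str, list[LogonEvent]] = {}
    lockouts: dict[str, list[str]] = {}
    for e in events:
        if e.event_id == 4625 and e.logon_type == 3:
            failures.setdefault(e.source_host, []).append(e)
        elif e.event_id == 4740:
            lockouts.setdefault(e.source_host, []).append(e.account)

    findings = []
    for host, evs in failures.items():
        evs.sort(key=lambda e: e.ts)
        best_accounts, best_count = 0, 0
        # Sliding window anchored at each failure; n per host is small, so O(n^2) is fine.
        for i, start in enumerate(evs):
            window = [x for x in evs[i:] if x.ts - start.ts <= WINDOW]
            best_count = max(best_count, len(window))
            best_accounts = max(best_accounts, len({x.account for x in window}))
        if best_accounts >= MIN_DISTINCT_ACCOUNTS or best_count >= MIN_FAILURES:
            findings.append({
                "source_host": host,
                "failures_in_window": best_count,
                "distinct_accounts": best_accounts,
                "locked_accounts": sorted(set(lockouts.get(host, []))),
                "first_seen": evs[0].ts,
            })
    return findings


def constructed_events() -> list[LogonEvent]:
    """Constructed sample: WS-ACCT-07 tries 12 accounts in 3 minutes and locks one
    out; WS-HR-02 is a user mistyping their own password twice and must not fire."""
    base = datetime(2018, 7, 23, 9, 0, 0)
    targets = ["jdoe"] + [f"svc-{n:02d}" for n in range(11)]
    events = [LogonEvent(base + timedelta(seconds=15 * i), 4625, acct, "WS-ACCT-07", 3)
              for i, acct in enumerate(targets)]
    events.append(LogonEvent(base + timedelta(minutes=3), 4740, "jdoe", "WS-ACCT-07"))
    events.append(LogonEvent(base + timedelta(minutes=1), 4625, "mlee", "WS-HR-02", 3))
    events.append(LogonEvent(base + timedelta(minutes=2), 4625, "mlee", "WS-HR-02", 3))
    return events


if __name__ == "__main__":
    for f in detect_lateral_bruteforce(constructed_events()):
        print(f["source_host"], f["distinct_accounts"], "accounts,",
              f["failures_in_window"], "failures; locked:", f["locked_accounts"])
```

Two thresholds are kept deliberately: the distinct-account count catches a host walking through harvested credentials one account at a time, while the raw failure count catches repeated guesses against a single administrative account. Either condition is enough to start an investigation of the source workstation, which is the machine that needs isolating before it reaches further admin shares.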
Remediation efforts have cost up to $1 million per incident
In March, the city of Allentown, PA was hit with an Emotet infection that ran rampant through its network, forcing the closure of several public safety operations, putting a freeze on some of the city's financial transactions, and resulting in loss of access to certain law enforcement databases.
The city hired a team from Microsoft for an initial $185,000 emergency response fee, and estimated mitigation and recovery efforts would cost an additional $800,000 to $900,000 before systems could be completely cleaned and restored.
Turns victims into spammers
Because Emotet hijacks victim email accounts to send out more spam emails, infections also put pressure on compromised organizations to temporarily lock down accounts or even take email offline. Otherwise, employees can suddenly find themselves having to explain to contacts and clients why they sent them a barrage of malware-laden spam.
As if one trojan wasn't enough to worry about, Emotet has increasingly functioned as a dropper for other banking trojans, including Qakbot, IcedID, and, more recently, Zeus Panda Banker and TrickBot.
Each of these banking trojans has capabilities similar to Emotet's, raising the risk of multiple infections gaining persistence, attempting to spread, and triggering collateral damage like account lockouts.
Protecting your organization from Emotet
US-CERT offers several best practice recommendations to help organizations reduce their risk of Emotet infections and limit their effects, including the following:
Barkly blocks Emotet as well as the techniques it relies on to gain and maintain access in the first place (using malicious Word documents, spawning new malicious processes, etc.). That means Barkly customers can rest assured not only does Barkly protect them from Emotet payloads, it also prevents the payloads from even landing on their machines to begin with.