
Emotet Malware – One of the Most Destructive Malware Right Now

Emotet continues to be among the most costly and destructive malware affecting SLTT governments. Its worm-like features result in rapidly spreading network-wide infections, which are difficult to combat. Emotet infections have cost SLTT governments up to $1 million per incident to remediate.



Emotet is an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. Additionally, Emotet is a polymorphic banking Trojan that can evade typical signature-based detection. It has several methods for maintaining persistence, including auto-start registry keys and services. It uses modular Dynamic Link Libraries (DLLs) to continuously evolve and update its capabilities. Furthermore, Emotet is Virtual Machine-aware and can generate false indicators if run in a virtual environment.


Emotet is disseminated through malspam (emails containing malicious attachments or links) that uses branding familiar to the recipient; it has even been spread using the MS-ISAC name. As of July 2018, the most recent campaigns imitate PayPal receipts, shipping notifications, or “past-due” invoices purportedly from MS-ISAC. Initial infection occurs when a user opens or clicks the malicious download link, PDF, or macro-enabled Microsoft Word document included in the malspam. Once downloaded, Emotet establishes persistence and attempts to propagate across the local network through incorporated spreader modules.




Figure 1: Malicious electronic mail distributing Emotet

Currently, Emotet uses five known spreader modules: NetPass.exe, WebBrowserPassView, Mail PassView, Outlook scraper, and a credential enumerator.



  1. NetPass.exe is a legitimate utility developed by NirSoft that recovers all network passwords stored on a system for the currently logged-on user. This tool can also recover passwords stored in the credentials file of external drives.

  2. Outlook scraper is a tool that scrapes names and email addresses from the victim’s Outlook accounts and uses that information to send out additional phishing emails from the compromised accounts.

  3. WebBrowserPassView is a password recovery tool that captures passwords stored by Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera and passes them to the credential enumerator module.

  4. Mail PassView is a password recovery tool that reveals passwords and account details for various email clients such as Microsoft Outlook, Windows Mail, Mozilla Thunderbird, Hotmail, Yahoo! Mail, and Gmail and passes them to the credential enumerator module.

  5. Credential enumerator is a self-extracting RAR file containing two components: a bypass component and a service component. The bypass component is used for the enumeration of network resources and either finds writable share drives using Server Message Block (SMB) or tries to brute force user accounts, including the administrator account. Once an available system is found, Emotet writes the service component on the system, which writes Emotet onto the disk. Emotet’s access to SMB can result in the infection of entire domains (servers and clients).



Figure 2: Emotet infection process

To maintain persistence, Emotet injects code into explorer.exe and other running processes. It can also collect sensitive information, including system name, location, and operating system version, and connects to a remote command and control server (C2), usually through a generated 16-letter domain name that ends in “.eu.” Once Emotet establishes a connection with the C2, it reports a new infection, receives configuration data, downloads and runs files, receives instructions, and uploads data to the C2 server.


Emotet artifacts are typically found in arbitrary paths located off of the AppData\Local and AppData\Roaming directories. The artifacts usually mimic the names of known executables. Persistence is typically maintained through Scheduled Tasks or via registry keys. Additionally, Emotet creates randomly-named files in the system root directories that are run as Windows services. When executed, these services attempt to propagate the malware to adjacent systems via accessible administrative shares.


Note: it is essential that privileged accounts are not used to log in to compromised systems during remediation, as this may accelerate the spread of the malware.


Example Filenames and Paths:



  • C:\Users\<username>\AppData\Local\Microsoft\Windows\shedaudio.exe

  • C:\Users\<username>\AppData\Roaming\Macromedia\Flash Player\macromedia\bin\flashplayer.exe


Typical Registry Keys:



  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run


System Root Directories:



  • C:\Windows\11987416.exe

  • C:\Windows\System32\46615275.exe

  • C:\Windows\System32\shedaudio.exe

  • C:\Windows\SysWOW64\f9jwqSbS.exe
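As an added example (not part of the original alert), a small Python triage helper that applies the persistence and C2 indicators described above to constructed telemetry: Run-key entries whose binary sits under AppData\Local or AppData\Roaming, services in the system root directories with numeric or random-looking image names, and DNS queries for 16-letter .eu domains. The paths follow the examples listed above; hostnames, value names and timestamps in the sample data are made up.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample telemetry: the paths mirror the alert's examples; hostnames,
# value names and timestamps are made up for the demo.
AUTORUNS = [  # (registry key, value name, image path)
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "shedaudio",
     r"C:\Users\alice\AppData\Local\Microsoft\Windows\shedaudio.exe"),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"C:\Windows\System32\SecurityHealthSystray.exe"),
    (r"HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run", "flashplayer",
     r"C:\Users\alice\AppData\Roaming\Macromedia\Flash Player\macromedia\bin\flashplayer.exe"),
]
SERVICES = [  # (service name, image path)
    ("Spooler", r"C:\Windows\System32\spoolsv.exe"),
    ("f9jwqSbS", r"C:\Windows\SysWOW64\f9jwqSbS.exe"),
    ("46615275", r"C:\Windows\System32\46615275.exe"),
]
DNS_LOG = [  # resolver log lines: timestamp host query name type
    "2018-07-20T10:01:02Z WS01 query abcdefghijklmnop.eu A",
    "2018-07-20T10:01:05Z WS01 query www.example.eu A",
    "2018-07-20T10:01:09Z WS02 query qwertyuiopasdfgh.eu A",
]

APPDATA_RE = re.compile(r"\\AppData\\(Local|Roaming)\\", re.IGNORECASE)
SYSTEM_DIRS = {"c:\\windows", "c:\\windows\\system32", "c:\\windows\\syswow64"}
# all digits, or an 8-character alphanumeric string mixing letters and digits
RANDOM_STEM_RE = re.compile(r"^(\d+|(?=.*\d)(?=.*[a-z])[a-z0-9]{8})$", re.IGNORECASE)
C2_DOMAIN_RE = re.compile(r"\b[a-z]{16}\.eu\b")

def suspicious_autoruns(entries):
    """Run-key entries whose binary lives under AppData\\Local or AppData\\Roaming.
    Emotet copies legitimate file names there, so the path is the signal; some
    legitimate software autoruns from AppData too, so hits are review candidates."""
    return [e for e in entries if APPDATA_RE.search(e[2])]

def suspicious_services(services):
    """Services in the system root directories whose image name is all digits or
    random-looking (46615275.exe, f9jwqSbS.exe). Names that mimic a real binary,
    like shedaudio.exe, need a baseline of known services instead."""
    hits = []
    for name, path in services:
        p = PureWindowsPath(path)
        if str(p.parent).lower() in SYSTEM_DIRS and RANDOM_STEM_RE.match(p.stem):
            hits.append((name, path))
    return hits

def emotet_style_domains(log_lines):
    """Queries for 16-letter .eu domains, the generated C2 naming the alert describes."""
    return sorted({m.group(0) for line in log_lines for m in C2_DOMAIN_RE.finditer(line)})
```

Feed real autorun, service and resolver exports into the three functions in place of the constructed lists; every hit is a lead to verify against a known-good baseline, not a verdict.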

