The threat actors operating the Emotet malware broke its nearly four-month hiatus by launching a spate of malicious spam emails targeting German-, Italian-, Polish-, and English-speaking users.
This wave of Emotet-related spam emails and its related malicious components are proactively blocked by Trend Micro’s machine learning detection capabilities built into Trend Micro solutions. Emotet-related documents embedded with malicious macro are detected as Downloader.VBA.TRX.XXVBAF01FF005 and the loaders as Troj.Win32.TRX.XXPE50FFF031. Samples of Emotet are detected as TrojanSpy.Win32.EMOTET.SMCRS. Heuristic and sandbox detections via the Trend Micro™ Deep Discovery™ solution are HEUR_VBA.O2 and VAN_WORM.UMXX, respectively. Trend Micro’s behavior monitoring technology effectively blocks malicious PowerShell scripts embedded in the macros and prevents Emotet from being executed.
Here’s an overview of this threat and what organizations and users can do to defend against it.
[Trend Micro Research: Prevalence of Emotet in the North American Region]
It’s unclear why Emotet’s operators shut down their operations, although botnets going dark aren’t new. For example, Dridex and Ramnit’s operators are known to slow down their activities during holidays, especially during December and January. Other hacking groups use the hiatus to update their infrastructures, like their command-and-control (C&C) servers.
Researchers have noticed that Emotet’s C&C servers resumed their activities as early as late August, but they were not sending spam emails at the time. Security researcher Raashid Bhat saw Emotet's infrastructures starting to send out spam emails on September 16.
[Technical Analysis: Emotet’s Evasion Techniques]
No, they are different threats. Trickbot, however, is known to be one of Emotet’s many payloads, so their campaigns could overlap. In fact, a malware campaign that targeted companies in the U.S. and Europe last April used a combination of Emotet, Trickbot, and Ryuk to steal credentials and then encrypt files in the affected system.
Like Trickbot, Emotet started off as a banking trojan before transitioning into a modular downloader trojan and botnet malware that it is now known for.
[READ: Emotet’s Modular and Multilayered Operating Mechanisms]
The spam emails contain malicious URLs and are attached with Microsoft Word documents embedded with macro that, when enabled, invokes and launches a PowerShell script that accordingly downloads the Emotet malware from compromised websites. These sites, according to Malwarebytes, were mostly running on the WordPress content management system (CMS). Alternatively, some documents use downloader scripts to retrieve the Emotet malware.
[Trend Micro Midyear Security Roundup: How Messaging- and Spam-Related Threats are Diversifying]
Emotet steals the passwords of applications installed in the infected system, and sends spam emails to its list of contacts. It will also move laterally to infect other systems connected to the network. Perhaps the more significant risk is Emotet’s capability — as a downloader trojan — to execute other payloads.
The malware’s operators are also known for spoofing and hijacking existing or ongoing email threads, embedding malicious URLs or Emotet-laden attachments.
[InfoSec Guide: Mitigating Email Threats]
Emotet also adds the infected system into a botnet, comprising other zombified machines that are then used to distribute more spam emails. Emotet’s operators are also known for selling their botnet as a service and partnering with other cybercriminals and threat actors, enabling the malware to deploy payloads — from ransomware families like Ryuk, Nozelesn, and BitPaymer and information stealers like Ursnif and Dridex, to name a few.
In terms of financial impact, the Cybersecurity and Infrastructure Security Agency (CISA) reported in 2018 that an Emotet-related incident can cost up to US$1 million to remediate.
[Security 101: Fileless Threats that Abuse PowerShell]
Here are some of the best practices businesses and users can adopt to protect against Emotet and other threats that may come with it:
Trend Micro endpoint solutions such as the Smart Protection Suites and Worry-Free Business Security solutions, which have behavior monitoring capabilities, can protect users and businesses from threats like Emotet by detecting malicious files, scripts, and messages as well as blocking all related malicious URLs. Trend Micro Apex One™ protection employs a variety of threat detection capabilities, notably behavioral analysis, which protect against malicious scripts, injection, ransomware, memory and browser attacks.
The Trend Micro™ Deep Discovery™ solution has a layer for email inspection that can protect enterprises by detecting malicious attachments and URLs. It can detect remote scripts even if they are not being downloaded on the physical endpoints. The Trend Micro™ Deep Discovery Inspector solution protects customers from Emotet via this DDI rule:
Updated as of September 18, 2019, 6:45 p.m. PDT to include additional Trend Micro detection/solution.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.