
Emotet Malware Alert Sounded by US Cybersecurity Agency

Must-Have Defenses Include Detecting Infections and Lateral Movement, CISA Says

The U.S. Cybersecurity and Infrastructure Security Agency on Wednesday warned that it's seen a surge in targeted attacks using a sophisticated strain of malware called Emotet.


"Heads up! We're tracking a spike in Emotet and re-upping defensive guidance," Chris Krebs, CISA's director, said on Wednesday.

While Emotet started life as a banking Trojan, over the past five years, developers have added additional functionality, including making the malware a dropper - aka downloader - so that it can be used to install additional malicious code on endpoints it's infected, as well as giving it the ability to scrape victims' PCs for contact information. In addition, other attackers have increasingly rented Emotet botnets to install other malware, including Trickbot and various strains of ransomware.

Now, CISA says it's seeing a fresh surge in attacks.

"The Cybersecurity and Infrastructure Security Agency is aware of a recent increase in targeted Emotet malware attacks," its Emotet alert reads. "Emotet is a sophisticated Trojan that commonly functions as a downloader or dropper of other malware. Emotet primarily spreads via malicious email attachments and attempts to proliferate within a network by brute-forcing user credentials and writing to shared drives. If successful, an attacker could use an Emotet infection to obtain sensitive information. Such an attack could result in proprietary information and financial loss as well as disruption to operations and harm to reputation."

Heads up! We're tracking a spike in #Emotet and re-upping defensive guidance. https://t.co/1j4D3rdms3 — Chris Krebs (@CISAKrebs) January 23, 2020

CISA's alert points to the U.S. Department of Homeland Security's Emotet guidance issued in July 2018, which describes additional risks posed by the malware.

"Emotet continues to be among the most costly and destructive malware affecting state, local, tribal, and territorial governments, and the private and public sectors," CISA says. "Its worm-like features result in rapidly spreading network-wide infections, which are difficult to combat. Emotet infections have cost SLTT governments up to $1 million per incident to remediate."

Emotet infection process (Source: CISA)

Emotet now has many tricks up its sleeve. For example, one Emotet module gives attackers the ability to grab the first 8 KB of every email in a victim's email inbox and send it back to the botnet's command-and-control server, according to security firm Secureworks.

Attackers then use the stolen data to craft socially engineered spam. "Emotet's reuse of stolen email content is extremely effective," according to security firm Cisco Talos. "Once they have swiped a victim's email, Emotet constructs new attack messages in reply to some of that victim's unread email messages, quoting the bodies of real messages in the threads."

8 Essential Defenses

As a first step for guarding against Emotet, CISA recommends all organizations put in place these defenses:

Secure: Use anti-virus software and have a formal patch management program in place;
Block: Block email attachments commonly associated with malware (such as .dll and .exe files) and any attachments that cannot be scanned by anti-virus software (such as .zip files);
Manage: Implement Active Directory Group Policy Object and firewall rules;
Filter: Implement filters at the email gateway, and block suspicious IP addresses at the firewall;
Restrict: "Adhere to the principle of least privilege," CISA says, adding that "it is essential that privileged accounts are not used to log in to compromised systems during remediation as this may accelerate the spread of the malware";
Authenticate: Implement DMARC, an email validation system designed to protect organizations from spoofing;
Segment: Segment and segregate networks and functions;
Restrict: Block unnecessary, lateral communications in networks.
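As an added illustration of the "Block" and "Filter" items above (this is example code written for this article, not CISA's guidance or any vendor's product), the Python below applies an attachment policy of the kind a mail gateway would enforce: it walks a raw RFC 822 message, flags attachments with the executable extensions CISA names (.dll, .exe) and archives the gateway anti-virus cannot open (.zip, matched by either filename or content type), and returns a block/allow verdict with the reasons. It goes slightly beyond the list by also flagging macro-enabled Office extensions (.docm, .xlsm), since the article later notes Emotet's shift to macro-laden Office documents; that extension set, the sample message and the `build_sample` helper are assumptions made for the example.

```python
"""Gateway-style attachment policy check, modelled on CISA's Emotet defenses.

Example code for illustration; the extension sets, sample message and helper
names are assumptions made here, not part of CISA's guidance.
"""
from email import message_from_bytes, policy
from email.message import EmailMessage
from typing import List, Optional, Tuple

# Extensions CISA names as commonly associated with malware.
EXECUTABLE_EXTENSIONS = (".exe", ".dll")
# Archives a gateway anti-virus engine cannot open and scan (CISA names .zip).
UNSCANNABLE_EXTENSIONS = (".zip",)
# Assumption for this example: macro-enabled Office formats, which Emotet spam
# later adopted as its delivery vehicle. Matching is by extension only.
MACRO_EXTENSIONS = (".docm", ".xlsm")
# Content types that identify an archive regardless of the filename it carries.
ARCHIVE_CONTENT_TYPES = {"application/zip", "application/x-zip-compressed"}


def classify_part(part) -> Optional[str]:
    """Return a block reason for one attachment part, or None if it is allowed.

    The suffix check naturally catches double extensions such as invoice.pdf.exe.
    """
    filename = (part.get_filename() or "").lower()
    ctype = part.get_content_type()
    for ext in EXECUTABLE_EXTENSIONS:
        if filename.endswith(ext):
            return f"executable attachment ({ext})"
    for ext in UNSCANNABLE_EXTENSIONS:
        if filename.endswith(ext):
            return f"unscannable archive ({ext})"
    if ctype in ARCHIVE_CONTENT_TYPES:
        return f"unscannable archive (content-type {ctype})"
    for ext in MACRO_EXTENSIONS:
        if filename.endswith(ext):
            return f"macro-enabled document ({ext})"
    return None


def evaluate_message(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Parse a raw message and return ('block'|'allow', [(filename, reason), ...])."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings: List[Tuple[str, str]] = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        # Treat anything with a filename or an attachment disposition as an attachment.
        if part.get_content_disposition() != "attachment" and not part.get_filename():
            continue
        reason = classify_part(part)
        if reason:
            findings.append((part.get_filename() or "<unnamed>", reason))
    return ("block" if findings else "allow"), findings


def build_sample(attachments: List[Tuple[str, str, str, bytes]]) -> bytes:
    """Construct a sample message (constructed test data, not a captured email)."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "user@example.net"
    msg["Subject"] = "Re: Invoice"
    msg.set_content("Please see attached.")
    for filename, maintype, subtype, data in attachments:
        msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    raw = build_sample([
        ("invoice.zip", "application", "zip", b"PK\x03\x04"),
        ("report.pdf", "application", "pdf", b"%PDF-1.4"),
        ("setup.pdf.exe", "application", "octet-stream", b"MZ"),
    ])
    verdict, findings = evaluate_message(raw)
    print(verdict)
    for name, reason in findings:
        print(f"  {name}: {reason}")
```

A production gateway would pair this with actual anti-virus scanning of the parts it can open and with the DMARC check from the "Authenticate" item; the policy here is the coarse pre-filter that stops the attachment types CISA says should never reach a mailbox.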

Emotet: Infecting Systems Since 2014

Researchers say Emotet, first seen in the wild more than five years ago, continues to be primarily spread via spam. In its early days, this involved malicious JavaScript attachments, before attackers later switched to using Office documents with malicious macros to get the malware onto victims' systems.

"The Emotet banking Trojan was first identified by security researchers in 2014," according to security firm Malwarebytes. "Emotet was originally designed as a banking malware that attempted to sneak onto your computer and steal sensitive and private information. Later versions of the software saw the addition of spamming and malware delivery services - including other banking Trojans," such as Trickbot.

For at least the first half of 2019, Emotet was the most-seen type of nontargeted malware in the wild, followed by Trickbot (see: Malware Most Foul: Emotet, Trickbot, Cryptocurrency Miners).

More recently, other attackers have been renting Emotet's botnets to not just infect systems with Trickbot, but also crypto-locking malware such as Bitpaymer and Ryuk (see: Ransomware 2.0: Cybercrime Gangs Apply APT-Style Tactics).

Expert: Trace Back Emotet Outbreaks

British security expert Kevin Beaumont says any organization that suffers an Emotet infection should not just remediate it, but attempt to follow it back to its source.

"Both Emotet and Trickbot have huge reach inside western organizations with ongoing infected PCs inside firewall boundaries," Beaumont tweeted earlier this month.

"Something organizations need to do - and this is easier said than done - is investigate why malware got to PCs rather than just let AV remediate," he says. "If you're seeing Emotet reach PCs and later get cleaned - or you're not sure when they got infected - something is wrong."

Security experts say that being able to block malware such as Emotet will protect an organization not just against banking Trojans, but also many of the top attack tactics being practiced by both today's more advanced cybercrime gangs as well as nation-state attackers.

"If you want a playbook for how to defend your network against infection and lateral movement by a sophisticated attacker, detect and defend against Emotet," Microsoft's Jessica Payne, a security researcher who works with its Windows Defender team, says via Twitter. "The mitigation and investigation techniques line up across multiple adversary sets and have remarkable return on investment."

If you want a playbook for how to defend your network against infection and lateral movement by a sophisticated attacker, detect and defend against Emotet. The mitigation and investigation techniques line up across multiple adversary sets and have remarkable Return on Investment. — Jessica Payne (@jepayneMSFT) January 2, 2019

Krebs: Act Now

Pointing to Payne's post, CISA's Krebs notes that creating a proper defense against Emotet offers a payoff that "is much bigger than one malware campaign."

Krebs says these types of defenses are especially important to have in place as tensions with Iran continue and U.S. organizations face an increased risk of getting hit by Iranian hackers potentially wielding wiper malware (see: Analysis: Threat Posed by Pro-Iranian Hackers).

"Post-Iran flare-up, this is a smart investment of time, effort and money," he says. "Take advantage of heightened awareness of executives to get the punch list closed out."