Emotet malware was first identified in 2014 as Banking trojan. Emotet has evolved from banking trojan to threat distributor till now. It has hit many organizations very badly in 2018 with its functionalities like spamming and spreading. Further with its widespread rich/existence at many organizations, it became threat distributor. Since mid of 2018, Emotet is used by threat actors to spread other malwares like TrickBot, Qakbot and most dangerous Ryuk ransomware. It has also been observed that it loads modules and launches different malware depending on geographical location i.e. Country of Victim.
Malware authors strategy is to use infected systems for all means like firstly for credential stealing, further use these credentials for spreading and spamming. Finally, when all use of this infected system is done, it deploys other malwares like Ransomware, TrickBot, Qakbot.
From mid of 2018, Emotet has become headache for security providers because of its polymorphic, self-updating and spreading capabilities which makes cleaning of such infected network very complex and sometimes takes months for cleaning.
How it can enter into your system?
It enters into your system by phishing mail as shown in below fig:
Such emails contain malicious attachments like doc, pdf, xls, js, etc. Once user opens such attachment, it will download and launch Emotet. Sometimes such mail may contain malicious links, when opened by users, it downloads and launches Emotet. Other way is through lateral spreading i.e. if one of your friend or colleagues in the same network is infected with Emotet, then your friends’ machine can deploy Emotet on your machine.
What Emotet can do?
It has many capabilities like password stealing, Email Harvesting, spamming, lateral spreading, launching other malwares. All of these are discussed in detail in our research paper on EMOTET.
Impact:
According to US-CERT alert released on July 20, 2018, “Emotet continues to be amongst the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors. Emotet infections have cost SLTT governments up to $1 million per incident to remediate.”
At Quick-Heal labs, we have seen many of our customers are badly affected because of spamming done by emotet. As malware sends many phishing mails to user’s contacts, mail server reaches its maximum limits and blocks user’s account for the day. As a result, most of the employees of such infected organization cannot send mails. Such blockages lead to disruption to regular operations or work and further potential harm to an organization’s reputation. Finally, after a week or two we were able to totally clean total network.
Ryuk ransomware infection may cause temporary or permanent loss of user’s critical data.
What Quick-Heals Telemetry says:
As you can see, number of hits per day are very high from July 2018 till April 19. It indicates how widespread it is. But same is not the case with actual numbers of customer escalations. At quick-heal Labs, even after detecting thousands of samples per day, we received many customer escalations in initial months after outbreak. Further, we added some rules, IOC’s, signatures at each level of Product features namely at Virus Protection, Behavior Detection, Email Protection, Memory scan, IDS & IPS, Machine learning based, Browsing protection. This directly affected in Zero customer escalations for Emotet from last few months with already infected customers also totally cleaned. As stats are indicating that we are detecting thousands of Emotet samples per day in last few months and still NO customer escalation/issue reported.
How can I remove Emotet?
If your machine is in network of any organization, then firstly isolate it immediately. Patch with latest updates of installed software’s and clean the system.
As Emotet can move laterally in network, your machine can be infected again when you reconnect to network. Identify and clean each infected machine in same network. It’s really complex process to follow. One can always choose Quick-heal Antivirus / Seqrite Endpoint Security to avoid this complex process and stay safe with cleaning of already infected machines and proactively blocking against future Emotet infections.
Preventive measures
- Keep your computer up-to-date with the latest updates of Operating system, Security software and other software.
- Don’t open any link in the mail received from an unknown/untrusted source.
- Don’t download attachments received by an unknown/untrusted source.
- Don’t enable ‘macros’ for Microsoft’s office documents.
- Educate yourself and others for keeping strong passwords.
- Use two-factor authentication where-ever possible.
Conclusion:
Stats indicate that we are detecting thousands of Emotet samples per day in last few months and still NO customer escalation/issue has been reported. With this we can say that Quick Heal is able to stop Emotet till today’s date. As its always cat and mouse game between malware and security vendors, we expect evolution of Emotet to next step. We will be continuously monitoring Emotet for future also and will ensure all customers are secured from such malwares.
To read more about the detailed analysis of the Emotet, download this PDF.
Content Courtesy
Bajrang Mane, Security Labs
No Comments