The evolution of Emotet: How to protect your network

With over 350,000 new malware samples emerging every day, it’s difficult for any one strain of malware to make a name for itself. Any single malware sample whose name you know -- be it Mirai, WannaCry, or NotPetya -- speaks to a trail of devastation.

In 2019, people are also hearing another name: Emotet.

But Emotet has been around in one form or another since 2014, and its first major resurgence was in 2017. In the beginning, Emotet was just one trojan among many -- a particularly run-of-the-mill banking trojan that did some damage before being researched, understood, and dismissed in a flurry of signature updates.

With the benefit of hindsight, we can see that Emotet was more than just a one-off virus created by script kiddies. Rather, it was an experiment -- a rough draft created by a formidable nation-state actor or criminal network. In the current spread of Emotet, we see not just a novel malware sample, but an evolution in the way that hackers do business and target victims.

What’s New About Emotet?

Think back to the last time you heard about Emotet in 2017. At that point, while Emotet was a fairly sophisticated piece of malware, it wasn’t doing anything particularly novel. It was a trojan that was sent as a phishing payload, using an email baited with a fake PDF or word document. It was dangerous, but not revolutionary.

Then something changed -- something dramatic. Emotet’s creators kept adding modules and features, and its popularity grew. Emotet is now a licensed product. Its creators barely do any hacking themselves. Instead, they license copies of Emotet to other attackers, who customize it for their needs and use it to launch their own attacks.

As a result of its new features, Emotet has gone from being one threat among many to being the payload in 60 percent of phishing attacks. Emotet in the hands of attackers is like an AK-47 in the hands of insurgent groups -- it’s ubiquitous.

How did it get this way?

Emotet’s New Features Make it A Powerful Weapon

The thing about Emotet is that it isn’t just malware -- it’s a platform. That is to say, it’s relatively modular -- a single sample can deploy multiple exploits, allowing it to circumvent many different detection methods and spread throughout an entire network.

For example, Emotet now contains a worm module. If it’s installed on a vulnerable endpoint, and that endpoint is on a network containing multiple endpoints with the same vulnerability, then Emotet will spread autonomously to all those computers. If those computers are using an unpatched version of SMB (Server Message Block), then Emotet can even deploy a version of the EternalBlue exploit. If the machines are password-protected, then Emotet will employ a dictionary attack against Active Directory to break the passwords and -- you guessed it -- then spread.

With that said, the worst part of Emotet isn’t any of these features. Rather, it’s a new addition that helps it avoid many kinds of common antivirus protections.

Polymorphism -- Self-Mutating Viruses That Avoid Detection

Traditional Antivirus software tends to look for certain malware signatures in order to detect and remove malicious applications. For example, most malware is encrypted to mask its contents, so an antivirus program will look for files with a hash that matches that encryption. Once installed, malware will "phone home" to specific IP addresses for instruction. Antivirus programs are on the lookout -- any program that phones home to a known bad domain will be terminated.

Emotet routinely avoids these detection measures due to a feature known as polymorphism. It changes its own code while achieving the same functionality, so its hash value is different every time. It switches between IP addresses -- and its creators constantly register new IPs. Emotet can even avoid advanced behavioral detection algorithms by going dormant during scans. Not even sandboxing will catch the Emotet malware -- its sandbox detection module will cause the malware to go dormant in virtual environments as well.

How Do You Protect Against Malware That Can’t be Caught?

Although polymorphic malware is hard to detect, there are a few ways to reduce your risk:

• Patch Aggressively:
  Emotet relies on vulnerabilities to spread. A fully-patched computer has few weaknesses where Emotet is concerned, and there are patches available for most of the vulnerabilities that the malware commonly exploits -- including EternalBlue.
• Security Awareness:
  While training isn’t foolproof, keeping your employees aware of the dangers of phishing attacks will substantially -- if not completely -- cut down on your risks.
• Remote Browser Isolation (RBI):
  One way to keep malware off of your computer is by ensuring that no content from the internet touches endpoints. RBI works by having browsing take place in a virtual browser located in a container in the cloud. Only a safe, interactive media stream reaches the user device. Even if a user clicks on a malicious URL, the viral payload remains sealed in the container, which itself is destroyed once the session ends.

Emotet is a serious problem, but it’s not insurmountable. Although Emotet may be an AK-47 for attackers, following these commonsense strategies can render your organization bulletproof.

Image credit: wk1003mike / Shutterstock

Nick L. Kael is Chief Technology Officer (CTO) at Ericom Software. He has over 24 years experience in the technology industry, including 17 in cybersecurity. He is knowledgeable in areas including web technologies, architecture, infrastructure, networking and development environments.