How the pandemic has reinvigorated Emotet [Q&A]

The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has recently put out a warning concerning a surge in activity from the group behind the Emotet trojan.

Emotet has been around for some time and has mostly been associated with banking trojans, but this year’s upsurge in activity has seen it branch out into other areas.

But what's driving these new attacks and how can businesses defend themselves? We spoke to Matt Lock of data security specialist Varonis to find out.

BN: Give us a bit of background on Emotet, what is it and how does it work?

ML: Emotet was first seen in the wild back in 2014, when it primarily operated as a trojan that intercepted banking credentials through man-in-the-browser attacks. The malware has undergone multiple evolutions since it first appeared and has now become something of a general-purpose tool that can be used for several kinds of malicious activity.

The malware is polymorphic, so specific indicators of compromise (IOCs) change frequently. Security solutions that rely on threat signatures related to loader URLs, C2 IP/port combos, and spam templates therefore have an extremely hard time catching Emotet. Added to this, there are also three separate Emotet botnets with their own supporting infrastructure, making it even more difficult to detect.

Once Emotet is inside a network, it can deploy a variety of methods to move laterally, escalate privileges, establish persistence and exfiltrate data. It can also act as an uploader for other payloads such as Qbot and Trickbot.

BN: Do we know who's behind the trojan?

ML: Emotet is known as the signature payload of the threat actor designated TA542, also known as Mummy Spider. Since it first emerged in 2014, TA542 has earned a reputation as one of the most prolific and persistent actors around. Alongside the use of the ever-evolving Emotet malware, the actor has specialized in high-volume global attack campaigns, launching millions of malicious messages that target multiple industries.

After a period of relative quiet, TA 542 is now back with a vengeance, armed with an even more powerful version of Emotet, multiple worldwide botnets, and insidious new techniques exploiting the pandemic.

BN: What's driving the latest wave of attacks?

ML: The latest resurgence of Emotet attacks are heavily centered on the global COVID-19 crisis. Moving on from previous phishing tactics such as fake invoices, TA542 has adapted to exploit fear and uncertainty about the virus, with attacks seen in the wild as early as February. These targeted users across Japan, spreading via emails purporting to be from disability welfare services.

As the year -- and the pandemic -- progressed, the Emotet attacks continued to ramp up and expand globally. Further attacks have been launched via emails impersonating bodies such as the CDC in the United States, usually instructing victims to click a link to access important information about virus cases in their area.

BN: How are the attackers getting into networks?

ML: As with its previous incarnations over the years, Emotet is primarily spread via phishing emails. Three global botnets power the campaigns, each having its own C2 infrastructure, update schedules and malspam templates. The latest wave of Emotet emails contain password-protected ZIP attachments, designed to evade scanning by email filters.

These emails also contain macro-enabled attachments or malicious links that aim to infect victims and conscript them into its army of spamming accounts. HTTP POST requests back to the C2 server will steal the victims' email messages and contact lists, enabling the threat actor to impersonate them and reply to existing email threads with malicious links. This can be done automatically, or the threat actor can take direct control of the account. Either way, this is a powerful and dangerous method for spreading Emotet's reach, as human users and machines will likely be fooled by an email from a trusted party.

Emotet is an extremely versatile tool that can be used for a number of different malicious activities. It boasts a wide array of plugins that can be loaded from the C2 server to extend and adapt its capabilities. For example, attackers can use a lateral movement module to spread via SMB exploits like EternalBlue.

Emotet enables attackers to obtain privileged account credentials via Active Directory or by scouting for passwords saved on the system in plain text. From here, the attacker can undertake any number of actions, including accessing more sensitive data and essential systems, and adding additional users to domain administrator groups.

BN: What steps can businesses take to defend themselves?

ML: Emotet is one of the world's most dangerous and effective cyber weapons. It's also highly adaptable which makes it very difficult to predict how it will be used next. TA542's large and sophisticated network of botnets also means the threat actor has unparalleled reach and is adept at striking huge numbers of global targets in rapid bursts.

That said, while Emotet is formidable, it is not unstoppable. However, organizations need a strong, multi-layered defensive strategy to keep pace with the unpredictable nature of these attacks. Getting the basics right is essential, which includes training end users to spot the warning signs of a phishing email and installing an effective mail filtering solution.

Strong patch management is also essential as it will prevent lateral movement of malware within the network. In particular, organizations must make absolutely certain that no machines are still vulnerable to EternalBlue.

Organizations should also reduce their attack surface where possible, for example proactively identifying vulnerabilities such as unused user accounts, mapping access permissions to data sets and ensuring these are locked down before they can be exploited.

Finally, firms should ensure they are armed with sophisticated detection capabilities to identify anomalous behavior such as a user accessing an unusual amount of data compared to normal. While Emotet has constantly evolved to evade signature-based detection, data-centric monitoring of Active Directory, DNS, VPNs and proxies will aid in detecting signs of Emotet at work.

Image credit: wk1003mike / Shutterstock