Emotet Malware

[#if smallImage??]
    [#if smallImage?is_hash]
        [#if smallImage.alt??]

Emotet—a sophisticated Trojan commonly functioning as a downloader or dropper of other malware—resurged in July 2020, after a dormant period that began in February. Since August, emotet increase in malicious cyber actors targeting state and local governments with it's phishing emails. This increase has rendered Emotet one of the most prevalent ongoing threats.

To secure against Emotet, implementing the mitigation measures described in this Alert, which include applying protocols that block suspicious attachments, using antivirus software, and blocking suspicious IPs.

Emotet is an advanced Trojan primarily spread via phishing email attachments and links that, once clicked, launch the payload (Phishing: Spearphishing Attachment).

The malware then attempts to proliferate within a network by brute forcing user credentials and writing to shared drives (Brute Force: Password Guessing,Valid Accounts: Local Accounts, Remote Services: SMB/Windows Admin Shares.

Emotet used compromised Word documents (.doc) attached to phishing emails as initial insertion vectors. Possible command and control network traffic involved HTTP POST requests to Uniform Resource Identifiers consisting of nonsensical random length alphabetical directories to known Emotet-related domains or IPs with the following user agent string (Application Layer Protocol: Web Protocols).

Traffic to known Emotet-related domains or IPs occurred most commonly over ports 80, 8080, and 443. In one instance, traffic from an Emotet-related IP attempted to connect to a suspected compromised site over port 445, possibly indicating the use of Server Message Block exploitation frameworks along with Emotet (Exploitation of Remote Services).

Consider applying the following best practices to strengthen the security posture of their organization's systems. System owners and administrators should review any configuration changes prior to implementation to avoid unwanted impacts.

Block email attachments commonly associated with malware (e.g.,.dll and .exe).
Block email attachments that cannot be scanned by antivirus software (e.g., .zip files).
Implement Group Policy Object and firewall rules.
Implement an antivirus program and a formalized patch management process.
Implement filters at the email gateway, and block suspicious IP addresses at the firewall.
Adhere to the principle of least privilege.
Implement a Domain-Based Message Authentication, Reporting & Conformance validation system.
Segment and segregate networks and functions.
Limit unnecessary lateral communications.
Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
Enforce multi-factor authentication.
Exercise caution when opening email attachments, even if the attachment is expected and the sender appears to be known. See Using Caution with Email Attachments.
Enable a firewall on agency workstations, configured to deny unsolicited connection requests.
Disable unnecessary services on agency workstations and servers.
Scan for and remove suspicious email attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
Monitor users' web browsing habits; restrict access to suspicious or risky sites.
Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs).
Scan all software downloaded from the internet prior to executing.


Most Viewed Assets