the infamous EternalBlue SMB exploit to directly take over unpatched Windows systems, all without requiring any user clicks or logins.
US-CERT considers it one of the most costly and destructive malware families hitting the public sector, with its worm-like features making it difficult and expensive to eradicate. A single network eradication effort can cost over 750,000 Euro. Despite its nasty reputation in the public sector, the ongoing wave of Emotet in the DACH region primarily targets consumers.
From a technical perspective, the Emotet emails and their payloads are regularly updated, and the malware code itself is highly sophisticated. Emotet is highly dangerous for every device hardwired to a Local Area Network. By stealing local PC login details from the memory of a single infected device, Emotet can infect every PC on the local network that it can reach and log in to with matching administrator credentials (via the admin share). If an administrator attempts to clean up an infected machine without first disconnecting it from a LAN that contains other infected machines, reinfection can happen within seconds.
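The admin-share spreading described above leaves a recognisable trace in Windows Security logs: one account, from one source address, touching ADMIN$ or C$ on many hosts within minutes. The following check is an added example (not code from the article or from Avira); it assumes Event ID 5140 records have already been centralised and reduced to account, source IP, target host and share name, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Event ID 5140 ("A network share object was accessed")
# records, reduced to the fields the check needs. "target" is the host that
# logged the event, i.e. the machine whose share was opened.
SAMPLE_EVENTS = [
    {"time": "2019-03-01T10:00:01", "account": "CORP\\jsmith", "source": "10.0.0.5",  "target": "PC-01", "share": "\\\\*\\ADMIN$"},
    {"time": "2019-03-01T10:12:03", "account": "CORP\\bob",    "source": "10.0.0.23", "target": "PC-02", "share": "\\\\*\\ADMIN$"},
    {"time": "2019-03-01T10:12:05", "account": "CORP\\bob",    "source": "10.0.0.23", "target": "PC-03", "share": "\\\\*\\ADMIN$"},
    {"time": "2019-03-01T10:12:07", "account": "CORP\\bob",    "source": "10.0.0.23", "target": "PC-06", "share": "\\\\*\\Public"},
    {"time": "2019-03-01T10:12:09", "account": "CORP\\bob",    "source": "10.0.0.23", "target": "PC-04", "share": "\\\\*\\ADMIN$"},
    {"time": "2019-03-01T10:13:40", "account": "CORP\\bob",    "source": "10.0.0.23", "target": "PC-05", "share": "\\\\*\\C$"},
    {"time": "2019-03-01T10:40:00", "account": "CORP\\jsmith", "source": "10.0.0.5",  "target": "PC-07", "share": "\\\\*\\IPC$"},
]

ADMIN_SHARES = ("ADMIN$", "C$", "IPC$")


def find_admin_share_fanout(events, window_minutes=5, threshold=3):
    """Return [(account, source_ip, sorted targets)] for every account/source
    pair that accessed administrative shares on at least `threshold` distinct
    hosts inside any `window_minutes` window. A single admin touching one box
    is normal; one credential fanning out across the LAN in minutes is the
    pattern Emotet's admin-share spreading produces."""
    by_actor = defaultdict(list)
    for ev in events:
        # Only administrative shares matter for this check.
        if not ev["share"].upper().endswith(ADMIN_SHARES):
            continue
        key = (ev["account"], ev["source"])
        by_actor[key].append((datetime.fromisoformat(ev["time"]), ev["target"]))

    window = timedelta(minutes=window_minutes)
    hits = []
    for (account, src), accesses in by_actor.items():
        accesses.sort()
        for t0, _ in accesses:
            # Distinct hosts reached within the window starting at this access.
            targets = {tgt for t, tgt in accesses if t0 <= t <= t0 + window}
            if len(targets) >= threshold:
                hits.append((account, src, sorted(targets)))
                break  # one alert per actor is enough
    return hits


if __name__ == "__main__":
    for account, src, targets in find_admin_share_fanout(SAMPLE_EVENTS):
        print(f"ALERT: {account} from {src} opened admin shares on {targets}")
```

Tune the threshold and window to your environment; deployment tools and backup agents that legitimately touch ADMIN$ on many hosts should be allow-listed by account or source rather than by raising the threshold.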
Emotet is a “dropper” Trojan: it is used to distribute other pieces of malware. In the past, Emotet also installed TrickBot, a banking and information-stealing malware. “While they seemingly separated operations 3-4 weeks ago, we still see Emotet-infected machines that also have TrickBot,” said Stefan Kurtzhals, threat researcher at Avira. TrickBot uses process hollowing on the Microsoft OS file “svchost.exe” and spawns several copies to perform various activities. The incorporation of TrickBot is an additional headache when remediating infections, as TrickBot is very aggressive in disabling local security software once it has been able to run fully at least once.