A new wave of Emotet Trojan malware is hitting Europe and the DACH region, with the Avira Protection Lab recording over 3.6 million detections so far in 2018. Usually arriving as a phishing email, the latest variants of this Trojan have been fine-tuned to slip past user defenses and worm their way through local area networks. Even worse, the personal data stolen during this ongoing attack can be used to craft ever more detailed and targeted phishing emails.
Fine-tuned phishing distribution
Emotet is usually distributed by phishing emails such as fake PayPal messages or even fake security announcements. The latest Emotet phishing emails appear to use email addresses exfiltrated from the inboxes of infected users, resulting in finely tuned emails with a high trust factor.
“These emails look legit, the writing and structure is correct both in English and in German,” said Mikel Echevarria-Lizarraga, malware analyst in the Avira Protection Lab. “This is way more targeted than the traditional Nigerian princess scam.”
A fast introduction to Emotet
Emotet is a banking Trojan that steals user credentials, passwords and email contact lists, and also drops additional malware onto the infected systems. The initial infection happens when a user opens a malicious link, PDF, or macro-enabled Microsoft Word document included in the phishing email. Emotet then establishes itself on the device and spreads to additional devices within the local network. Emotet also uses the infamous EternalBlue SMBv1 exploit to take over unpatched Windows systems directly, without requiring any user clicks or logins.
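The macro-enabled Word document is the usual entry point, so the first thing worth checking on a suspicious attachment is whether it carries a VBA project at all. The following Python script is an added example (not Avira's code): a modern Office file (.docx/.docm) is a zip archive in which a VBA project is stored as the part word/vbaProject.bin and announced by a macroEnabled content type; a legacy .doc is an OLE compound file that needs a dedicated parser. The sample documents below are constructed in memory with placeholder parts and are not real Word files or real Emotet lures.

```python
"""Triage an Office attachment before anyone double-clicks it (added example)."""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls/.ppt container
ZIP_MAGIC = b"PK\x03\x04"                        # OOXML (.docx/.docm/...) container
MACRO_MAIN_PART = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_PART = (
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
)


def office_macro_report(data: bytes, filename: str) -> dict:
    """Return a small report describing the macro risk of one Office file."""
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    report = {"filename": filename, "container": "other",
              "has_vba": False, "extension_mismatch": False, "note": ""}

    if data.startswith(OLE_MAGIC):
        # Legacy binary format: macros live inside the OLE storage tree, which
        # needs a CFB parser (e.g. oletools/olevba) to read reliably.
        report["container"] = "ole"
        report["note"] = "legacy OLE container; inspect with olevba before opening"
        return report

    if not data.startswith(ZIP_MAGIC):
        return report

    report["container"] = "ooxml"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            content_types = ""
            if "[Content_Types].xml" in names:
                content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    except zipfile.BadZipFile:
        report["container"] = "other"
        report["note"] = "corrupt zip container"
        return report

    # The VBA project is a separate zip part; its presence is the reliable signal.
    vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
    report["has_vba"] = bool(vba_parts) or MACRO_MAIN_PART in content_types

    # A plain .docx/.xlsx/.pptx should not carry a VBA project at all, so a
    # mismatch means the file was renamed to look harmless.
    report["extension_mismatch"] = report["has_vba"] and ext in {"docx", "xlsx", "pptx"}
    return report


def build_sample_ooxml(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-shaped zip (placeholder parts, not a real Word
    file) so the report function can be exercised offline."""
    main_type = MACRO_MAIN_PART if with_macro else PLAIN_MAIN_PART
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
        "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00placeholder VBA project\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("invoice.docm", build_sample_ooxml(True)),
                       ("invoice.docx", build_sample_ooxml(True)),
                       ("minutes.docx", build_sample_ooxml(False)),
                       ("old.doc", OLE_MAGIC + b"\x00" * 16)]:
        print(office_macro_report(blob, name))
```

The report deliberately stops at "has a VBA project" rather than trying to judge what the macro does; that is the point at which a sandbox or an analyst takes over. Treat any attachment with has_vba set, and any legacy OLE file, as not to be opened on a LAN-connected machine.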
US-CERT considers it one of the most costly and destructive malware families hitting the public sector, with worm-like features that make it difficult and expensive to eradicate: a single network eradication effort can cost over 750,000 Euro. Despite its nasty reputation in the public sector, the ongoing Emotet wave in the DACH region primarily targets consumers.
Highly infectious on a network
From a technical perspective, the Emotet emails and their payloads are regularly updated, and the malware code itself is highly sophisticated. Emotet is highly dangerous for every device connected to a local area network. By harvesting Windows logon credentials from the memory of a single infected device, Emotet can log on to every other PC it can reach on the network where those credentials carry administrator rights, copying itself over the administrative shares (ADMIN$ and similar). If an administrator attempts to clean up an infected machine without first disconnecting it from a LAN that still contains other infected machines, reinfection can happen within seconds.
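That spread pattern leaves a recognisable trace in the Windows Security log: one source address reusing a single account to perform network logons (event 4624, logon type 3) against many peers in a short time, followed by access to their administrative shares (event 5140). The script below is an added example and not Avira's detection logic; the event IDs and field meanings are the real Windows ones, but the hostnames, accounts and events are constructed for the example and the threshold and time window are assumptions to tune for your own environment.

```python
"""Flag Emotet-style lateral movement in Windows Security log events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}

# Constructed sample events (not real logs): WS01 at 10.0.0.15 hops across four
# workstations with a stolen admin account; a backup service reads C$ on two
# hosts as legitimate noise; a user logs on interactively (logon type 2).
SAMPLE_EVENTS = [
    {"time": "2018-10-02T09:00:01", "id": 4624, "host": "WS02", "account": "CORP\\Administrator", "src": "10.0.0.15", "logon_type": 3},
    {"time": "2018-10-02T09:00:02", "id": 5140, "host": "WS02", "account": "CORP\\Administrator", "src": "10.0.0.15", "share": "\\\\*\\ADMIN$"},
    {"time": "2018-10-02T09:00:40", "id": 4624, "host": "WS03", "account": "CORP\\Administrator", "src": "10.0.0.15", "logon_type": 3},
    {"time": "2018-10-02T09:00:41", "id": 5140, "host": "WS03", "account": "CORP\\Administrator", "src": "10.0.0.15", "share": "\\\\*\\ADMIN$"},
    {"time": "2018-10-02T09:01:10", "id": 4624, "host": "WS04", "account": "CORP\\Administrator", "src": "10.0.0.15", "logon_type": 3},
    {"time": "2018-10-02T09:01:11", "id": 5140, "host": "WS04", "account": "CORP\\Administrator", "src": "10.0.0.15", "share": "\\\\*\\C$"},
    {"time": "2018-10-02T09:01:55", "id": 4624, "host": "WS05", "account": "CORP\\Administrator", "src": "10.0.0.15", "logon_type": 3},
    {"time": "2018-10-02T09:01:56", "id": 5140, "host": "WS05", "account": "CORP\\Administrator", "src": "10.0.0.15", "share": "\\\\*\\ADMIN$"},
    # Benign: backup account reaches C$ on only two hosts, below the threshold.
    {"time": "2018-10-02T09:05:00", "id": 4624, "host": "WS02", "account": "CORP\\svc_backup", "src": "10.0.0.5", "logon_type": 3},
    {"time": "2018-10-02T09:05:01", "id": 5140, "host": "WS02", "account": "CORP\\svc_backup", "src": "10.0.0.5", "share": "\\\\*\\C$"},
    {"time": "2018-10-02T09:06:00", "id": 4624, "host": "WS03", "account": "CORP\\svc_backup", "src": "10.0.0.5", "logon_type": 3},
    {"time": "2018-10-02T09:06:01", "id": 5140, "host": "WS03", "account": "CORP\\svc_backup", "src": "10.0.0.5", "share": "\\\\*\\C$"},
    # Benign: interactive console logon, not a network hop.
    {"time": "2018-10-02T09:07:00", "id": 4624, "host": "WS06", "account": "CORP\\jdoe", "src": "127.0.0.1", "logon_type": 2},
]


def detect_lateral_movement(events, min_targets=3, window=timedelta(minutes=10)):
    """Return one alert per (account, source IP) that performs network logons to
    at least `min_targets` distinct hosts within `window` and touches an
    administrative share on at least one of them."""
    first_logon = defaultdict(dict)   # (account, src) -> {host: first 4624 time}
    share_hosts = defaultdict(set)    # (account, src) -> hosts with admin-share access

    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["account"], ev["src"])
        ts = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4624 and ev.get("logon_type") == 3:
            first_logon[key].setdefault(ev["host"], ts)
        elif ev["id"] == 5140:
            share_name = ev.get("share", "").rsplit("\\", 1)[-1].upper()
            if share_name in ADMIN_SHARES:
                share_hosts[key].add(ev["host"])

    alerts = []
    for key, hosts in first_logon.items():
        times = sorted(hosts.values())
        # Sliding window over first-seen times: min_targets new hosts inside `window`.
        burst = any(times[i + min_targets - 1] - times[i] <= window
                    for i in range(len(times) - min_targets + 1))
        if burst and share_hosts.get(key):
            alerts.append({
                "account": key[0],
                "source_ip": key[1],
                "targets": sorted(hosts),
                "admin_share_hosts": sorted(share_hosts[key]),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_lateral_movement(SAMPLE_EVENTS):
        print(f"{alert['account']} from {alert['source_ip']} -> {alert['targets']} "
              f"(admin shares on {alert['admin_share_hosts']})")
```

Keying on the (account, source address) pair rather than on the account alone matters: a backup or management account legitimately touches many hosts, but from a fixed server, whereas Emotet's logons originate from whichever workstation was infected first. The source_ip in an alert is therefore the machine to pull off the LAN before anything else is cleaned.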
On and off again partners in crime
Emotet is a “dropper” Trojan: it is used to distribute other malware. In the past, Emotet also installed Trickbot, a banking and information-stealing malware. “While they seemingly separated operations 3-4 weeks ago, we still see Emotet-infected machines that also have Trickbot,” said Stefan Kurtzhals, threat researcher at Avira. Trickbot injects itself into copies of the Windows system binary svchost.exe (process hollowing) and spawns several such copies, each performing a different task. The presence of Trickbot is an additional headache for remediation, because Trickbot aggressively disables local security software once it has been able to run fully at least once.
- Be extremely careful when opening email attachments, even those from known senders.
- Review your updates: are all devices, particularly those running Windows 7, fully patched? (MS17-010 is the update that closes the EternalBlue hole.)
- Clean up carefully: to clean an Emotet/Trickbot-infected system, it is strongly recommended to use tools like Process Explorer or Process Hacker to find the suspect processes and terminate them.
- Detach from the LAN: disconnect machines from the LAN during the cleanup process to avoid reinfection from other infected hosts.
- Look out for GDPR: at the company level, Emotet's theft of email details also raises the specter of a mandatory GDPR breach notification to the supervisory authority.
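Finding the suspect processes in Process Explorer comes down to a few invariants that a hollowed svchost.exe copy breaks: on a healthy Windows system every svchost.exe is started by services.exe, runs from the System32 directory and carries a "-k <service group>" argument, whereas the copies Trickbot spawns have Trickbot's own process as their parent. The script below is an added example, not Avira's tooling; it applies those checks to a process snapshot. The process table is constructed for the example (the loader name and paths are invented), and on a real host you would feed it the columns shown by Process Explorer or Process Hacker, or the output of `wmic process get ProcessId,ParentProcessId,Name,ExecutablePath,CommandLine`.

```python
"""Pick out svchost.exe processes that do not look like the real thing (added example)."""

SYSTEM32_SVCHOST = r"c:\windows\system32\svchost.exe"

# Constructed process snapshot (not from a real host): pid, parent pid, image
# name, image path and command line.  Pids 3000-3100 model the infection.
SAMPLE_PROCESSES = [
    {"pid": 4,    "ppid": 0,    "name": "System",       "path": "",                                  "cmd": ""},
    {"pid": 500,  "ppid": 4,    "name": "wininit.exe",  "path": r"C:\Windows\System32\wininit.exe",  "cmd": "wininit.exe"},
    {"pid": 600,  "ppid": 500,  "name": "services.exe", "path": r"C:\Windows\System32\services.exe", "cmd": r"C:\Windows\system32\services.exe"},
    {"pid": 700,  "ppid": 600,  "name": "svchost.exe",  "path": r"C:\Windows\System32\svchost.exe",  "cmd": r"C:\Windows\system32\svchost.exe -k netsvcs"},
    {"pid": 720,  "ppid": 600,  "name": "svchost.exe",  "path": r"C:\Windows\System32\svchost.exe",  "cmd": r"C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted"},
    {"pid": 1800, "ppid": 600,  "name": "explorer.exe", "path": r"C:\Windows\explorer.exe",          "cmd": r"C:\Windows\Explorer.EXE"},
    # Trickbot-style: a loader in the user profile spawns hollowed svchost.exe copies.
    {"pid": 3000, "ppid": 1800, "name": "updater.exe",  "path": r"C:\Users\ann\AppData\Roaming\winapp\updater.exe", "cmd": "updater.exe"},
    {"pid": 3010, "ppid": 3000, "name": "svchost.exe",  "path": r"C:\Windows\System32\svchost.exe",  "cmd": "svchost.exe"},
    {"pid": 3020, "ppid": 3000, "name": "svchost.exe",  "path": r"C:\Windows\System32\svchost.exe",  "cmd": "svchost.exe"},
    # Wrong directory: a dropped file merely named svchost.exe.
    {"pid": 3100, "ppid": 1800, "name": "svchost.exe",  "path": r"C:\Users\ann\AppData\Local\Temp\svchost.exe", "cmd": "svchost.exe -k netsvcs"},
]


def find_suspect_svchost(processes):
    """Return {pid: [reasons]} for every svchost.exe that breaks one of the
    three invariants: parent is services.exe, image lives in System32, and
    the command line names a service group with -k."""
    by_pid = {p["pid"]: p for p in processes}
    suspects = {}
    for p in processes:
        if p["name"].lower() != "svchost.exe":
            continue
        reasons = []
        parent = by_pid.get(p["ppid"])
        if parent is None or parent["name"].lower() != "services.exe":
            who = parent["name"] if parent else f"missing pid {p['ppid']}"
            reasons.append(f"parent is {who}, not services.exe")
        if p["path"].lower() != SYSTEM32_SVCHOST:
            reasons.append(f"image path {p['path']} is not System32")
        if " -k " not in f" {p['cmd']} ":
            reasons.append("no -k service group on the command line")
        if reasons:
            suspects[p["pid"]] = reasons
    return suspects


def kill_order(processes, suspects):
    """Order pids for termination: the process that spawned the suspect copies
    goes first, so it cannot respawn them while the copies are being killed.
    services.exe and explorer.exe are never treated as loaders."""
    by_pid = {p["pid"]: p for p in processes}
    loaders = []
    for pid in suspects:
        ppid = by_pid[pid]["ppid"]
        parent = by_pid.get(ppid)
        if parent and parent["name"].lower() not in {"services.exe", "explorer.exe"} \
                and ppid not in loaders:
            loaders.append(ppid)
    return loaders + [pid for pid in suspects if pid not in loaders]


if __name__ == "__main__":
    found = find_suspect_svchost(SAMPLE_PROCESSES)
    for pid, reasons in found.items():
        print(pid, "; ".join(reasons))
    print("terminate in this order:", kill_order(SAMPLE_PROCESSES, found))
```

Run this only after the machine is off the LAN, for the reason given in the list above: a clean-looking process table on a host that is still reachable over the administrative shares from an infected neighbour will not stay clean.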