Fighting Emotet: lessons from the front line

Thanks to Sophos expert Peter Mackenzie for the research in this article.

Emotet is malware that’s designed to evade detection, dig in hard and multiply.

Thanks to a restless update schedule, a modular, polymorphic design, and its ability to deploy a host of different techniques for worming through networks, the software is a moving, shape-shifting target for admins and their security software.

Over its five-year life, Emotet has evolved from a Trojan that silently steals victims’ banking credentials into a highly sophisticated and widely deployed platform for distributing other kinds of malware, most notably other kinds of banking Trojan.

Emotet arrives on the back of malicious spam campaigns and serves up whatever malware pays. So far this year that’s meant TrickBot and QBot banking trojans, although it’s also been linked with BitPaymer – a strain of sophisticated ransomware that extorts six-figure payouts.

In July 2018, the US-CERT (United States Computer Emergency Readiness Team) issued an alert that described Emotet as:

…among the most costly and destructive malware affecting SLTT [state, local, tribal, and territorial] governments. Its worm-like features result in rapidly spreading network-wide infection, which are difficult to combat. Emotet infections have cost SLTT governments up to $1 million per incident to remediate.

Emotet remains an extremely potent in-the-wild threat, and dealing with it is one of the most difficult challenges facing system administrators and threat hunters.

With that in mind, I sat down with Sophos Global Malware Specialist Peter Mackenzie, to find out what he’s learned from dealing with Emotet outbreaks.

1. Secure all of your machines

Prevention is better than cure, and one of the best preventative steps you can take is to make sure you don’t have any unsecured machines on your network. According to Peter:

Invariably when organizations are hit by Emotet, the source of the infection is an unprotected machine on the network. Customers are often unaware of these devices, let alone any malware that’s on them.

You can use a free network scanning tool to get a list of every active device on your network, and compare this with the ones in your security management console. If you find any unknown devices, get them patched and running up-to-date endpoint protection as quickly as possible.

Unknown, unsecured machines also give Emotet a place to hide and adapt, making a bad situation much worse.

Although it may be confined to the unsecured machine by the security software on your other machines, it will be trying to break free all the time. And because it’s polymorphic, updates itself so frequently (sometimes multiple times a day), and its payloads can switch on a dime, it’s continuously presenting new challenges.

The longer it’s allowed to run through those machinations, the more the risk increases that an update to Emotet, or a change of payload, will find a gap in your armour that allows it to break out and spread through your network.

It’s impossible to predict what will find the gap – perhaps it’ll be a new exploit, or a mutation that hides Emotet from signature based anti-virus temporarily – so defence in depth is crucial, and advanced anti-malware features like deep learning, exploit prevention and EDR give you a significant advantage in containing the outbreak and finding the source.

2. Patch early, patch often

Emotet is a gateway for other malware, so containing an Emotet outbreak doesn’t just mean stopping Emotet, it means stopping whatever it brings with it. Since you don’t know what that will be you have to take the best bang-for-buck precautions you can. Top of the list (it’s a long list, admittedly) should be patching known vulnerabilities.

It might feel like the oldest security advice under the sun but it’s on this list on merit. In the real world, unpatched software is making Emotet outbreaks worse, and harder to contain.

For an example of how that works, just look at EternalBlue, the SMB exploit made famous in 2017 by WannaCry and NotPetya. Almost unbelievably, despite all the headlines, and almost two years after Microsoft issued security bulletin MS17-010 announcing patches that protected against it, malware is still making profitable use of the exploit. One of those pieces of malware is TrickBot, the payload most commonly delivered by Emotet.

Somebody reading this isn’t on top of their patching – don’t let it be you.

3. Block PowerShell by default

Emotet typically arrives in malicious email attachments, and an outbreak often starts like this:

1. A user receives an email with a Word document attached.
2. The user opens the Word document and is fooled into running a macro.
3. The macro triggers PowerShell that downloads Emotet.
4. The Emotet infection begins.

Clearly, a user has to get a few things wrong for this to succeed, so the final piece of advice could easily have been “train your staff not to open dodgy emails or run macros”. It isn’t because, although it’s a great idea, it’s a never-ending journey and only has to fail once.

Something that has a similarly blunting effect on email-borne Emotet, but is easier for admins to implement successfully, is to block their users’ access to PowerShell by default.

We don’t mean block it for everyone – some people need PowerShell – we just mean begin with the assumption that nobody needs it (including admins) and then unblock it for the people that really, provably, do.

And when we say block, we mean block rather than setting a policy to disable it. Policies can be bypassed, so PowerShell should be blocklisted (the Sophos functionality that does this is called Application Control).

You can read more about how Sophos products stop Emotet on our sister site, Sophos News. Sophos has also prepared a Knowledge Base article for its customers: Resolving outbreaks of Emotet and TrickBot malware.