Emotet Malware

 

Systems Affected


Network Systems

Threat Level


High


Overview


Emotet is an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. Infections are costly and destructive: because Emotet carries its own spreading modules, it propagates rapidly across a network in a worm-like fashion, which makes it difficult to contain and remove.


Description


Emotet spreads through phishing emails that carry either a malicious attachment or a link to a malicious document; the document is used to download the payload. Once downloaded, the payload checks whether it is running in a sandbox environment. If it detects a sandbox, it does not proceed further.

Otherwise, to maintain persistence, Emotet injects code into explorer.exe and other running processes. It collects system information, including the system name, location and operating system version, and then begins connecting to its command and control (C2) server. Once the connection is established, it reports the new infection, receives configuration data, downloads and runs files, receives instructions and uploads data to the C2 server.

Emotet establishes persistence and attempts to propagate across the local network through its built-in spreader modules. Five spreader modules are currently known: NetPass.exe, WebBrowserPassView, Mail PassView, an Outlook scraper and a credential enumerator. The first three are legitimate NirSoft password-recovery utilities that Emotet bundles to harvest stored credentials, so their presence on a host that has no business running them is worth investigating.


Impact


  • Temporary or permanent loss of sensitive or proprietary information
  • Disruption to regular operations
  • Financial losses incurred to restore systems and files
  • Harm to the organization's reputation.


Solution/ Workarounds


  • Use antivirus programs, with automatic updates of signatures and software, on clients and servers.
  • Apply appropriate patches and updates immediately.
  • Consider blocking file attachments that are commonly associated with malware, such as .dll and .exe, and attachments that cannot be scanned by antivirus software, such as .zip files (encrypted or password-protected archives in particular).
  • Provide employees with training on social engineering and phishing.
  • Advise employees not to open suspicious emails, not to click links or open attachments in such emails, not to post sensitive information online, and never to provide usernames, passwords or personal information in answer to an unsolicited request.
  • Access the organization's website directly through the browser instead of following a link in an email.
  • Adhere to the principle of least privilege, ensuring that users have the minimum level of access required to accomplish their duties.
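The attachment-blocking advice above can be enforced at a mail gateway with a policy check. The Python below is an added example for this advisory and is not Sri Lanka CERT|CC code. It blocks the extensions the advisory names (.exe, .dll; a few other Windows executable and script extensions are added here as an assumption) and, instead of dropping every .zip blindly, opens archives and blocks only those an antivirus engine could not usefully scan: encrypted entries, malformed or oversized archives, nested archives, and executables hidden inside (recognized by extension or by the PE "MZ" header, which also catches an executable renamed to .pdf). The sample message, sender and recipient addresses are constructed for the example.

```python
"""Mail-gateway attachment policy check (added example, not CERT|CC code)."""
import io
import os
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Extensions blocked outright. The advisory names .dll and .exe; the
# remaining entries are common Windows executable/script types (assumption).
BLOCKED_EXTENSIONS = {".exe", ".dll", ".scr", ".pif", ".js", ".vbs"}
PE_MAGIC = b"MZ"                    # first two bytes of a Windows PE file
ZIP_MAGIC = b"PK\x03\x04"           # zip local file header
MAX_ENTRY_BYTES = 50 * 1024 * 1024  # refuse to inflate anything larger
MAX_ARCHIVE_DEPTH = 2               # archives nested deeper are not scanned


def extension_of(name: str) -> str:
    """Lower-cased final extension, so 'Invoice.PDF.EXE' -> '.exe'."""
    return os.path.splitext(name.lower())[1]


def inspect_zip(data: bytes, depth: int = 0) -> list[str]:
    """Reasons to block a zip payload; an empty list means nothing was found."""
    if depth > MAX_ARCHIVE_DEPTH:
        return ["archive nested too deeply to scan"]
    reasons = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                if info.flag_bits & 0x1:  # bit 0 = entry is encrypted
                    reasons.append(f"{info.filename}: encrypted entry, cannot be scanned")
                    continue
                if info.file_size > MAX_ENTRY_BYTES:  # decompression-bomb guard
                    reasons.append(f"{info.filename}: entry too large to scan")
                    continue
                entry = zf.read(info)
                if extension_of(info.filename) in BLOCKED_EXTENSIONS or entry[:2] == PE_MAGIC:
                    reasons.append(f"{info.filename}: executable inside archive")
                elif entry[:4] == ZIP_MAGIC:  # zip inside zip: recurse with a depth limit
                    reasons.extend(f"{info.filename}/{r}" for r in inspect_zip(entry, depth + 1))
    except zipfile.BadZipFile:
        reasons.append("archive is malformed or not a zip, cannot be scanned")
    return reasons


def classify_attachment(filename: str, data: bytes) -> list[str]:
    """Reasons to block one attachment; an empty list means allow."""
    reasons = []
    ext = extension_of(filename)
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"extension {ext} is blocked")
    elif data[:2] == PE_MAGIC:
        # The name claims a document, the content is an executable.
        reasons.append("PE header under a non-executable extension (renamed executable)")
    if ext == ".zip" or data[:4] == ZIP_MAGIC:
        reasons.extend(inspect_zip(data))
    return reasons


def scan_message(raw: bytes) -> dict[str, list[str]]:
    """Map each attachment filename in a raw RFC 822 message to its block reasons."""
    msg = message_from_bytes(raw, policy=default)
    verdicts = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        verdicts[name] = classify_attachment(name, part.get_payload(decode=True) or b"")
    return verdicts


def build_sample_message() -> bytes:
    """Constructed phishing-style mail with five attachments (sample data only)."""
    fake_pe = PE_MAGIC + b"\x00" * 62  # only the header matters for this check
    zipped = io.BytesIO()
    with zipfile.ZipFile(zipped, "w") as zf:
        zf.writestr("invoice.pdf.exe", fake_pe)  # double-extension lure inside a zip
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "staff@example.org"
    msg["Subject"] = "Outstanding invoice"
    msg.set_content("Please review the attached invoice.")
    msg.add_attachment(fake_pe, maintype="application", subtype="octet-stream", filename="invoice.exe")
    msg.add_attachment(zipped.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    msg.add_attachment(fake_pe, maintype="application", subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"not really a zip", maintype="application", subtype="zip", filename="scan.zip")
    msg.add_attachment("Regards", filename="note.txt")
    return bytes(msg)


if __name__ == "__main__":
    for name, reasons in scan_message(build_sample_message()).items():
        print(f"{name}: {'BLOCK ' + '; '.join(reasons) if reasons else 'allow'}")
```

Running the script blocks invoice.exe (extension), invoice.zip (executable inside), invoice.pdf (MZ header under a document extension) and scan.zip (unreadable archive) and allows note.txt. The content checks matter more than the extension list: attackers rename executables and nest them in archives precisely because extension-only filters are easy to bypass.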


References


https://www.us-cert.gov/ncas/alerts/TA18-201A
http://www.cert-in.org.in/
https://www.zdnet.com/article/banking-malware-finds-new-life-spreading-data-stealing-trojan/


Disclaimer


The information provided herein is on "as is" basis, without warranty of any kind.



© Copyright Sri Lanka CERT|CC. All Rights Reserved.