New Emotet Report Details Threats From One of the World’s Most Successful Malware Operations

Emotet is an advanced, modular banking Trojan originally discovered in 2014. It was first documented in 2015 by FortiGuard Labs’ own Joie Salvio, who was at Trend Micro at the time. In its original configuration, its primary function was to steal financial information. Since then, however, it has evolved into what the US Department of Homeland Security has labeled as one of the most costly and destructive malware systems in the world, costing victims up to $1 million per incident for remediation.

Emotet has remained highly active since its initial release, and its daily activities are constantly being documented by researchers and first responders worldwide to understand the latest additions and attack methodologies the Emotet authors continue to add to its toolkit. While it was originally designed as a simple banking Trojan, Emotet now functions as a polymorphic malware that efficiently drops additional malicious content – such as AZORult, IcedID, ZeuS Panda, and TrickBot – using its worm-like capabilities.

It is also able to evade typical signature-based detection. The first iteration of Emotet relied on corrupting the registry of a targeted device, and it continues to do so as an effective method of evasion, as any exfiltrated data is encrypted and stored in the registry. Not only is this strategy highly effective in thwarting discovery, it also allows the attackers to maintain persistence on a targeted machine because of the difficulty of finding any indicators of compromise.
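One defender-side check that follows from the registry behaviour described above is to triage registry values for large, near-random blobs, since encrypted data stored in the registry has much higher byte entropy than the strings and paths normally found there. This is an added example, not code from the playbook or from Fortinet; the registry values are constructed inline (no live registry is read), and the 256-byte / 7.0-bit thresholds are assumptions to tune per environment.

```python
import hashlib
import math
from collections import Counter


def _constructed_blob(seed: bytes, blocks: int = 32) -> bytes:
    # Constructed stand-in for an encrypted registry value: chained SHA-256
    # digests give a deterministic, near-uniform 1024-byte blob.
    return b"".join(hashlib.sha256(seed + bytes([i])).digest() for i in range(blocks))


# Constructed sample registry values (name -> raw data), not real IOCs.
SAMPLE_VALUES = {
    "Shell": b"explorer.exe",
    "InstallPath": "C:\\Program Files\\Example\\app.exe".encode("utf-16-le"),
    "a3f9c1": _constructed_blob(b"constructed-sample"),
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, min_len: int = 256, threshold: float = 7.0) -> bool:
    """Flag values that are both large and close to uniformly random.

    Short values are skipped: a handful of bytes cannot reach a stable
    entropy estimate, and legitimate short binary values are common.
    """
    return len(data) >= min_len and shannon_entropy(data) >= threshold


def triage_values(values: dict) -> list:
    """Return the names of registry values that deserve analyst attention."""
    return [name for name, data in values.items() if looks_encrypted(data)]


if __name__ == "__main__":
    for name, data in SAMPLE_VALUES.items():
        print(f"{name:12s} len={len(data):5d} "
              f"H={shannon_entropy(data):.2f} flagged={looks_encrypted(data)}")
```

On a Windows host the same functions would be fed from a registry export or the `winreg` module; plain strings and UTF-16 paths stay well below the threshold while the constructed blob is flagged.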

FortiGuard Labs Releases New Emotet Playbook

Because of its persistent evolution, the FortiGuard Labs SE Team has developed a new playbook focused on a recent Emotet attack campaign. While this playbook is not meant to be an exhaustive analysis of Emotet, it provides valuable information for detecting, understanding, and addressing some of its more recent iterations.

Emotet is generally spread through spam and phishing attacks that use branding familiar to the recipient, such as imitating receipts, shipping notifications, or “past-due” invoices. However, a new Emotet phishing strategy uses stolen email threads, not just harvested email addresses. It then inserts an infected reply into an active thread, disguised as coming from one of the participants. This strategic shift has proven to be not only exponentially more effective than traditional phishing attempts, but even more successful than targeted spearphishing tactics.

Initial infection occurs when a user opens or clicks on a malicious download link, PDF, or macro-enabled Microsoft Word document included in the email. Once downloaded, Emotet establishes a persistent foothold on a compromised device and then attempts to propagate across the network through its spreader modules.

Taking things even further, Emotet developers have now launched a unique Malware-as-a-Service (MaaS) offering that rents access to the millions of devices already infected with the Emotet trojan. Because Emotet is especially effective at delivering malicious payloads, attackers using this new malware-as-a-service offering can insert additional malware into targeted networks previously infected with Emotet.

Because of its sheer number of attacks, and large footprint of infected devices, this current campaign is operating on a massive scale – while also being run with the precision of a well-disciplined enterprise. Based on the profile of some of its development and attack strategies, it is entirely possible that the developers and leaders behind the Emotet malware may have previously been professionals in the information security space. And due to the resources required to sustain and support such an endeavor, they may also have the backing of a successful criminal enterprise.

Organizations Need to Take this Campaign Very Seriously

Due to the sheer number of samples being seen on a daily basis in this latest global campaign, and the growing volume of network IOCs being recorded by researchers and organizations tracking Emotet worldwide, there is little doubt that this latest iteration may end up being one of the most impactful malware campaigns of our time. What may have started out as a “simple” banking Trojan is today not only one of the most dangerous and complex attack systems in recent memory, but it has also managed to beat the odds by persistently evolving with the times, allowing it to remain highly relevant for the past four years – which is a lifetime when it comes to modern malware campaigns.

Protections

Fortinet has AV coverage in place for all 16 samples described in the latest playbook on Emotet:

Malicious Word Documents
VBA/Agent.3862!tr.dldr
VBA/Agent.NVE!tr
VBA/Agent.F3D4!tr.dldr

Emotet
W32/GenKryptik.DUMV!tr
W32/Packed.FVW!tr
Malicious_Behavior.SB
W32/Kryptik.GXIK!tr
W32/GenKryptik.DVLJ!tr

Trickbot
W32/Kryptik.GWZG!tr

In addition, all network IOCs have been blacklisted by the FortiGuard Web Filtering client.

Find out more about the latest iterations of Emotet in our new playbook.
