SECURITY ALERT: Emotet Infected A Large Danish Company
#1
Quote:

Emotet Attacks Don’t Seem to Be Stopping Anytime Soon

Recently, a large Danish company was hit by Emotet, a highly popular and dangerous type of malware, which is causing extensive and disruptive incidents. Emotet acts as a downloader/dropper, with multiple features, and in many cases, plants a secondary payload (for instance, the TrickBot data stealer, which can, later on, initiate ransomware payloads within a Windows network).

How does Emotet work?

Since its arrival in 2014, it transitioned from a banking Trojan that stole credentials from infected hosts to a loader, a malware that gains access to a system and then allows the download of additional payloads. Secondary payloads could be any type of executable code, from Emotet’s own modules to malware developed by other cybercriminals.

The Emotet gangs have used this malware to create a botnet, which is being sold as Malware-as-a-Service. Once they are infected, new machines are added to the Emotet botnet and on all these corrupted computers, the Emotet malware serves as a downloader for other attacks.

Emotet is known to offer modules capable of scraping passwords from local applications, extend laterally to other machines on the same network, and even capture entire email threads in spam campaigns for later reuse.

Some of the most famous users of Emotet are the operators of the Bitpaymer and Ryuk ransomware strains, who have often shown connections to Emotet-infected hosts and affected corporate networks or local governments. Ryuk ransomware was the most common strain that infected the organizations that paid the highest ransoms of 2019.

Emotet seems to shut down its command & control servers periodically, only to return with new methods of propagation, social engineering campaigns, banking trojans, and ransomware.

Currently, we’ve spotted yet another Emotet incident that, according to our sources, has infected a major Danish company.

How this new malicious campaign infects victims with Emotet

After a break during which Emotet has expanded and improved its dropper and infrastructure, it is now back on track.

“Invoices” or “balance inquiries” in the form of Word documents are added as email attachments or download links are included in the email body. All of these documents are, of course, malicious.

Emotet runs on three separate botnets: Epoch 1, Epoch 2, and Epoch 3.

Below you can find a few examples that illustrate how dynamic the payload is:
Quote:
Epoch 1:

doc_20200202_S[5 digits].doc

doc_20200202_S[5 digits].doc

Epoch 2:

BAL_PO_01312020EX.rtf

V_PO_01312020EX.rtf

Epoch 3:

INVOICE OQR988_[8 digits].doc

invoice-YSTW3153_[8 digits].doc

Also, 35 out of 56 engines on Virus Total indicate that these files are indeed malicious:

[Image: virus-total-emotet.png]

The documents are polymorphic and change both in size and content. If the macro execution is allowed, it will drop Emotet.

The heatmap below illustrates the location of the Emotet tier-1 C&C servers. There are currently 379 active servers.

Our MailSentry and Thor Foresight Enterprise users are protected from these unwanted emails. As always, Heimdal Security blocks these malicious domains.

How to protect your organization from Emotet

Without a doubt, your workforce should be your first layer of defense. Thus, your employees must develop the highly valuable skill of identifying suspicious emails, not opening them, and not clicking on fishy links. So, user training definitely is your first step towards digital safety.

Yet sometimes, the human factor can make your company vulnerable from within. For instance, an employee could accidentally click on an infected link and allow malware to infiltrate your organization, or fall prey to a spear-phishing attack and contribute to the increasing number of business email compromise (BEC) victims. Therefore, you also need to start using the right tools to protect your organization and increase your overall defense.

Conclusion

Emotet is certainly one of today’s largest and most dangerous malware botnets and can lead to serious damage. Any company or organization should be vigilant and not postpone the creation of a solid cybersecurity strategy.

Stay safe!
...
[-] The following 1 user says Thank You to harlan4096 for this post:
  • ismail
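The quoted article lists the attachment filename patterns used by the three Emotet botnets (Epoch 1, 2 and 3). The script below is an added example, not code from Heimdal or from the post, showing how a defender can turn those patterns into a triage check over mail-gateway logs. The log line format (`mailgw from=... to=... attachment="..."`), the sender and recipient addresses, and the exact digit counts around the quoted placeholders are assumptions; the sample log lines are constructed for the example.

```python
import re
from dataclasses import dataclass

# Regexes derived from the filename patterns quoted in the post.
# The "[5 digits]" / "[8 digits]" placeholders become \d{5} / \d{8};
# the surrounding shape of each name (no spaces, fixed prefix/suffix)
# is an assumption about how the campaign forms the rest of the name.
EMOTET_ATTACHMENT_PATTERNS = {
    "epoch1": re.compile(r"^doc_\d{8}_S\d{5}\.doc$", re.IGNORECASE),
    "epoch2": re.compile(r"^(?:BAL|V)_PO_\d{8}EX\.rtf$", re.IGNORECASE),
    "epoch3": re.compile(r"^invoice[ _-][A-Z0-9]+_\d{8}\.doc$", re.IGNORECASE),
}

# Assumed mail-gateway log format used for this example.
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) mailgw from=(?P<from>\S+) to=(?P<to>\S+) '
    r'attachment="(?P<att>[^"]+)"$'
)

# Constructed sample log lines (addresses and timestamps are made up).
SAMPLE_LOG = [
    '2020-02-03T08:12:01Z mailgw from=billing@sender.invalid to=ap@corp.invalid '
    'attachment="doc_20200202_S41532.doc"',
    '2020-02-03T08:13:00Z mailgw from=hr@corp.invalid to=staff@corp.invalid '
    'attachment="Q1_report.xlsx"',
    '2020-02-03T08:14:20Z mailgw from=orders@sender.invalid to=ap@corp.invalid '
    'attachment="BAL_PO_01312020EX.rtf"',
    '2020-02-03T08:15:05Z mailgw from=acct@sender.invalid to=ap@corp.invalid '
    'attachment="INVOICE OQR988_20200131.doc"',
    '2020-02-03T08:16:44Z mailgw from=acct@sender.invalid to=cfo@corp.invalid '
    'attachment="invoice-YSTW3153_20200131.doc"',
]


@dataclass
class Finding:
    """One attachment whose name matches a known Emotet botnet pattern."""
    timestamp: str
    sender: str
    attachment: str
    botnet: str


def classify_attachment(name):
    """Return the botnet label whose pattern matches `name`, or None."""
    for botnet, pattern in EMOTET_ATTACHMENT_PATTERNS.items():
        if pattern.match(name):
            return botnet
    return None


def scan_mail_log(lines):
    """Parse gateway log lines and collect attachments matching Emotet names."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # unrelated or malformed line, skip it
        botnet = classify_attachment(m.group("att"))
        if botnet:
            findings.append(Finding(m.group("ts"), m.group("from"),
                                    m.group("att"), botnet))
    return findings


def summarize(findings):
    """Count findings per botnet so an analyst sees which epoch is active."""
    counts = {}
    for f in findings:
        counts[f.botnet] = counts.get(f.botnet, 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_mail_log(SAMPLE_LOG)
    for f in hits:
        print(f"{f.timestamp} {f.sender} -> {f.attachment} [{f.botnet}]")
    print(summarize(hits))
```

Filename matching is a cheap first-pass signal for hunting across gateway logs and for correlating with the VirusTotal hashes mentioned in the post; the names are polymorphic and the patterns will drift, so it complements rather than replaces blocking macro execution in documents that arrive from outside the organization.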