Emotet has a history of disappearing and re-emerging. Most notably, it went underground after a coordinated takedown in January 2021, when law enforcement agencies in eight countries, including the Federal Bureau of Investigation (FBI), took control of the infrastructure behind what was then described as the world's most dangerous malware operation. The action covered hundreds of servers worldwide; investigators took the botnet down from the inside and redirected victims' infected machines to a law enforcement-controlled environment.
Emotet has been linked to many destructive ransomware incidents and associated with TrickBot, Dridex, QakBot, Conti/Ryuk, BitPaymer and REvil-related attacks. First discovered as a banking trojan in 2014, the malware evolved over time into a loader platform that other criminal groups relied on for initial access.
Emotet was sold as a service to smaller operators and criminal groups: access to already-compromised systems that could then be used for data theft and ransomware extortion. Following the law enforcement action the operation went quiet for roughly 10 months, resurfacing in November 2021 and, by Q1 2022, returning in force with new tactics and targets.
A Deeper Dive Into Emotet
Here’s what’s new with Emotet:
- In March 2022, during U.S. tax season, Emotet impersonated the IRS, sending victims fake tax forms and bogus federal tax returns as lures.
- By July 2022 researchers were reporting Emotet as the most prevalent malware threat.
- Threat intelligence firm AdvIntel observed a total of 1,267,598 Emotet infections worldwide so far in 2022. Activity peaked between February and March 2022, coinciding with the start of the Russia-Ukraine conflict. On August 8, 2022, AdvIntel confirmed that two education entities in Kansas City were infected with the botnet, and on August 12, 2022, that it had infected seven organizations across the financial, legal and manufacturing sectors; the largest was a finance firm in India with an annual revenue of $9 million.
- Now that Microsoft blocks VBA macros by default in Office files that came from the internet, Emotet's operators have pivoted to HTML Application (HTA) files, Windows shortcut (LNK) files and ISO disk images to get a foothold in enterprise networks. ISO images were attractive because, at the time, files inside a mounted image did not inherit the Mark-of-the-Web, so the macro block and SmartScreen checks that depend on it never fired. Organizations should treat these file types as suspicious whenever they arrive as email attachments, including when they are wrapped in a ZIP archive.
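The following is an added example, not code from the article or from Avertium, showing how a responder might triage a folder of saved attachments for the file types named above. It also lists ZIP members without extracting them and reports whether each file carries a Mark-of-the-Web (Zone.Identifier stream), which is what the ISO trick was designed to defeat. The extension list is widened beyond the article's three types (disk-image and script cousins), which is my assumption; the Downloads folder at the bottom is only an assumed starting point.

```powershell
# Added example; assumes PowerShell 5.1 or 7 on Windows.
Add-Type -AssemblyName System.IO.Compression.FileSystem

# HTA, LNK and ISO from the article, plus related container/script types (assumption).
$RiskyExtensions = @('.iso', '.img', '.vhd', '.vhdx', '.lnk', '.hta', '.js', '.vbs')

function Get-ZoneId {
    # Parse the Zone.Identifier alternate data stream; 3 means the Internet zone.
    # Returns $null when the file carries no Mark-of-the-Web at all.
    param([Parameter(Mandatory)][string]$Path)
    $ads = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    foreach ($line in @($ads)) {
        if ($line -match '^ZoneId=(\d+)\s*$') { return [int]$Matches[1] }
    }
    return $null
}

function New-Finding {
    param($File, $Member, $Reason)
    [pscustomobject]@{
        File   = $File.FullName
        Member = $Member
        Reason = $Reason
        ZoneId = Get-ZoneId -Path $File.FullName
    }
}

function Find-RiskyAttachment {
    param([Parameter(Mandatory)][string]$Folder)
    foreach ($file in Get-ChildItem -LiteralPath $Folder -File -Recurse) {
        $ext = $file.Extension.ToLowerInvariant()
        if ($RiskyExtensions -contains $ext) {
            New-Finding -File $file -Member $null -Reason "attachment is $ext"
            continue
        }
        if ($ext -ne '.zip') { continue }
        # Lures often wrap the ISO/LNK in a ZIP. Listing members does not extract anything,
        # and member names stay readable even when the archive is password protected.
        try {
            $zip = [System.IO.Compression.ZipFile]::OpenRead($file.FullName)
            try {
                foreach ($entry in $zip.Entries) {
                    $memberExt = [System.IO.Path]::GetExtension($entry.Name).ToLowerInvariant()
                    if ($RiskyExtensions -contains $memberExt) {
                        New-Finding -File $file -Member $entry.FullName -Reason "zip member is $memberExt"
                    }
                }
            } finally { $zip.Dispose() }
        } catch {
            # A corrupt or truncated archive is itself worth a look rather than a silent skip.
            New-Finding -File $file -Member $null -Reason "zip could not be read: $($_.Exception.Message)"
        }
    }
}

Find-RiskyAttachment -Folder (Join-Path $env:USERPROFILE 'Downloads') | Format-Table -AutoSize
```

A finding with an empty ZoneId column on a file that arrived by email is the case to look at first: the browser or mail client should have tagged it, and its absence means the downstream macro block and SmartScreen prompts would not have applied.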
How to Guard Against Emotet
According to Avertium's analysis, the following measures help keep these file types from reaching users or from running when clicked:
- Unregister the ISO file extension in Windows Explorer. With no registered handler, Windows will not mount the image when it is double-clicked, which prevents a user from accidentally executing malware by clicking a malicious file.
- Because phishing is the most common way employees end up downloading malicious files, deploy a secure email gateway at the mail server to inspect incoming mail for signs of attack and filter malicious messages and attachments before they are delivered.
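One way to carry out the ISO step above, as an added example rather than Avertium's or the article's own procedure: the built-in `Windows.IsoFile` and `Windows.VhdFile` ProgIDs expose a `mount` verb under `shell\mount`, and adding a `ProgrammaticAccessOnly` value to that verb key hides it from the Explorer context menu and from the double-click default action, so clicking a mailed image yields an "open with" prompt instead of a mounted drive letter. The script assumes an elevated PowerShell session on Windows 10 or 11; `Mount-DiskImage` and other programmatic callers keep working, so this is a control on user interaction, not on the mounting API.

```powershell
# Added example; assumes an elevated PowerShell session on Windows 10/11.
$ImageProgIds = @('Windows.IsoFile', 'Windows.VhdFile')

function Disable-ExplorerImageMount {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($progId in $ImageProgIds) {
        $key = "Registry::HKEY_CLASSES_ROOT\$progId\shell\mount"
        if (-not (Test-Path -LiteralPath $key)) {
            Write-Warning "$key not found; nothing to change"
            continue
        }
        if ($PSCmdlet.ShouldProcess($key, 'Add ProgrammaticAccessOnly')) {
            # Only the presence of the value matters; the shell ignores its data.
            New-ItemProperty -LiteralPath $key -Name 'ProgrammaticAccessOnly' `
                -Value '' -PropertyType String -Force | Out-Null
        }
    }
}

function Test-ExplorerImageMount {
    # Report the current state so the change can be verified here and audited elsewhere.
    foreach ($progId in $ImageProgIds) {
        $key = "Registry::HKEY_CLASSES_ROOT\$progId\shell\mount"
        $prop = Get-ItemProperty -LiteralPath $key -Name 'ProgrammaticAccessOnly' -ErrorAction SilentlyContinue
        [pscustomobject]@{
            ProgId          = $progId
            MountVerbHidden = [bool]$prop
        }
    }
}

Disable-ExplorerImageMount -WhatIf   # dry run: shows the keys that would be touched
Disable-ExplorerImageMount
Test-ExplorerImageMount
```

Verify on a test host that double-clicking an `.iso` now prompts rather than mounts before rolling the same registry value out fleet-wide (Group Policy Preferences registry items are the usual vehicle), and keep `Test-ExplorerImageMount` in your configuration checks so a reimaged or drifted machine is noticed.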
To further guard against Emotet infection, Avertium offered the following recommendations:
- Block communication to known command-and-control (C2) servers so that an Emotet foothold cannot download follow-on payloads onto compromised devices.
- Apply security patches to your devices as soon as they are released.
- Provide awareness training for employees on the dangers of phishing emails.
- Ensure that employees know what a botnet infection could look like and how to avoid links that may be hazardous.
- Work with an MSSP that can consistently monitor your attack surface and respond to the vulnerabilities in it.
- Regularly verify scheduled backup routines, including integrity checks and offsite or offline storage.