First identified in 2014, Emotet has continued to infect systems and compromise users to this day, which has kept it in the news far longer than other threats from the same year.
The last version of Emotet was seen back in February, when it was distributed across WLAN networks, highlighting how this malware had evolved from a banker Trojan aimed at stealing financial details to a global threat to all users.
Now, this polymorphic malware, which is able to adapt itself every time it is downloaded in order to evade detection, is once again on the rampage after five months in hiding.
Criminals are again using email as an attack vector
In this latest reappearance, Emotet has returned to one of its favorite attack vectors: a massive spam campaign with malicious links or attachments. Looking back over its history, malspam has been the prime channel through which Emotet has spread. The malware harvests the victim's contact list and mails itself to their friends, associates, relatives, and so on. Because these emails come from a known address, they don't look like spam, and the recipients are more likely to feel safe clicking the links or opening the infected attachments.
What are the files like? Once again, the attackers sent thousands of emails with invoices, reports, delivery receipts, and even job offers.
Who do these emails target? The messages are mainly sent out to companies, and once a system is infected, it is often used to continue sending out these messages to the contacts in the address book.
One characteristic of Emotet is that it downloads several modules that allow it to launch a wide variety of malicious actions, especially on corporate networks. These include lateral movement across systems on the same network, theft of credentials and cookies stored in browsers, theft of bank credentials and of credentials for remote access applications such as OpenSSH, VNC and PuTTY, and theft of Windows Active Directory databases.
Moreover, current versions of Emotet can install other malware on infected devices, including other banker Trojans and malspam delivery services. Until a few months ago, the Ryuk ransomware was the usual payload; since its reappearance, Emotet has been spreading other malware across networks, such as Conti. Criminals can thereby steal confidential information and then demand a ransom.
How to protect against Emotet
- Disabling macros by default in Office programs is an effective security barrier that stops this type of malware from spreading unchecked.
- Keep your devices up to date with the most recent patches for Microsoft Windows. Emotet can exploit the Windows EternalBlue vulnerability, so ensure this hole is not left open on your network.
- Awareness: employees are often the weakest link in the cybersecurity chain, so it is vital to teach them how to recognize phishing emails. Don't download suspicious files or click suspicious links.
- Use strong passwords, and enable two-factor authentication wherever it is available.
- Another essential measure to protect against this type of advanced threat is a cybersecurity solution. Panda Adaptive Defense includes technologies designed specifically to detect advanced threats like Emotet.
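The first two items above can be checked on a Windows host with the following PowerShell audit script; it is an added example, not code from the article or from Panda, and it goes slightly beyond the text by covering Word, Excel and PowerPoint and the "block macros from the Internet" policy as well as SMBv1, the protocol EternalBlue targets. It assumes Office 2016/2019/365 (policy hive version 16.0), a client edition of Windows, and an elevated session; the `-Remediate` switch name is the example's own.

```powershell
param([switch]$Remediate)

$OfficeVersion = "16.0"      # policy hive version for Office 2016/2019/365 (assumption)
$Apps = "Word", "Excel", "PowerPoint"
# VBAWarnings: 1 = enable all, 2 = disable with notification (Office default),
# 3 = disable all except digitally signed, 4 = disable all without notification.
$WantedVbaWarnings = 4

function Get-PolicyValue([string]$Key, [string]$Name) {
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Set-PolicyValue([string]$Key, [string]$Name, [int]$Value) {
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

foreach ($app in $Apps) {
    $key  = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
    $vba  = Get-PolicyValue $key "VBAWarnings"
    # blockcontentexecutionfrominternet = 1 blocks macros in files carrying the mark of the web,
    # i.e. the "invoices" and "receipts" that arrive as email attachments.
    $motw = Get-PolicyValue $key "blockcontentexecutionfrominternet"
    # 2 (notify) still shows the "Enable Content" button that the lures rely on; 3 or 4 removes it.
    $weak = ($null -eq $vba) -or ($vba -lt 3) -or ($motw -ne 1)
    $vbaText  = if ($null -eq $vba)  { "unset" } else { $vba }
    $motwText = if ($null -eq $motw) { "unset" } else { $motw }
    $state    = if ($weak) { "WEAK" } else { "OK" }
    "{0,-10} VBAWarnings={1,-5} BlockFromInternet={2,-5} {3}" -f $app, $vbaText, $motwText, $state
    if ($weak -and $Remediate) {
        Set-PolicyValue $key "VBAWarnings" $WantedVbaWarnings
        Set-PolicyValue $key "blockcontentexecutionfrominternet" 1
    }
}

# EternalBlue targets SMBv1; even a patched host should not offer the protocol at all.
$smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
"SMBv1 server enabled: $smb1  " + $(if ($smb1) { "WEAK" } else { "OK" })
if ($smb1 -and $Remediate) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}
```

Run it without the switch to report, and with `-Remediate` to write the policy values and turn SMBv1 off; the registry changes apply per user and should be rolled out via Group Policy in a managed environment.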