SECURITY ADVISORY: Heightened threat from a very damaging infection

November 2018

As a specialist in investigating and responding to cybersecurity incidents, Forensik is concerned about a marked increase, over the last 3 months, in a threat that has already affected a number of our clients, seriously impacting the availability of their systems and their ability to conduct their business.

A number of our clients have struggled with a highly virulent piece of malware: the Emotet virus. We have observed an increasing infection rate among our clients, and we would like to inform you through this advisory of the short-term security measures we recommend to prevent the propagation of this virus.

What is Emotet?

Emotet is not new to cybersecurity, but it continues to be one of the most costly and destructive types of malware, affecting governments as well as organizations in the public and private sectors.

Why is it particularly virulent?

Emotet is a rootkit-type Trojan horse described as polymorphic, meaning that it

  1. can avoid detection based on the signatures of current antivirus software;
  2. has multiple ways to maintain itself in contaminated computer systems;
  3. continually and dynamically evolves;
  4. can generate false “indicators” to hide from system administrators;
  5. spreads through a computer network by “stealing” system administration accounts.

How does Emotet propagate itself?

Emotet is primarily spread via infected emails, through phishing (emails containing malicious attachments or links). The initial infection usually happens when a user opens an email attachment, or clicks a link leading to a malicious download, in the form of a PDF document or a macro-enabled Microsoft Word document.

Once it has been downloaded, Emotet becomes established and attempts to propagate itself through local networks using propagation modules incorporated in the malware.

Once a system has been infected, what are the possible impacts?

Unfortunately, the news is not particularly comforting. Currently, no organization in the world has managed to find a simple, effective method to deal with this all too well-designed virus. The problem lies in the fact that because it is polymorphic and highly persistent, rooting it out is like a game of whack-a-mole. Every time you think it’s been eliminated, it resurfaces in a different form.

As a result, at the moment once you’ve been infected, your primary focus should be containing the infection, analyzing your network and, unfortunately, reinstalling your systems.

Why should you be concerned?

Emotet is particularly dangerous when it “finds” a computer network with a poor level of security, which is still the case with many organizations, large and small, even in 2018.

As explained earlier, Emotet propagates itself via emails from one organization to another. So if the measures recommended below are not in place in your environment, it just takes one user inadvertently clicking on an infected email and your organization is at very high risk.

An Emotet infection can have disastrous consequences for you because it takes control of your network quickly once it is installed on one of your devices. Infections typically last for weeks, interfere with your business during that time, and require an enormous amount of work to be rooted out.

So it is in your interest to be well prepared.

What should be done to prevent an infection?

To prevent an infection, we recommend that you take a number of simple measures, if they have not already been taken in your organization. Although they aren’t absolutely fail-safe, they could save you from a large-scale infection.

Since the internal propagation method used by Emotet is largely based on capturing passwords from local system administrator accounts, it is important to take the following basic measures in your environments:

  1. Filter incoming emails for phishing attempts. Many platforms allow you to filter emails with a very high success rate.
  2. As much as possible, deactivate Office macros on workstations. This can be done via GPO, PowerShell or even a VBScript.

Once this is done, some documents may be unusable if they contain macros. In that case, they will need to be handled as exceptions.

  3. Make sure local administrator accounts have different passwords for each Windows system in your environment. This slows propagation between systems. A number of different methods can be used to put this type of measure in place, including commercial PAM solutions or Microsoft’s free solution for Windows systems: Local Administrator Password Solution (LAPS).
  4. Make sure operating systems are up to date and the latest security patches are installed.
  5. Make sure you have recent, regular offline backup copies of your systems and critical data. Don’t forget that Active Directory is a critical system and should be backed up.
  6. Have a local firewall configured on your systems to limit unusual connections between them. For example, it isn’t normal for workstations to communicate with each other. Also, your organization’s servers should not be able to communicate directly with the Internet.
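The macro and local-firewall measures above, applied on a single workstation. This is an added example written for this advisory, not a Forensik or Microsoft script; it assumes Office 2013 and 2016 or later (policy keys 15.0 and 16.0), and 10.10.0.0/16 is a placeholder for your workstation subnet. At scale, push the same registry values with a GPO rather than running this per user.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the advisory. Assumptions: Office policy keys
# 15.0/16.0; 10.10.0.0/16 is a placeholder workstation subnet.

function Disable-OfficeMacros {
    param(
        [string[]]$OfficeVersions = @('15.0', '16.0'),
        [string[]]$Apps = @('Word', 'Excel', 'PowerPoint')
    )
    foreach ($ver in $OfficeVersions) {
        foreach ($app in $Apps) {
            $key = "HKCU:\Software\Policies\Microsoft\Office\$ver\$app\Security"
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            # VBAWarnings = 4: "Disable all macros without notification"
            Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value 4 -Type DWord
            # Also block macros in files carrying the Mark-of-the-Web (email, downloads)
            Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
        }
    }
}

function Block-WorkstationSmb {
    # Workstations have no reason to accept SMB from other workstations; the
    # credential enumerator needs exactly that to write its service component.
    param([string]$WorkstationSubnet = '10.10.0.0/16')
    $name = 'Block inbound SMB from workstations (Emotet)'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort 445, 139 -RemoteAddress $WorkstationSubnet `
            -Action Block -Profile Domain | Out-Null
    }
}

function Test-MacroHardening {
    # One row per Office app/version so the result can be checked or logged.
    foreach ($ver in '15.0', '16.0') {
        foreach ($app in 'Word', 'Excel', 'PowerPoint') {
            $key = "HKCU:\Software\Policies\Microsoft\Office\$ver\$app\Security"
            $v = (Get-ItemProperty -Path $key -Name 'VBAWarnings' -ErrorAction SilentlyContinue).VBAWarnings
            [pscustomobject]@{ Version = $ver; App = $app; MacrosDisabled = ($v -eq 4) }
        }
    }
}

Disable-OfficeMacros
Block-WorkstationSmb
Test-MacroHardening | Format-Table
```

Documents that legitimately need macros then have to be handled as exceptions (for example by the digitally-signed-only setting, VBAWarnings = 3, for specific users).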

Although these measures are essential and it’s important to put them in place, they cannot prevent all intrusions. Effective security depends on integrating measures into all layers of your systems.

You will therefore also need to consider a long-term action plan. We urge you to consider implementing the 20 critical security controls recommended by the SANS Institute and the CIS.

The CIS Critical Security Controls for Effective Cyber Defense

The CIS Critical Security Controls are a recommended set of actions for cyber defense that provide specific and actionable ways to stop today’s most pervasive and dangerous attacks. A principal benefit of the Controls is that they prioritize and focus a smaller number of actions with high pay-off results. The Controls are effective because they are derived from the most common attack patterns highlighted in the leading threat reports and vetted across a very broad community of government and industry practitioners. They were created to answer the question, “what do we need to do to stop known attacks.” That group of experts reached consensus and today we have the most current Controls.

What should be done in the event of an infection?

If you haven’t had time to implement the recommendations listed above and think you’ve been infected, here are our recommendations:

  1. disconnect from the network every device you think may have been compromised;
  2. contact our incident management centre;
  3. reset the passwords of users who have recently logged in on infected devices;
  4. reinstall a clean version of the operating system on the targeted devices;
  5. carefully monitor all activity on your network;
  6. ask the users of compromised devices to reset the passwords for their personal accounts that have been used on those devices – or on any devices – starting with highly sensitive accounts such as bank accounts, social media, etc.

For network administrators:

Currently, Emotet uses five known modules to propagate itself:

  • exe: a legitimate utility developed by NirSoft that recovers all network passwords stored on a system for the user who is currently connected. This tool can also recover passwords stored in the credentials file of external drives.
  • Outlook scraper: a tool that extracts the names and email addresses from the victim’s Outlook accounts and uses that information to send additional phishing emails from the compromised accounts.
  • WebBrowserPassView: a password recovery tool that captures the passwords stored by Internet Explorer, Mozilla Firefox, Google Chrome, Safari and Opera and sends them to the credential enumeration module.
  • Mail PassView: a password recovery tool that reveals passwords and account details for various email clients such as Microsoft Outlook, Windows Mail, Mozilla Thunderbird, Hotmail, Yahoo! Mail and Gmail and sends them to the credential enumeration module.
  • The credential enumerator: a self-extracting RAR file containing two components: a bypass component and a service component.

The bypass component is used to identify network resources. It looks for shares that are writable via SMB (Server Message Block) or brute-forces the passwords of user accounts, including the administrator account. Once an accessible system has been found, Emotet writes the service component onto that system, and the service component writes Emotet to disk. Emotet’s access to SMB can lead to the infection of whole domains (servers and clients).
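The two behaviours described above (a burst of failed logons while accounts are brute-forced over SMB, then a service installed from a dropped binary) leave traces in Windows event logs. The following is an added example, not part of the advisory, that flags both from Security event 4625 (failed logon) and System event 7045 (new service installed); it runs on constructed sample records, and in production the same function would be fed objects built from Get-WinEvent output.

```powershell
# Added example, not code from the advisory. Event objects are assumed to carry
# Id, Time, Computer, SourceIp (4625) and ImagePath (7045); sample data is constructed.

function Find-EmotetLateralMovement {
    param(
        [object[]]$Events,
        [int]$FailedLogonThreshold = 20,
        [int]$WindowMinutes = 5
    )
    $findings = New-Object System.Collections.Generic.List[object]
    # 1. Threshold failed logons from one source host inside the window: account brute-forcing
    foreach ($group in ($Events | Where-Object Id -eq 4625 | Group-Object SourceIp)) {
        $times = @($group.Group | Sort-Object Time | ForEach-Object Time)
        for ($i = 0; $i + $FailedLogonThreshold - 1 -lt $times.Count; $i++) {
            $span = $times[$i + $FailedLogonThreshold - 1] - $times[$i]
            if ($span.TotalMinutes -le $WindowMinutes) {
                $findings.Add([pscustomobject]@{ Type = 'BruteForce'; Host = $group.Name;
                                                 Detail = "$($group.Count) failed logons" })
                break
            }
        }
    }
    # 2. New service whose binary lives outside System32: the dropped service component
    foreach ($e in ($Events | Where-Object { $_.Id -eq 7045 -and $_.ImagePath -notmatch '^C:\\Windows\\System32\\' })) {
        $findings.Add([pscustomobject]@{ Type = 'SuspiciousService'; Host = $e.Computer; Detail = $e.ImagePath })
    }
    return $findings
}

# Constructed sample: 25 failed logons in 72 seconds from one workstation, then a
# service installed from a user-writable path on the host that was reached.
$t0 = [datetime]'2018-11-05T09:00:00'
$sample = @(0..24 | ForEach-Object {
    [pscustomobject]@{ Id = 4625; Time = $t0.AddSeconds($_ * 3); SourceIp = '10.10.5.23'; Computer = 'WS-0042' }
})
$sample += [pscustomobject]@{ Id = 7045; Time = $t0.AddMinutes(3); Computer = 'WS-0042';
                              ImagePath = 'C:\Users\Public\svc_update.exe' }

Find-EmotetLateralMovement -Events $sample | Format-Table
```

Tune the threshold and window to the normal failed-logon rate of your environment, and treat both findings as a reason to isolate the source host, not as proof on their own.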

How can Forensik help you?

In the event of an incident, our response team is trained and equipped to react. Just like responders in a medical emergency, we deal with this type of situation on a regular basis. Our experts can:

  1. take charge of the situation and provide you with step-by-step guidance to deal with the infection;
  2. provide you with the specialists and equipment needed to resolve the incident;
  3. provide you with the benefit of many years of experience in responding to incidents both major and minor.

Our team uses key expertise, equipment and processes in cybersecurity, malware analysis and surveillance to help you take back control of your network.

We work closely with your internal team and regular IT partners to maximize your own technology skills and knowledge of your systems.

How can In Fidem help you?

Forensik’s parent company, In Fidem, specializes in information security management. Our approach is to ensure that cybersecurity is integrated into your organization’s vision and strategy, so that it is as agile as the threats it faces and as ambitious as the growth you are looking for.

Our experts can:

  1. assess the effectiveness of your existing security measures;
  2. advise you on improving your security measures to reduce your risks;
  3. support you in implementing security measures tailored to your needs.

Adopt the In Fidem approach: see cybersecurity as a PERFORMANCE accelerator.
