Blog

Emotet Dominates the Threat Landscape in 2019

First discovered in 2014, Emotet is among some of the most destructive malware which has continued to threaten users through its worm-like abilities, polymorphic features, and five scrupulous spreader modules. Created as a banking Trojan which stole data by intercepting internet traffic, the malware started evolving in its new versions and is presently known to have the ability of downloading and dropping other malware in the form of banking Trojans or spam delivery services.

Operated by a group called Mealybug, Emotet is known to have combined with Trickbot and Qakbot which has helped the notorious malware to become more aggressive and also expand its reach thus becoming a threat for individuals as well as businesses. Incidents of Emotet infection can run up costs of over $1 million in the cleanup.

Germany suffers the highest number of Emotet attacks (30.77%) with US users not very far behind (22.53%). With new evasion techniques, the malware is beginning to target users in more and more countries and even explore new targets in various industries.

How Does It Work?

The infection process mostly starts with something as basic as a phishing email. Since it will use familiar branding along with links that may appear important, like a link to track a parcel or a link to open an invoice or show your payment details.The malware travels to your computer through a malicious script or link or a macro-enabled document.

One of the dangers stemming from this malware is that it avoids detection and analysis in the following ways:

• Its polymorphic nature helps it escape signature-based detection.
• It detects virtual machines and is known to remain dormant in sandbox environments.

At this time, Emotet uses the following 5 spreader modules:

• NetPass.exe – The tool can recover all network passwords stored on a system including the recovery of passwords which are in the credential files of external drives.
• Outlook Scraper – It ransacks the outlook account to recover emails and names which are used for sending spam through your email address. Since the recipients feel that the emails are coming from you, they are more likely to open and click on a malicious link.
• Credential Enumerator – This self-extracting RAR file consists of two components, namely, the bypass component and the service component. The bypass component looks for writable share drives with the help of Service Message Block. It may also end up utilizing brute force attack trying to use a list of common passwords to gain access to other computers on the network. If it manages to enter the administrator account, then the service component is written on the system and Emotet houses itself on the disk. This can create serious breaches and may result in the infection of an entire domain.
• WebBrowserPassView – It is used for recovering passwords stored on popularly used web browsers which are transferred to the credential enumerator.
• Mail PassView – It is employed for recovering the passwords and email accounts on various email clients which are transferred to the credential enumerator.

Emotet is also known to spread without human interaction using the Eternal Blue vulnerabilities,which are known to be utilized for the WannaCry attack.

Using Malware Database as a Preventive Measure

As attacks from Emotet become more complicated, and the malware in itself has evolved as a downloader and dropper and also featured in synergy with other malware, awareness becomes extremely important. Databases play a significant role in making security systems aware of known threats that can be blocked. You will find a number of malware databases which provide information on malicious IP addresses, URLs and domains.

By looking up domains on malware databases before connecting with them or by using malicious URL lists, you can block these threats, defend your network and reduce the risk of unwanted infection by Emotet and other known malware. Such measures can help small and big businesses to reduce the risks of both threats and costly attacks. 

In its most recent form, Emotet is known to be able to intercept emails to include malicious content. Its disruptive abilities and continual updates have made it difficult to trace. This is why it is important that you use databases which are regularly updated and boast a reputation of including the maximum number of malware on its list.

However, checking and authenticating malware databases can be quite cumbersome and in order to facilitate this task, we provide Domain Malware Check API which checks various major malware databases to see if a domain is blacklisted or considered dangerous, i.e. related to a malware distribution network or hosts a malicious code. It is a comprehensive tool to protect users, networks, and servers from all sorts of malware attack and threat. It helps security analysts save a lot of time because there is no need to perform searches manually from multiple sources.

Emotet’s worm-like abilities make it challenging for organizations to contain the infection. Since the network gets infected without human interaction, network operators have to be extremely vigilant and most employ defensive systems that can guard the network against single point failures.