Throughout 2019, the Emotet trojan gained increasing notoriety for spreading malicious emails, while also being blamed for helping to deliver ransomware like Ryuk.
In more recent campaigns, Emotet operators crafted very ingenuous phishing emails with an invitation to contribute to the menu of an upcoming Christmas party. In another invitation, Emotet jumped on people’s aspiration to support Greta Thunberg, Time Person of the Year 2019, by calling on readers to join in a demonstration against inaction on climate change.
Interestingly, Emotet also appears to have some steam to blow off with ESET. The Emotet writers, on occasion, drop comments into their code seemingly either venting their frustration at ESET or perhaps even a kind of temporary elation:
Emotet seems to have some beef with ESET it seems :) pic.twitter.com/zSzz5r4Jhd
— Myrtus (@Myrtus0x0) November 20, 2019
(image above) ESET’s detection technologies have been consistently blocking Emotet and all its variants, which could certainly elicit this kind of rude remark.
For businesses, the crafty social engineering tactics employed by Emotet could cause concern about the cyberawareness of your employees and conversely the robustness of your security systems. According to recent research from Virus Bulletin, Emotet can still bypass a number of email security products on the market. “Emails containing Emotet-infected malicious attachments continued to be the most difficult to block,” said the report from Virus Bulletin.
(image below) Fortunately for business users of ESET Mail Security for Microsoft Exchange Server, VBSpam testing shows that ESET has the highest spam, phishing and malware detection rates with the lowest false positive rate among competitors:
(image below) These are especially important metrics and necessary for businesses to assess their protection in the face of ongoing campaigns by Emotet. ESET LiveGrid® detections of Emotet from September to December 2019 showed a rising trend:
Layered protection in action
This telemetry data is a good indicator of the level of protection that devices protected by ESET enjoy against Emotet by detecting and blocking it before any possible compromise.
It should be kept in mind that simply receiving an email and downloading an attached Word document – one of Emotet’s methods to gain access to your device – does not necessarily mean your computer is compromised. The default security setting when opening email attachments is to use a “Protected View” with macros disabled, rendering the attachment innocuous.
But, to gain a better understanding of how ESET detects and blocks Emotet, let’s take a deeper dive.
The detection of a malicious attachment can be done even when it is unopened (depending on the level of its obfuscation) through sandbox analysis and a query of its reputation. ESET LiveGrid® collects suspicious samples submitted by millions of ESET-protected endpoints from around the world for machine learning analysis in the cloud. The collected knowledge from any detections is then shared via the ESET LiveGrid® Reputation System to keep users protected from threats detected in other parts of the world.
In the case of Emotet, if a user should open a malicious attachment and mistakenly enable macros, a set of PowerShell commands runs that attempt to contact compromised domains in order to download another malicious file. The malicious behavior displayed by such macro code can be detected and monitored thanks to security layers such as ESET’s Host-based intrusion prevention system (HIPS) and DNA detections.
HIPS is a behavior-based detection framework built into many ESET products that provides advanced capabilities to monitor low-level API calls for suspicious behavior that should be further inspected or blocked.
(Image below) In concert with ESET DNA detection technology, which provides the “genes” characteristic of malicious behavior, HIPS is able to block Emotet quite effectively.
Businesses have the advantage of being able to bypass entirely the need for employees’ machines ever to deal with Emotet-laden emails by beefing up network defenses with ESET Dynamic Threat Defense, which can test for malicious files in a cloud sandbox within minutes and thus prevent the initial entry of malware into a network.
These are only some of the security layers that ESET’s advanced solutions include and that are making the work of cybercriminals behind campaigns like Emotet more difficult. Have no doubt that Emotet made a return in 2019; businesses should look to raise their security maturity in the face of a rising trend into 2020.
You can obtain the latest Emotet malware IoCs, including compromised domains and C&C server addresses, by subscribing to ESET Threat Intelligence (ETI) services, which collects data from over 110 million sensors worldwide.