October 3, 2019
Emotet: Back from Summer Vacation

By Ryan Swisher, Threat Hunter

The financial malware Emotet is back after a four-month hiatus. The banking trojan has been around as early as 2014 and has evolved in its delivery by using malicious links in emails, often appearing as a PDF attachment or invoice. Emotet is often packaged with other malware and used to deliver information stealers, credential harvesters, and ransomware. The most recent campaigns starting September 18th were seen delivering Trickbot as the second stage payload.

How does Emotet work?

The “user” is still the most dangerous vulnerability in every organization. Emotet is unique due to the way it spreads and delivers itself to others. The Emotet malware infects a system and leverages emails from the user’s mailbox to craft messages that appear to be replies to legitimate emails. This method makes it harder for email spam filters to detect. Emotet has been seen with the ability to steal mail credentials and self-propagate itself, as well as sending those credentials to other host in the botnet to be used in future campaigns.

What can I do about it?

Organizations should be doing regular testing and training on how to spot and report suspicious emails. Users should be on guard for emails that appear to be replies to older conversations, sent from a strange address, or the context of the original message has changed. It is also critical that leadership enforces strong passwords and MFA when available.

How can CBI help?

CBI leverages the skills of its SOC analysts and threat hunters to actively monitor and respond to current threats across a wide range of industries. By actively monitoring both paid and OSINT feeds, analysts can predict when attacks are coming and what industries are being targeted. Our analysts extract IOCs and continually craft new detection logic to detect these threats as soon as possible. CBI’s cybersecurity professionals strive to be the thermostat and not a thermometer. Thermostats set the temperature (proactive approach) while thermometers tell the temperature (reactive approach).

Ready to learn more about how CBI can help defend you against Emotet and other cyber threats? Contact us today.

About the Author
Ryan Swisher
Threat Hunter, CBI
I Need To...