You may have heard of the Trojan Emotet before, first appearing back in 2014 stealing banking information, it has since evolved into a multi-faceted threat that targets everyone. It uses social engineering through emails to attempt to convince the user to open a Microsoft Word document and run its malicious macros. Even more worrisome is that once they have infected a target, they attempt to take over the victims Microsoft outlook desktop application. If successful Emotet will go through all sent emails and contacts, before sending out a new wave of spam emails. Only this time it will be from a trusted email. A campaign from Emotet over the Christmas season reads like a friend sending a friendly season greeting.
You make the stars shine brighter and the winter days warmer just by being in my life. Merry Christmas to my favorite person in the world.
Merry Christmas and a wonderful New Year!
Greeting Card is attached
A lovely thing about Christmas is that it’s compulsory, like a thunderstorm, and we all go through it together. Garrison Keillor
While not limited to invoices or Christmas
cards, these emails attempt to get the user to click the download link and then
to open the document. In the email mentioned above the target may be fooled
into thinking that the attached greeting card is legitimate. The document actually contains a malicious
macro, an embedded script. While macros were initially designed to help automate
keystrokes and mouse movements, they were quickly abused by nefarious virus
creators. The infection cannot run on its own as Microsoft has automatically disabled
macros more than a decade ago to help stop these malicious scripts. Instead, Emotet
uses a few techniques to get the user to re-enable macros. Examples can be seen
The picture urges the user to click the
Enable Content button, implying that they cannot view the Word document until
they do so. You may have already noticed that the bar itself says that Macros
have been disabled and the enable content button will in fact allow them. The
moment that Enable content is click the macros will start and in seconds you
will be infected, even worse in most cases you will have no indication from
this point forward that anything is wrong. In one test case we briefly had a
command window appear:
This window lasted less than two seconds before disappearing. This attack vector is not unique to Emotet though. In fact, it has been used by a number of ransomware attacks in the past. If you ever see a document you didn’t expect to receive, you should always be extremely cautious with it and you should never enable macros without a very good reason.
How it works
Emotet is an evolving malware that has been
known to primary spread itself through the use of email spam campaigns. Emotet itself does not attempt to do much
harm, instead it opens the door for other malware who pay the doorman on the
way in. It achieves this by using what is known as a Command and control server
Emotet will request instructions from its control server who will issue a new
command. This command could be anything from grab this malware sample and run
it to tell me what passwords are stored in the user’s browser. Emotet can also
receive updates and new capabilities in this way as well, showing that if
Emotet has infected your computer or network it should be removed as quickly as
Emotet doesn’t stop at the first computer infected though, once it’s on a network it will attempt to get to all computers it’s connected to through a brute-force attack. Unless strong passwords are enforced on machines and all known vulnerabilities are patched, a single installation of Emotet can cause every computer in the network to become infected. Emotet is often updated with new exploits as they are found, meaning that while it may not be successful at first it will keep trying until it finds something that does work.
We won’t go into too much depth on the actual code itself, but a brief step-by-step walkthrough can be useful to get a better understanding on how this malware works.
1. In the Word document there is a VBA script that is obfuscated so that you cannot read it at a glance, all this code does is launch a command shell which then launches PowerShell, a more powerful version of the Windows command shell.
2. Using PowerShell, the script attempts to download the core Emotet payload from a large variety of distribution websites.
3. The randomly named payload will then
reach out to the main server and request a command. The command will change
based on the campaign that is running, it could go grab new malware or it could
attempt to use your own email address as a way to spread itself.
Who is affected
Many people assume that they will not be targets of malware campaigns, Emotet though targets everyone equally, it has the simple goal of getting on every machine it can and then getting paid to let other, more targeted malware come in behind it. If your email address has ever been sold, disclosed in a breach, or was on a friend’s email list when they got infected it’s possible you will receive a malicious email from them.
Indicators of infection
The main location for the executable is in C:\Users\<name>\AppData\Local\ and then whatever new name Emotet decides to use. One we have seen often is archivessymbol but this will change. If you see something in this folder you don’t know about, its important to run a scan.
Versions of Emotet can also drop files onto
your computer in C:\Users\Public or C:\Users\<username>:
These files generally have 5-6 randomly generated numbers in the file name, followed by .exe. These are not actually executable files, but HTML documents that are used to generate revenue for the Blackhat’s by simulating clicks on web advertisements.
What you can do
If you or someone you know is infected with the Emotet malware download SUPERAntiSpyware Professional right now and get a 14 day free trial, no credit card required. SUPERAntiSpyware is easy to install and will detect and remove Emotet from any Windows computer. If you are a Computer Technician, you may like to try our SUPERAntiSpyware Tech Edition solution, now free for the next 30 days. Use Tech01 as the Tech ID. Click here: https://www.superantispyware.com/technician-download.html
Emotet has also been known to exploit a vulnerability in Windows called EternalBlue. Microsoft has issued a patch for this, and applying this patch can help protect you from Emotet as well as other malware who utilize this exploit.
HOW TO REMOVE EMOTET
- Restart the infected computer in safe mode without networking
- Search through the Indicators of infection and investigate any files/folders you do not recognize. You can run the file through SUPERAntiSpyware or online through VirusTotal.com to confirm that it is malware.
- Delete files and folders that have been confirmed as malware.
- Repeat steps 1-3 on all other machines in the network.
- Restore all infected computers to normal mode only after confirming the infection is removed.