You may have heard of the Trojan Emotet before. Since first appearing back in 2014 stealing banking information, it has evolved into a multi-faceted threat that targets everyone. It uses social engineering through emails to attempt to convince the user to open a Microsoft Word document and run its malicious macros. Even more worrisome is that once Emotet has infected a target, it attempts to take over the victim’s Microsoft Outlook desktop application. If successful, Emotet goes through all sent emails and contacts and send out a new wave of spam emails. Only this time, the potential victims are receiving the message from a trusted email.
A campaign from Emotet over the Christmas season read like a friend sending a friendly season greeting.
Dear <name>,
You make the stars shine brighter and the winter days warmer just by being in my life. Merry Christmas to my favorite person in the world.
Merry Christmas and a wonderful New Year!
Greeting Card is attached
A lovely thing about Christmas is that it’s compulsory, like a thunderstorm, and we all go through it together. Garrison Keillor
While not limited to invoices or Christmas cards, these emails attempt to get the user to click the download link and then to open the document. In the email mentioned above the target may be fooled into thinking that the attached greeting card is legitimate. The document actually contains a malicious macro, an embedded script. While macros were initially designed to help automate keystrokes and mouse movements, they were quickly abused by nefarious virus creators. The infection cannot run on its own as Microsoft has automatically disabled macros more than a decade ago to help stop these malicious scripts. Instead, Emotet uses a few techniques to get the user to re-enable macros. Examples can be seen below.
The picture urges the user to click the Enable Content button, implying that they cannot view the Word document until they do so. You may have already noticed that the bar itself says that macros have been disabled, and the Enable Content button will, in fact, allow them. The moment that Enable Content button is clicked, the macros will start, and in seconds you will be infected. Even worse, in most cases you will have no indication from this point forward that anything is wrong. In one test case we briefly had a command window appear:
This window lasted less than two seconds before disappearing. This attack vector is not unique to Emotet though. In fact, it has been used by a number of ransomware attacks in the past. If you ever see a document you didn’t expect to receive, you should always be extremely cautious with it and you should never enable macros without a very good reason.
How it works
Emotet is an evolving malware that has been known to primarily spread itself through email spam campaigns. Emotet itself does not attempt to do much harm; instead, it opens the door for other malware who pay the doorman on the way in. It achieves this by using what is known as a Command and Control server (C&C): Emotet requests instructions from its C&C server, which issues a new command. This command could be anything from “grab this malware sample and run it” to “tell me what passwords are stored in the user’s browser.” Emotet can receive updates and new capabilities in this way as well, showing that if Emotet has infected your computer or network, it should be removed as quickly as possible.
Emotet doesn’t stop at the first computer infected though. Once it’s on a network, it will attempt to get to all computers it’s connected to through a brute-force attack. Unless strong passwords are enforced on machines and all known vulnerabilities are patched, a single installation of Emotet can cause every computer in the network to become infected. Emotet is often updated with new exploits as they are found, meaning that while it may not be successful at first, it will keep trying until it finds something that does work.
Code
We won’t go into too much depth on the actual code itself, but a brief step-by-step walkthrough can be useful to get a better understanding on how this malware works.
1. In the Word document there is a VBA script that is obfuscated so that you cannot read it at a glance. All this code does is launch a command shell, which then launches PowerShell, a more powerful version of the Windows command shell.
2. Using PowerShell, the script attempts to download the core Emotet payload from a large variety of distribution websites.
3. The randomly named payload will then reach out to the main server and request a command. The command will change based on the campaign that is running —it could go grab new malware or it could attempt to use your own email address as a way to spread itself.
Who is affected
Many people assume that they will not be targets of malware campaigns. Emotet, though, targets everyone equally: it has the simple goal of getting on every machine it can and then getting paid to let other, more targeted malware come in behind it. If your email address has ever been sold, disclosed in a breach, or was on a friend’s email list when they got infected, then it’s possible you will receive a malicious email from them.
Indicators of infection
The main location for the executable is in C:\Users\<name>\AppData\Local\ and then whatever new name Emotet decides to use. One we have seen often is archivessymbol, but this will change. If you see something in this folder you don’t know about, it’s important to run a scan.
Versions of Emotet can also drop files onto your computer in C:\Users\Public or C:\Users\<username>:
These files generally have 5-6 randomly generated numbers in the file name, followed by .exe. These are not actually executable files, but HTML documents that are used to generate revenue for the Blackhat’s by simulating clicks on web advertisements.
What you can do
If you or someone you know is infected with the Emotet malware, download SUPERAntiSpyware Professional right now and get a 14-day free trial, no credit card required. SUPERAntiSpyware is easy to install and will detect and remove Emotet from any Windows computer.
If you are a Computer Technician, you may like to try our SUPERAntiSpyware Tech Edition solution, now free for the next 30 days. Use Tech01 as the Tech ID. Click here: https://www.superantispyware.com/technician-download.html
Emotet has also been known to exploit a vulnerability in Windows called EternalBlue. Microsoft has issued a patch for this, and applying this patch can help protect you from Emotet as well as other malware who utilize this exploit.
HOW TO REMOVE EMOTET
- Restart the infected computer in safe mode without networking
- Search through the Indicators of infection and investigate any files/folders you do not recognize. You can run the file through SUPERAntiSpyware or online through VirusTotal.com to confirm that it is malware.
- Delete files and folders that have been confirmed as malware.
- Repeat steps 1-3 on all other machines in the network.
- Restore all infected computers to normal mode only after confirming the infection is removed.