December 2019 Update
Emotet is a malware “Swiss Army Knife,” offering a wide variety of attackers a number of methods of infection and subsequent actions. It is frequently used in mass malicious email campaigns, as well as for highly targeted attacks. Once a target is infected with Emotet, the malware’s operators may use it to download additional malicious payloads for the purposes of credential stealing, banking fraud, ransomware, and more.
CISO Office staff recently observed indicators of a wide range of Emotet activity on campus networks. This report briefly describes the Emotet malware, the latest activity on campus, and its potential threat to the University.
Threat Overview and Technical Analysis
What is Emotet?
Emotet first appeared as an opportunistic banking trojan in mid‑2014. It has evolved beyond its original design and now largely functions as a first‑stage malware infection and spreading utility affecting organizations and users around the world. Once the malware compromises a device, the device is sent instructions from Emotet’s command and control (C2) infrastructure, which typically involves downloading a second‑stage payload specific to the effect the attacker hopes to accomplish.
Attackers use Emotet for a variety of purposes. Fraudsters use Emotet to deliver banking trojans such as TrickBot, Zeus Panda, and IcedID. Extortionists use it to deliver ransomware such as Ryuk and UmbreCrypt. Attackers seeking to limit their exposure may install cryptocurrency mining software or sell compromised systems to botnet operators. Some attackers use Emotet to further nation‑state goals: the malware has been used in highly targeted spear phishing, likely by nation‑state attackers, where a successful compromise would likely lead to surveillance or intellectual property theft.
Emotet is most commonly delivered through email sent in a shotgun approach to a large number of recipients. Researchers have observed a variety of lures used to convince users to open attachments or click links. These lures include forged messages apparently from common carriers (e.g. USPS, FedEx), payment services (e.g. PayPal), and in highly targeted campaigns, senders and topics familiar to the recipients. Infections occur when users open Microsoft Office documents containing macros or RTF files containing PowerShell scripts, or click on links to the malware. Emotet also leverages the Windows file sharing protocol, Server Message Block version 1 (SMBv1), to spread by 1) using ETERNALBLUE to compromise vulnerable network systems; 2) placing infected files on mounted shares; and 3) attempting to guess user credentials.
Emotet uses mutation and anti‑analysis mechanisms that complicate identification by antivirus and analysis by security researchers. For example, if a sandbox is detected, the malware will produce false indicators of compromise. Emotet developers use stolen code‑signing certificates to bypass controls that limit which applications can run on a target device. The latest version includes an “Outlook Scraper” module that extracts and exfiltrates the victim’s sender address, contacts, and six months of stored emails. This information can be used to craft convincing lures to spear phish colleagues for surveillance or intellectual property theft. Emotet uses a complex and decentralized C2 infrastructure that updates constantly as compromised hosts are discovered and remediated.
“Reply-to” Malware Lures (updated 12/9/19)
Data collected from the Outlook Scraper module added to Emotet in October 2018 initially went unused by Emotet operators. In November 2018, researchers noted Emotet lures spoofing the sender address and sender name of previously compromised users being sent to accounts the compromised user had previously corresponded with. In April 2019, researchers noted new Emotet email lures taking the tactic a step further: fake replies to old correspondence were forged using the body of previously stolen messages. Emotet lures now appear to be sent from a known account on a topic that is familiar to the recipient. The forged messages include a link which downloads an Emotet-infected Office document.
Emotet Activity at UW
From network flow monitoring of known Emotet C2 infrastructure, CISO staff can provide estimates of the quantity and frequency of new Emotet infections at the University. At least seven unique IPs communicated with known Emotet C2 infrastructure on one day in late August, dropping to an average of two per day through the first two weeks of September. A lull ensued, which may indicate a drop in threat activity or Emotet infrastructure change.
Reports of Emotet‑styled email increased during the week prior to Thanksgiving, including a Thanksgiving‑themed holiday greeting message. Netflow analysis from the week of November 22 to November 28 shows thirty‑seven new unique IPs contacting known Emotet C2 infrastructure, indicating a resurgence of the malware’s activity on campus. Activity peaked on November 22, with eleven unique IPs contacting the infrastructure. At this time there do not appear to be any critical systems at the University infected with Emotet.
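The per‑day counts described above come down to matching flow records against a C2 watchlist and tracking which campus sources are new. The following is an added example, not the CISO Office's tooling; the CSV columns, the 10.0.0.0/8 campus range and the documentation‑range watchlist addresses are assumptions, and the flows are constructed.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample data: documentation-range addresses stand in for the C2
# watchlist and 10.0.0.0/8 stands in for campus address space (assumptions).
C2_WATCHLIST = {"203.0.113.10", "198.51.100.77"}
CAMPUS_NET = ipaddress.ip_network("10.0.0.0/8")
SAMPLE_FLOWS = """\
ts,src,dst,dport
2019-11-22T08:01:12,10.1.4.20,203.0.113.10,443
2019-11-22T08:05:40,10.1.4.20,203.0.113.10,443
2019-11-22T09:14:03,10.2.9.31,198.51.100.77,8080
2019-11-22T09:30:00,10.2.9.31,192.0.2.5,443
2019-11-22T10:00:00,10.5.5.5,203.0.113.10,443
2019-11-23T11:02:55,10.1.4.20,198.51.100.77,8080
2019-11-23T13:47:19,10.3.0.8,203.0.113.10,443
2019-11-23T14:00:00,203.0.113.10,10.3.0.8,49152
"""

def c2_contacts_by_day(flow_csv, watchlist):
    """Map each day to the campus sources that contacted a watchlisted
    destination ("unique") and those never seen doing so before ("new")."""
    seen = set()
    report = defaultdict(lambda: {"unique": set(), "new": set()})
    rows = sorted(csv.DictReader(io.StringIO(flow_csv)), key=lambda r: r["ts"])
    for row in rows:
        # Only outbound flows count: campus source, watchlisted destination.
        if row["dst"] not in watchlist:
            continue
        if ipaddress.ip_address(row["src"]) not in CAMPUS_NET:
            continue
        day = row["ts"][:10]
        report[day]["unique"].add(row["src"])
        if row["src"] not in seen:
            seen.add(row["src"])
            report[day]["new"].add(row["src"])
    return dict(report)

def peak_day(report):
    """Day with the most distinct campus hosts contacting the watchlist."""
    return max(report, key=lambda day: len(report[day]["unique"]))

if __name__ == "__main__":
    rep = c2_contacts_by_day(SAMPLE_FLOWS, C2_WATCHLIST)
    for day in sorted(rep):
        print(day, len(rep[day]["unique"]), "unique,", len(rep[day]["new"]), "new")
    print("peak day:", peak_day(rep))
```

A host that reappears on a later day raises that day's unique count but not its new count, which is why the two figures are tracked separately.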
Scanning by computers on UW’s private networks for Windows File Sharing running on other computers on the networks is ongoing, though it is not known whether this activity is related to Emotet infections. The University blocks vulnerable services at the network border, including SMB; however, compromised devices within the network may still try to abuse these services and scan for vulnerabilities internally.
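Internal scanning for Windows File Sharing appears in flow data as one source opening TCP 445 to many distinct campus peers within a short window. This is an added example, not part of the original report; the flow format, campus range, window length and threshold are assumptions, and the sample flows are constructed.

```python
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime

CAMPUS_NET = ipaddress.ip_network("10.0.0.0/8")  # assumption: campus space
FANOUT_THRESHOLD = 5  # assumption: distinct SMB peers per window; tune locally

def build_sample_flows():
    """Constructed flows: 10.9.9.9 sweeps 20 hosts on TCP 445 in 20 seconds,
    while 10.1.1.5 talks to two file servers like an ordinary client."""
    lines = ["ts,src,dst,dport,proto"]
    for i in range(1, 21):
        lines.append(f"2019-11-22T02:00:{i:02d},10.9.9.9,10.4.0.{i},445,tcp")
    for minute in range(3):
        lines.append(f"2019-11-22T09:0{minute}:00,10.1.1.5,10.0.0.10,445,tcp")
    lines.append("2019-11-22T09:05:00,10.1.1.5,10.0.0.11,445,tcp")
    lines.append("2019-11-22T09:06:00,10.1.1.5,10.0.0.12,443,tcp")
    return "\n".join(lines)

def smb_fanout(flow_csv, window_minutes=10, threshold=FANOUT_THRESHOLD):
    """Return (window_start, src, peer_count) for every campus host that opened
    TCP 445 to at least `threshold` distinct campus peers in one fixed window."""
    peers = defaultdict(set)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if row["dport"] != "445" or row["proto"] != "tcp":
            continue
        src = ipaddress.ip_address(row["src"])
        dst = ipaddress.ip_address(row["dst"])
        if src not in CAMPUS_NET or dst not in CAMPUS_NET:
            continue  # border already blocks SMB; this looks at east-west only
        ts = datetime.fromisoformat(row["ts"])
        start = ts.replace(minute=ts.minute - ts.minute % window_minutes,
                           second=0, microsecond=0)
        peers[(start.isoformat(), row["src"])].add(row["dst"])
    hits = [(w, s, len(d)) for (w, s), d in peers.items() if len(d) >= threshold]
    return sorted(hits, key=lambda hit: hit[2], reverse=True)

if __name__ == "__main__":
    for window, src, count in smb_fanout(build_sample_flows()):
        print(f"{window} {src} contacted {count} SMB peers")
```

Fixed windows can split a sweep that straddles a boundary; a longer interval or a sliding window reduces that blind spot.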
Organizational Impact. Emotet can negatively impact organizations in a variety of ways, including reputational harm, downtime for critical systems, sensitive data exfiltration, and permanent data loss. Emotet has been used in several recent high‑profile attacks against a wide variety of institutions; of particular concern are the frequent attacks against State, Local, Tribal, and Territorial institutions.
- In an October 2018 attack against the Jacksonville, North Carolina Water and Sewer Authority, an initial Emotet infection that officials believed they remediated was used to drop a second‑stage ransomware, Ryuk. The infection quickly spread throughout the utility’s networked devices, encrypting crucial systems and databases. Utility employees received communication from the attackers demanding a ransom in return for decrypting their devices. Officials refused to pay any ransom, and remediation efforts for the attack are ongoing.
- In a November 2018 attack against the city of Quincy, Massachusetts, all city devices were taken offline for five days while city employees remediated the pervasive infection, severely impairing the city’s services. Additionally, Quincy’s email infrastructure was used to send large amounts of Emotet‑infected spam from the official city domain, causing city officials to dissuade residents from opening emails supposedly sent by them.
Potential Impact on UW Users
Users should anticipate receiving Emotet malware in attachments to email appearing to be from a variety of senders, including suppliers, research sponsors, external collaborators, and other University employees. Lures typically appear as orders or shipping confirmations, delivery status updates, invoices, and holiday greetings. Messages may appear to be from a source that targeted users trust, so it is important to think twice before opening attachments or following links in email messages. Email recipients should call the sender to confirm the message’s validity if in doubt. Users who are compromised with Emotet will likely have their Outlook information exfiltrated and used to spread Emotet further. Messages may purport to be sent by the compromised user to their contacts, or by one contact to another from the compromised address book. Users may experience unexpected bounce messages, and replies from colleagues asking if they truly sent a suspicious message.
Actions and Recommendations
Actions by the Office of the Chief Information Security Officer:
- Disseminate relevant updates regarding Emotet behavior, attacker targeting, and impact to UW.
- Block communications with Emotet C2 infrastructure and maintain up‑to‑date signatures in the campus Intrusion Prevention System.
- Advise department IT staff in Emotet incident response.
Recommendations for Department IT Staff:
- Educate end‑users about the threat posed by Emotet. Users should question the validity of messages claiming the attachment contains (or the URL leads to) a shipping update, invoice, order confirmation, holiday greeting, etc., verifying with the sender prior to opening.
- Note that border protections, such as blocking vulnerable services and utilizing intrusion prevention systems, provide a layer of security, but do not eliminate the threat. Assume that at any time, at least one campus device is compromised by Emotet.
- If practical, disable SMBv1 on all networked devices; use SMBv2 or SMBv3.
- In an Active Directory environment, use Group Policy to restrict inbound SMB connections between client systems.
- If practical in your environment, disallow execution of Office macros by Group Policy.
- Apply the patch for MS17‑010.
- Identify signs of infection on a device by monitoring device services, registry modifications, and scheduled tasks that may be associated with Emotet.
- Deploy antivirus software on all devices and configure automatic updating.
- If an Emotet infection is suspected:
  - Isolate the system by taking it off the network.
  - Review the system for Emotet indicators of compromise. If indicators are present, continue.
  - Review network and mail logs to determine extent of potential compromise.
  - Determine whether the system stored or processed confidential information.
  - Create a list of system users.
  - Determine whether system user email accounts contained confidential information.
  - Review mail rules for unauthorized changes.
  - Notify the Office of the CISO at firstname.lastname@example.org.
  - When instructed to do so by the Office of the CISO, rebuild the system from pre‑infection backup.