Not rendering correctly? View this email as a web page here.
9-1-1 Cyber Alert
Alert: Emotet - Old Malware Gets a New Face

Emotet first hit networks back in 2014 as a dropper for Banking trojans. However, more recently it appears that the group responsible for the malware has been doing a lot of development and has turned Emotet into an end-to-end service for malware delivery.

Once inside the network, Emotet is extremely annoying to deal with as it has multiple ways of automatically spreading throughout the network and maintains persistence through registry keys and startup tasks. It spreads with credentials/emails harvested with: NetPass.exe, Outlook scraper, WebBrowserPassView, Mail PassView, and Credential enumerator. Additionally, it has been observed dropping supplemental malware that spreads through a modified version of one of the leaked NSA exploits – essentially it uses SMB to force the Domain Controller to download and execute a malicious file. If the 2017 ms17-010 patches have been applied, this SMB exploit should not work.

The easiest place to stop this malware is at the initial infection attempt. The initial infection is spread through malspam that contains a malicious pdf or a macro enabled word document which uses either JavaScript (in the case of the pdf) or PowerShell (in the case of the word document) to download the Emotet executable.

Some things you can do to guard against this malspam is to have strong spam-filters in place on both inbound and outbound emails, as well as “mark[ing] external emails with a banner denoting it is from an external source. This will assist users in detecting spoofed emails” (us-cert.gov). End user training can also be very effective at stopping these attacks before they even start.

NOTE: If you are dealing with an active infection, the easiest thing to do is isolate, wipe, and reimage the infected systems. It is essential that privileged accounts are not used to log in to compromised systems during remediation as this may accelerate the spread of the malware – remember it spreads using harvested credentials. If you do have to log into the system, make sure the system is taken off the network beforehand and that it isn’t allowed to reconnect until the system has been reimaged.

Additional resources:

Detailed info with mitigation and remediation tips:

https://www.us-cert.gov/ncas/alerts/TA18-201A

Example malicious traffic analysis:

https://www.malware-traffic-analysis.net/2018/09/05/index2.html

https://www.malware-traffic-analysis.net/2018/09/04/index2.html

https://www.malware-traffic-analysis.net/2018/08/17/index.html 

Stay cyber-safe,

SecuLore Support Team
  

SecuLore Solutions is a Public Safety company focused on cybersecurity - if you have concerns about your network, please contact us at info@SecuLore.com or visit us at www.SecuLore.com

Follow us on Twitter Follow us on Linkedin Follow us on Facebook