US joint technical alert warns of self-propagating trojan

A malware program that infects entire networks by dropping a variety of trojans onto compromised devices is evolving, the Department of Homeland Security (DHS) has warned.

Emotet, a trojan horse that has been around since 2014, deploys several malicious modules after gaining access to a device, typically through a phishing email containing a payload.

The malware then spreads across the network and uses a variety of modules to steal information and to carry out distributed denial of service (DDoS) attacks from the infected machines.

These include modules such as NetPass.exe, WebBrowserPassView, Mail PassView, an Outlook scraper, and a credential enumerator, which allow Emotet to spread rapidly and to evade multiple security features undetected.

There have also been reports of ransomware being utilized with Emotet, according to the cybersecurity firm Symantec.

“The main component of Trojan.Emotet functions as a loader, and can theoretically support any payload. While it is still primarily known for distributing banking trojans, it can in theory spread any threat, and there have been reports of it distributing the Ransom.UmbreCrypt ransomware,” the Symantec security response team wrote in a recent blog post.

“It delivers the threats, obfuscates them to reduce the chances of detection, and provides a spreader module that allows the threats to self-propagate.”

Emotet has predominantly been found to target banking customers in Germany and Switzerland, but more recently the computer network of the city of Portsmouth in New Hampshire fell victim to an attack perpetrated with the program, resulting in over $156,000 in damages.

Symantec said that Mealybug, the cybercrime group purportedly behind Emotet, now appears to be distributing the malware program to other threat actors as a bespoke service.

The DHS, which released a joint technical alert with the National Cybersecurity and Communications Integration Center (NCCIC) on Friday, has said that Emotet incidents have cost state, local, tribal, and territorial (SLTT) governments up to $1 million per incident to remediate.

Its use of dynamic link libraries (DLLs) makes it particularly dangerous, as this allows the malware's capabilities to be updated after infection.

The DHS said: “Emotet artifacts are typically found in arbitrary paths located off of the AppData\Local and AppData\Roaming directories. The artifacts usually mimic the names of known executables. Persistence is typically maintained through Scheduled Tasks or via registry keys.

“Additionally, Emotet creates randomly-named files in the system root directories that are run as Windows services. When executed, these services attempt to propagate the malware to adjacent systems via accessible administrative shares.”

Both Symantec and the DHS have recommended practices to mitigate the risks associated with Emotet, including antivirus programs that automatically update signatures and software, setting a Windows Firewall rule to restrict inbound SMB communication between client systems, and using an email gateway to filter out suspicious emails.
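The DHS description above (artifacts under AppData\Local and AppData\Roaming, persistence through Scheduled Tasks or registry keys, randomly named service binaries in the system root) and the recommended inbound SMB firewall rule translate directly into a defender's triage script. The following PowerShell is an added example, not code from the alert or from Symantec; the rule name is a placeholder and the checks are read-only except for the optional `-ApplySmbBlock` switch.

```powershell
# Added example (not from the DHS alert): triage a Windows host for the
# persistence patterns the alert describes, then optionally apply the
# recommended firewall rule. Run in an elevated PowerShell session.
param([switch]$ApplySmbBlock)

# Regex for anything launched out of a user's AppData\Local or AppData\Roaming.
$appDataPattern = '\\AppData\\(Local|Roaming)\\'

# 1. Run keys whose command points into AppData (registry persistence).
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Value -is [string] -and $p.Value -match $appDataPattern) {
            [pscustomobject]@{ Source = "RunKey $key"; Name = $p.Name; Command = $p.Value }
        }
    }
}

# 2. Scheduled tasks whose action executes something from AppData.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match $appDataPattern) {
            [pscustomobject]@{ Source = 'ScheduledTask'; Name = $task.TaskName; Command = $cmd }
        }
    }
}

# 3. Services whose binary sits directly in the system root (e.g. C:\name.exe),
#    where the alert says randomly named service binaries are dropped.
$rootPattern = '^' + [regex]::Escape("$env:SystemDrive\") + '[^\\]+\.exe'
Get-CimInstance Win32_Service | Where-Object {
    $_.PathName -and (($_.PathName -replace '"', '') -match $rootPattern)
} | ForEach-Object {
    [pscustomobject]@{ Source = 'Service'; Name = $_.Name; Command = $_.PathName }
}

# 4. Recommended mitigation: block inbound SMB (TCP 445) on client systems so an
#    infected workstation cannot reach its neighbours' administrative shares.
#    Scope the profile to match your client segment; the name is a placeholder.
if ($ApplySmbBlock) {
    New-NetFirewallRule -DisplayName 'Block inbound SMB (client systems)' `
        -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block -Profile Domain, Private
}
```

Any hit from sections 1 to 3 is a lead for manual review, not proof of infection; legitimate installers also launch from AppData, so compare the binary name and hash against what the vendor ships.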

If your organization has been infected, take the infected machines off the network immediately and do not attempt any logins.
