Emotet is Back: Stopping Malware with Endpoint Management

Emotet came back into the news this August, making headlines as a new wave of attacks hit companies around the world after months of silence. What exactly is Emotet? And how does it really impact your organization? Better still, in light of this latest resurgence, how can you defend and protect your IT infrastructure against it?

To build a greater awareness of this news-making malware, we’ll delve into a description of how it works, and some key remediation techniques to defend against it.

What is the Emotet Malware?

Emotet started out as a banking trojan. It has been active since at least 2014 and, as we’ve seen, still resurfaces from time to time. It may also show up in other categories of malware, such as ransomware, because other programs can be bundled with it for even greater impact. In fact, one of the aspects that makes this wave of malware particularly unique is that, after infecting a computer, an embedded binary may exhibit the behavior of other types of malware such as ransomware, crypto lockers, and wipers, and can inflict even greater damage on the target.

Banking trojans are complex software that can extract banking data of users in a variety of ways:

  • Keyboard logging: useful for recording passwords on sensitive websites,
  • Screen recording: to obtain a password entered with a virtual keyboard, as bank websites often use,
  • Website hooking: features which can be activated only when the user is visiting a given website (e-commerce or bank) where banking data are used,
  • Remote control: the extracted data is sent to a server controlled by the attacker so that it can be reused quickly. This server can also be used to update the list of websites to watch or to exploit other vulnerabilities to gain more privileges on the targeted computer.

The complexity of banking trojans is also evident in the way they are spread to infect users as effectively as possible. Typically they are distributed as innocuous-seeming email attachments:

  • Office files with macros: Microsoft Word (.doc and .docx) and Excel (.xls and .xlsx) documents are commonly shared between colleagues and arouse little suspicion. An attacker can easily send disguised files containing macros (scripts executed upon opening the document) in hopes that the user will open the file and activate the scripts.
  • Binaries with false filenames: sometimes filenames are cropped to remove their extensions (for example, a file named myBill.pdf.exe is shown as myBill.pdf in Windows Explorer), so the file can be mistaken for a normal document when it is, in fact, a binary that will launch when clicked.

In the case of Emotet, the Office macro generates an executable and launches it to execute a PowerShell script with the hidden parameter (to hide the PowerShell window). Once a computer is infected, the malware will try to replicate to computers that share the same network by exploiting common unpatched vulnerabilities.

Prevention: Beyond Anti-Virus

There are two main strategies to prevent such attacks, and they can be used in tandem to complement one another.

A traditional antivirus solution relies on a database of signatures (binary hashes or IP addresses, for example) that is matched against every binary at launch in order to block those that share elements with Emotet. WALLIX BestSafe takes another approach, as it proactively blocks unexpected user behavior rather than reacting once a process is already underway. For instance, the office application Microsoft Word would not usually be expected to start a PowerShell script, so a generic rule can be implemented to block PowerShell from having Word as its parent. Even if an unsuspecting user clicks, downloads, or opens a malicious file, no attack is launched.

More generally, WALLIX BestSafe is an Endpoint Privilege Management (EPM) software which aims to control the processes running on a computer and adapt privileges as necessary to follow the Least Privilege model for users and administrators. It also features a “blacklist/whitelist blocking process” that helps to block malicious processes from ever running, regardless of user privileges.

Thanks to two endpoint management rules, BestSafe is able to stop Emotet’s dangerous exploits:

  • Prevent the vulnerable process used in this attack (wmiprvse.exe) from launching PowerShell commands: The payload will not be downloaded on the target.
  • Prevent the “hidden” function of PowerShell: The hidden parameter lets the script execute without having to open a PowerShell window. This behavior is not common in normal executions.
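The logic of these two rules, together with the Word parent rule mentioned earlier, can be sketched as a check over process-creation events. This is an added example, not BestSafe's implementation or rule syntax: the event field names, the rule names, the inclusion of pwsh.exe and the sample events are all assumptions constructed for illustration.

```python
import ntpath

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}  # pwsh.exe included as an assumption
DENIED_PARENTS = {"winword.exe", "wmiprvse.exe"}    # Word and the WMI provider host

def image_name(path):
    """Lower-cased file name of a Windows path, regardless of the host OS."""
    return ntpath.basename(path).lower()

def has_hidden_window(command_line):
    """True if -WindowStyle, or any prefix of it such as -w or -win, is set to Hidden."""
    tokens = command_line.split()
    for flag, value in zip(tokens, tokens[1:]):
        name = flag[1:].lower()
        if flag[0] in "-/" and name and "windowstyle".startswith(name):
            if value.strip("\"'").lower() == "hidden":
                return True
    return False

def evaluate(event):
    """Return the names of the rules that would block this process creation."""
    if image_name(event["image"]) not in POWERSHELL_IMAGES:
        return []  # the rules only constrain PowerShell launches
    hits = []
    if image_name(event["parent_image"]) in DENIED_PARENTS:
        hits.append("denied-parent")
    if has_hidden_window(event["command_line"]):
        hits.append("hidden-window")
    return hits

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
WMI = r"C:\Windows\System32\wbem\WmiPrvSE.exe"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed process-creation events (not taken from a real incident).
SAMPLE_EVENTS = [
    {"parent_image": WORD, "image": PS,
     "command_line": "powershell.exe -NoProfile -Command Get-Date"},
    {"parent_image": WMI, "image": PS,
     "command_line": "powershell.exe -w hidden -Command Get-Date"},
    {"parent_image": EXPLORER, "image": PS,
     "command_line": r"powershell.exe -WindowStyle Hidden -File C:\Scripts\report.ps1"},
    {"parent_image": EXPLORER, "image": PS,
     "command_line": r"powershell.exe -NoProfile -File C:\Scripts\report.ps1"},
    {"parent_image": WORD, "image": r"C:\Windows\splwow64.exe",
     "command_line": "splwow64.exe 8192"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(image_name(ev["parent_image"]), "->", image_name(ev["image"]), evaluate(ev))
```

Matching on any prefix of the parameter name matters because PowerShell accepts abbreviated parameter names, so a rule that only looks for the full `-WindowStyle` spelling would miss `-w hidden`.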

Users don’t have time to wait 2 minutes to check if every file is safe before proceeding with their work. Global rules reduce this overhead by distinguishing acceptable actions from suspicious, disallowed ones, and by streamlining analysis and automatic termination.

Rules are created in the “privilege rules” window:

Parents that are not allowed to execute PowerShell are added in the Rule Properties section under Parent Processes:

BestSafe will then apply these rules in order to block the process and the attack.

Like most subjects in cybersecurity, malware detection is a fight between security and usability. Users need to maintain flexibility and efficiency, unburdened by slow or restrictive security procedures, but IT teams and organizations need to protect corporate data and infrastructure.

With WALLIX BestSafe’s game-changing approach to Endpoint Privilege Management, you achieve the perfect balance of security and productivity. No waiting for antivirus scans, no helpdesk overloaded with support requests. Global rules make automatic detection and prevention of malware – including the infamous Emotet – simple and efficient.