Endpoint Management, Risk Management

Emotet is Back: Stopping Malware with Endpoint Management

As Emotet came back into the news this August, making headlines as a new wave of attacks hit companies around the world after months of silence. What exactly is Emotet? And how does it really impact your organization? Better still, in light of this latest resurgence, how can you defend and protect your IT infrastructure against this threat?

To build greater awareness of this news-making malware, we’ll delve into a description of how it works, and some key remediation techniques to defend against it.

What is the Emotet Malware?

Emotet was first a banking trojan malware, active since at least 2014 and – as we’ve seen – is still in action from time to time. It might be seen in other fields of malware, like Ransomware, because other programs can be included with it to have even greater impact. In fact, one of the aspects that makes of this wave of malware particularly unique is that, after infecting a computer, an embedded binary may exhibit the behavior of other types of malwares such as ransomware, crypto lockers, and wipers, and can inflict even greater damage to the target.

Banking trojans are complex software that can extract banking data of users in a variety of ways:

Keyboard logging: useful for recording passwords on sensitive websites,
Screen recording: to obtain a password entered with a virtual keyboard, as bank websites often use,
Website hooking: features which can be activated only when the user is visiting a given website (e-commerce or bank) where banking data are used,
Remote control: the extracted data is sent to a server controlled by the attacker in order to re-use them quickly. This server can also be used to update the list of websites to watch or to exploit other vulnerabilities to gain more privileges on the targeted computer.

The complexity of Banking trojans is also evident the way they can be spread to be the most effective in infecting users. Typically they are distributed as innocuous-seeming email attachments:

Office files with macros: Microsoft Word (.doc and docx) and Excel (.xls and xlsx) are documents commonly shared between colleagues and arouse little suspicion. An attacker can easily then send these disguised files containing macros (scripts executed upon opening the document) in hopes that the user will open the file and activate the scripts.
Binary with false filenames: sometimes filenames can be cropped to remove their extensions (for example, a file named myBill.pdf.exe is shown as myBill.pdf on Windows Explorer) and can be falsely mistaken for a normal file when it is, in fact, a binary that will launch when clicked.

In the case of Emotet, the office macro is used to generate an executable and launches it to execute a PowerShell script with the hidden parameter (to hide the PowerShell window). Once a computer is infected, the malware will try to replicate on computers that are sharing the same network by exploiting common unpatched vulnerabilities.

Prevention: how to fight against this malware ?

There are two main strategies to prevent such attacks, and which can be used in tandem to complement one another.

A traditional solution of an antivirus will have a database of signatures (binaries hash or IP addresses, for example) that will be matched to every launching binary in order to block the ones that will share elements with Emotet. WALLIX BestSafe takes an approach beyond antivirus, as it proactively blocks unexpected user behavior rather than reacting once a process is already underway. For instance, the office application Microsoft Word would not usually be expected to start a PowerShell script, so a generic rule can be implemented to block PowerShell from having Word as parent. Even if an unsuspecting user clicks, downloads, or opens a malicious file, no attack is launched.

More generally, WALLIX BestSafe is an Endpoint Privilege Management (EPM) software which aims to control the processes running on a computer and adapt privileges as necessary to follow the Least Privilege model for users and administrators. It also features a “blacklist/whitelist blocking process” that helps to block malicious processes from ever running, regardless of user privileges.

Thanks to two endpoint management rules, BestSafe is able to stop Emotet’s dangerous exploits:

Prevent the vulnerable process used in this attack (wmiprvse.exe) from launching PowerShell commands: The payload will not be downloaded on the target.
Prevent the “hidden” function of PowerShell: The hidden parameter lets the script execute without having to open a PowerShell window. This behavior is not common in normal executions.

Users don’t have time to waste checking if every file is safe before proceeding with their work. Global rules reduce this overhead by distinguishing acceptable and suspicious, disallowed actions, and streamlining analysis and automatic termination.

Rules are created in the “privilege rules” window:

Parents that are not allowed to execute PowerShell are added in the Rule Properties section under Parent Processes:

BestSafe will then apply these rules in order to block the process and the attack.

Like most subjects in cybersecurity, malware detection is a fight between security and usability. Users need to maintain flexibility and efficiency, unburdened by slow or restrictive security procedures, but IT teams and organizations need to protect corporate data and infrastructure.

With WALLIX BestSafe’s game-changing approach to Endpoint Privilege Management, you achieve the perfect balance of security and productivity. No waiting for antivirus scans, no helpdesk overloaded with support requests. Global rules make automatic detection and prevention of malware – including the infamous Emotet – simple and efficient.

Cookie	Duration	Description
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.

Cookie	Duration	Description
__hstc	1 year 24 days	This cookie is set by Hubspot and is used for tracking visitors. It contains the domain, utk, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the wbsite is doing. The data collected including the number visitors, the source where they have come from, and the pages viisted in an anonymous form.
hubspotutk	1 year 24 days	This cookie is used by HubSpot to keep track of the visitors to the website. This cookie is passed to Hubspot on form submission and used when deduplicating contacts.
trackalyzer	1 year	This cookie is used by Leadlander. The cookie is used to analyse the website visitors and monitor traffic patterns.

Cookie	Duration	Description
__hssc	30 minutes	This cookie is set by HubSpot. The purpose of the cookie is to keep track of sessions. This is used to determine if HubSpot should increment the session number and timestamps in the __hstc cookie. It contains the domain, viewCount (increments each pageView in a session), and session start timestamp.
bcookie	2 years	This cookie is set by linkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	This cookie is set by LinkedIn and used for routing.
messagesUtk	1 year 24 days	This cookie is set by hubspot. This cookie is used to recognize the user who have chatted using the messages tool. This cookies is stored if the user leaves before they are added as a contact. If the returning user visits again with this cookie on the browser, the chat history with the user will be loaded.

Cookie	Duration	Description
__cfduid	1 month	The cookie is used by cdn services like CloudFare to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information.
__hssrc	session	This cookie is set by Hubspot. According to their documentation, whenever HubSpot changes the session cookie, this cookie is also set to determine if the visitor has restarted their browser. If this cookie does not exist when HubSpot manages cookies, it is considered a new session.
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
JSESSIONID	session	Used by sites written in JSP. General purpose platform session cookies that are used to maintain users' state across page requests.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_gat_UA-12183334-1	1 minute	No description
AnalyticsSyncHistory	1 month	No description
CONSENT	16 years 9 months 23 days 12 hours 13 minutes	No description
UserMatchHistory	1 month	Linkedin - Used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor's preferences.
wp-wpml_current_language	1 day	No description

Emotet is Back: Stopping Malware with Endpoint Management

What is the Emotet Malware?

Prevention: how to fight against this malware ?

Securing Remote Access with Privileged Access Management

Monsters Are Real, Insider Ghosts Are Too

Related Blogs

Related Resources

Products

Solutions

Resources

About