Notorious Malware Threat Emotet Returns with Windows Update Trickery


Calvin Gan


“Emotet has emerged to be one of the more successful groups offering malware-as-a-service. We have seen Emotet forming different threat partnerships with different cyber-crime groups”, says Calvin GanManager of Tactical Defence Unit, F-Secure, in an exclusive interview with ITSecurityWire.


ITSW Bureau:  What are the major risks associated with the re-emergence of the Emotet malware?

Calvin Gan: One of the risks associated with Emotet is not so much that it’s in the computer, but what happens after it executes inside the network and gains a foothold. Once inside, Emotet has the ability to remain unnoticed while it silently performs reconnaissance actions such as mapping of the organization network or elevating account privileges before finally deploying additional payloads.

The Emotet threat actors are able to adapt quickly to breaking news by adjusting their spam email content and subject. They also continuously update their social engineering tricks for optimal success.

Sample Emotet spam subject headers have referenced Covid-19 or Donald Trump’s health condition. At the same time, their malicious documents have been updated with more templates, such as pretending to be a document created from a mobile device, hence driving users to enable macro in order to view it correctly.

The latest example also spotted Emotet documents presenting users with a fake out-dated Microsoft Word message, tricking users into clicking the “Enable Content” button.

Read More: How APIs can help hackers launch cybercrime campaigns

With a threat group that is able to adapt so quickly, this poses a risk to organizations, especially when they are playing catch up in understanding threats or even educating their users about them.

ITSW Bureau: How are botnet attackers successfully accessing corporate networks? Is this through utilizing thread hijacking or any other means?

Calvin Gan: Emotet has been effectively infiltrating companies through spam email campaigns containing malicious documents or links to malicious downloads as an effective lure.

The email lure has been known to use subjects designed to spur users into taking urgent action. Recent Emotet developments also include the capacity to hijack an email thread and send a response to increasing its chances of successful infection.

Emotet has also added the ability to steal email attachments to add to its credibility when spamming. These changes in tactics have made it harder for end-users to verify the legitimacy of emails received.

Upon successfully luring a victim to run its malicious attachment, Emotet is known to drop payloads that are capable of laterally moving across systems as well as stealing credentials.

ITSW Bureau: Why is the Emotet malware even more significant now than before?

Calvin Gan: Emotet has emerged to be one of the more successful groups offering malware-as-a-service. We have seen Emotet forming different threat partnerships with different cyber-crime groups, hence the variety of secondary payloads being dropped, which ranges from banking Trojans, Infostealers (information-stealing Trojan) and the more disruptive ransomware.

It is worth noting that the damage caused by Emotet may not be immediately apparent. The secondary payload may stay for days or weeks before finally executing, all the while gathering information about its environment. This underlines the importance of organizations having the capacity to detect and block Emotet execution at an early stage to prevent further disruption.

Read More: A Peek into the Cybercrime industry

ITSW Bureau: How can organizations best prepare themselves to combat the evolving risks of malware attacks?

Calvin Gan: We can look at this from two perspectives; the user and the technical aspect. The goal is to prepare but, at the same time, try to disrupt the attack as early as possible.

Let’s start with the user aspect. One of the most important steps is to educate users about the ever-changing threat landscape. Keeping them updated about the tactic change in Emotet or any other prominent threats would help users be more aware and ultimately prevent threats from being executed unintentionally.

It is also important for users to continuously practice what they have learned. For example, hold regular exercise drills on how to spot malicious versus legitimate emails or recap best practices for opening email attachments.

There should also be formal response plans describing what to do when an organization is breached. These plans should be rehearsed and, at the same time, communicated clearly to all employees so that everyone is aware of the next course of action. If there are lessons from the breach, they should be recorded and shared to prevent future attacks.

On the technical aspect, organizations should look into reviewing current policies and rules, from passwords to firewall user management and email policies. These policies form part of a living document that is updated daily in line with the constantly changing threat landscape.

Read More: Kubernetes Data Management Platforms Combating the Rising Data Storage, Security, and Recovery Risks

Organizations should also look into implementing email filters that block suspicious attachments, especially those with extensions commonly used by malware. When it comes to document files, it is worthwhile blocking macros and preventing the execution of PowerShell.

Finally, it goes without saying that software has to be kept updated to minimize attack vectors into the organization.

Calvin Gan has been with Finnish cybersecurity specialist F-Secure for more than 10 years. Since 2017 he has been Manager of the Tactical Defense Unit, responsible for leading a team of technical analysts and researchers focusing on cybersecurity domains, with the strength of ensuring end-to-end task execution.