The Emotet malware trojan is threatening businesses once again, having seen a massive resurgence in recent months. In fact, several popular malware tracking sites list Emotet as the most prolific malware infection for the first quarter of 2019. That being the case, I wanted to spend a bit of time discussing what Emotet is, what it does, and how you can protect your organization.
What Is Emotet?
Emotet (which some sites refer to as the Emotet virus) was originally designed to be a banking trojan. It was engineered to steal sensitive banking information from infected computers.
Emotet has evolved over time. While Emotet still targets banking information, it also downloads additional trojans from the internet. The virus also turns infected machines into spam factories in an effort to propagate itself to other machines.
How Does an Infection Occur?
As is the case with so many other types of malware, Emotet is spread through phishing e-mail messages. You might have noticed a number of messages appearing in your Inbox over the last few months referencing an invoice or a large order. These messages were most likely designed to infect your system with Emotet.
The e-mail message includes an attached Microsoft Word document that uses macros to initiate the infection process. If the document is opened, the user will be instructed to click the Enable Editing button, followed by the Enable Content button. This enables the document's macros, causing the malicious script to run.
It has been reported that some Emotet variants are designed to detect whether malicious code is running inside a virtual machine. If the malware determines that it is running within a virtual machine, it will go dormant rather than attempting to do anything malicious. This behavior is presumably designed to trick IT professionals. Files that are suspected of being malicious are usually tested in a sandboxed environment, such as a virtual machine. The malware’s dormancy in this type of environment might lead some people to conclude that the file is safe.
Protecting Your Network against Emotet
There are several things that you can do to protect your network against Emotet. First, ensure that PowerShell execution policies are set to Restricted on all endpoint devices. As previously noted, Emotet attempts to download additional malware from several different websites. The download process is initiated through a PowerShell script. Setting the PowerShell execution policy to Restricted prevents PowerShell scripts in .PS1 format from running.
It is worth noting, however, that there are ways to bypass PowerShell’s execution policies. So, even though it is important to restrict the use of PowerShell scripts, you cannot assume that doing so will effectively block all malicious PowerShell code.
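The following script is an added example, not code from the original article. It audits the execution policy on an endpoint scope by scope, sets the LocalMachine scope to Restricted where no Group Policy already controls it, and, because the execution policy is not a security boundary, also checks whether PowerShell script block logging is enabled so that any script that does run is at least recorded. It assumes an elevated PowerShell session on a Windows host; the function names are my own.

```powershell
# Added example (not from the original article): audit the PowerShell execution policy
# on an endpoint and remediate the machine-wide scope. Assumes it is run from an
# elevated PowerShell session on a Windows host.

function Get-ExecutionPolicyReport {
    # Policy is resolved per scope; the first non-Undefined scope in precedence order wins.
    $scopes    = Get-ExecutionPolicy -List
    $effective = Get-ExecutionPolicy
    [pscustomobject]@{
        Effective    = $effective
        ByScope      = $scopes
        IsRestricted = ($effective -eq 'Restricted')
    }
}

function Set-RestrictedExecutionPolicy {
    # Sets the LocalMachine scope. A Group Policy ("Turn on Script Execution") in the
    # MachinePolicy scope overrides this; when one is present, change it in GPO instead.
    $machinePolicy = (Get-ExecutionPolicy -List |
        Where-Object Scope -eq 'MachinePolicy').ExecutionPolicy
    if ($machinePolicy -ne 'Undefined') {
        Write-Warning "MachinePolicy is '$machinePolicy' (set by Group Policy); Set-ExecutionPolicy will not override it."
        return
    }
    Set-ExecutionPolicy -ExecutionPolicy Restricted -Scope LocalMachine -Force
}

function Test-ScriptBlockLogging {
    # The execution policy can be bypassed, so confirm script block logging is on;
    # this is the registry value the corresponding Group Policy setting writes.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $v = Get-ItemProperty -Path $key -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.EnableScriptBlockLogging -eq 1)
}

$report = Get-ExecutionPolicyReport
$report.ByScope | Format-Table -AutoSize
if (-not $report.IsRestricted) { Set-RestrictedExecutionPolicy }
if (-not (Test-ScriptBlockLogging)) {
    Write-Warning 'Script block logging is not enabled; scripts that bypass the policy will leave no record.'
}
```

Run it once per endpoint (or push it through your management tooling) and keep the scope table in the output: the effective policy shown at the top is what matters, and if MachinePolicy or UserPolicy is defined, the fix belongs in Group Policy rather than on the local machine.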
Another thing that you can do is to ensure that all of your operating system patches are up to date. Last year, WannaCry (a particularly notorious ransomware infection) caused massive damage to computer systems all over the world. One of the reasons WannaCry was so effective was that it exploited a Windows SMB vulnerability that has become known as EternalBlue. Microsoft has patched the EternalBlue vulnerability, but some strains of Emotet reportedly attempt to exploit EternalBlue in hopes that the system the malware has infiltrated has not been patched.
Another thing that you can do to help prevent Emotet infections is to configure your organization’s Group Policy to prevent Office macros from being able to execute. Before doing so, you will need to check if anyone in the organization uses the macro feature. If not, then disabling macros can go a long way toward improving your security.
To prevent macros from running, you will need to install the administrative templates for your version of Office. Once installed, open the Group Policy Editor and go to User Configuration | Administrative Templates | Microsoft Word <your version> | Word Options | Security | Trust Center. Within the Trust Center, there is a group policy setting that you can enable called Block Macros From Running in Office Files From the Internet.
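As an added example (not code from the original article), the script below checks the registry value that the Block Macros From Running in Office Files From the Internet policy writes for the current user, reports the state per application before changing anything (useful for the "does anyone use macros?" check above), and enables it where it is missing. It goes slightly beyond the article's Word-only path: the same policy exists for Excel and PowerPoint, so all three are covered. It assumes Office 2016/2019/365, whose registry version key is 16.0; the version variable and function names are my own.

```powershell
# Added example (not from the original article): verify and, if absent, set the registry
# value written by the "Block macros from running in Office files from the Internet" policy
# for the current user. Assumes Office 2016/2019/365 (registry version key 16.0);
# older versions use a different version number under the same path.

$OfficeVersion = '16.0'                     # assumption: adjust for your installed version
$Apps = 'Word', 'Excel', 'PowerPoint'       # the policy exists for each of these applications

function Get-MacroBlockStatus {
    # Reports, per application, whether the policy value is present and set to 1.
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $v = Get-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Application = $app
            Blocked     = ($null -ne $v -and $v.blockcontentexecutionfrominternet -eq 1)
        }
    }
}

function Enable-MacroBlock {
    # Writes the same value Group Policy would. GPO remains the preferred mechanism,
    # since it reapplies on every policy refresh and the user cannot undo it.
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name blockcontentexecutionfrominternet `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Show the current state first, then remediate only the applications that need it.
Get-MacroBlockStatus | Format-Table -AutoSize
if (Get-MacroBlockStatus | Where-Object { -not $_.Blocked }) {
    Enable-MacroBlock
    Get-MacroBlockStatus | Format-Table -AutoSize
}
```

Because the value lives under the Policies hive, a user cannot clear it from the Trust Center dialog; once the Group Policy setting is deployed, the Get-MacroBlockStatus report is a quick way to confirm it actually landed on a given endpoint.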
Of course, the most important thing you can do to protect your users from Emotet is to prevent them from opening malicious e-mail attachments. I strongly recommend taking the time to educate users about the dangers of e-mail attachments and the signs that an attachment may be malicious. That alone is not enough, however. I have heard stories of disgruntled employees intentionally opening infected attachments in an effort to get revenge against the company for a perceived grievance. As such, it is a good idea to leverage a mail gateway that filters malicious messages before the user ever sees them.