Morphisec Cybersecurity Blog

The Notorious Emotet Is Back: What Organizations Need to Know

Written by Michael Gorelik | November 18, 2021 at 7:41 PM

Almost a year after an international law enforcement effort supposedly defeated it, Emotet, aka "the world's most dangerous botnet," has returned. Earlier this week, German security researcher Luca Ebach reported seeing malware with Emotet-like characteristics deployed on Windows machines. After a manual investigation, Ebach discovered that his test devices, which had already been infected with TrickBot trojans, were indeed trying to download an Emotet-like DLL. Describing the malware's resemblance to Emotet, Ebach observed that it "smells like Emotet, looks like Emotet, behaves like Emotet – seems to be Emotet."

Since then, Ebach's observations have been confirmed by other cybersecurity experts such as Whitehat hacking group Cryptolaemus who have also noted that the recently observed version of Emotet also appears to have evolved new methods of obfuscation. Researchers at the Bern University of Applied Sciences now report that the number of Emotet command and control nodes has doubled since the start of the week. Clearly, Emotet is coming back strong, and it is invisible to Antivirus (AV) solutions that do not leverage breach prevention solutions, such as Morphisec, that use Moving Target Defense to stop advanced attacks like Emotet that AV and EDR cannot stop.

Network Access for Rent

First discovered in 2014 by TrendMicro, Emotet quickly grew from a banking trojan into the leading botnet used by cybercriminals worldwide to send spam emails and install payloads. Polymorphic and capable of deploying filelessly, Emotet soon became notorious for its ability to avoid security controls and spread laterally across victim networks. Because it does not have a recognizable signature and effectively reconstructs itself each time it deploys from device memory, Emotet's invisibility to antivirus solutions left countless enterprises vulnerable. 

Once it infects an endpoint, Emotet will aggressively try to access any connected networks by brute-forcing passwords. With millions of corporate devices poorly protected by simplistic passwords, this capability assures lateral movement within many enterprises. Emotet's goal is to not only steal data but also to create persistent access routes into victims’ networks. The cybercrime gang behind Emotet, thought to be based in Eastern Europe, has profited immensely from leveraging this method of action, renting ill-gotten access to victims' networks to threat actors armed with further threats like ransomware.

Invisible to Antivirus Solutions

Traditionally, Emotet has been deployed through malicious Word documents that come attached to spam emails. Phishing victims opening attachments like invoices or purchase orders would be prompted to enable macros and thus install Emotet malware unwittingly. Although the return of Emotet appears to have started with devices already infected with the TrickBot trojan, direct email distribution of today's resuscitated Emotet has already been noted by Cryptolaemus. 

Capable of silently infecting large numbers of connected devices from only a few initial points of access and bypassing even the most advanced antivirus solutions, Emotet is an immense cybersecurity threat. It can also recognize virtual machine environments and avoid sandboxes. These kinds of capabilities have previously led the Department of Homeland Security to describe Emotet as "among the most costly and destructive malware." The organization estimates that an Emotet attack can cost up to $1 million per incident to remediate even without accounting for the costs that subsequent follow-on attacks like ransomware can have. Terrifyingly, in December last year, Emotet was thought to be targeting around 100,000 users per day —  impacting 7% of organizations worldwide.

Proactive Defense Is Critical

Defending against the resurgent threat Emotet poses starts with cybersecurity training for staff. Because Emotet has been, and is most likely to be, delivered through malicious emails, every individual should know to never enable a macro within an attachment unless they are sure it is safe. By default, all devices should also have third-party macros disabled. To mitigate lateral movement, password hygiene within networks is vital, and insisting on 2FA for network access is strongly recommended. 

Alongside these proactive cybersecurity measures, having an effective preventative tool in place is vital. Although antivirus solutions can neither detect nor stop at time zero, Emotet or any other kind of fileless malware, solutions that use Automated Moving Target Defense (AMTD) can. Because MTD morphs memory, threats like Emotet cannot find their targets and end up isolated and trapped.

Critically, this process happens at the endpoint and doesn't rely on telemetry, meaning that endpoints secured with Automated Moving Target Defense can reliably defeat fileless malware before it breaches the network perimeter. The "defeat" of Emotet by Europol, reportedly through exploiting a bug in the malware's code, was heralded as a major cybersecurity win back in January of this year. Unfortunately, as Emotet's resurgence shows, powerful malware is unlikely to be eradicated by law enforcement actions alone.

The reality is that defending against malware like Emotet is up to organizations themselves. As a market leader in preemptive cyber defense against fileless attacks, Morphisec is ready to help organizations meet this challenge.