In April, the Center for Internet Security announced that Emotet arrived in the U.S. This malware represents a serious threat. It has largely targeted financial organizations in Europe, but other industries also have been infected.
With Emotet’s recent arrival in the U.S., IT professionals should be aware of what this malware is, how it works and how they can protect their systems from it.
What Is Emotet?
Emotet malware generally arrives via email, often as part of a spam campaign. A user will click a malicious link, and the malware will download itself to that machine. It attempts to steal information such as victims’ bank account numbers, wire transfer information, usernames and passwords. Its goal is to conduct fraudulent transactions to steal money from its victims’ financial accounts or intercept and redirect valid transactions.
The malicious code puts itself persistently on a machine, attempting to steal login credentials by looking in the computer’s registry. It also has been known to add plug-ins to browsers and to use keyloggers, so it can not only see stored usernames and passwords but also copy information as a user enters it in websites or forms.
The malware may try to propagate itself through the network, looking for open shares and attempting to log in to them and spread itself laterally to other machines.
Recent versions of the malware appear to have evolved to evade detection. Most common antivirus tools are based on signatures or file hashes. Because Emotet changes to look different to antivirus tools, it’s harder to identify.
At CDW, we’ve seen the malware arrive at some organizations. Before IT teams realize they have an infection, they often notice an increased number of account lockouts. Users can’t log in because the malware on their machines is trying to spread itself throughout the network by logging into different network nodes. It does this by trying passwords from a dictionary of common, weak passwords and by reusing passwords that it learns from other systems.
For organizations with password policies that lock accounts after a set number of failed login attempts, this increase in lockouts is often the first notification IT staff have about the infection.
Protect Yourself from Emotet
IT teams can take some simple steps to make it less likely that they’ll suffer an Emotet infection or improve their ability to recover quickly.
1. Be Cautious About Clicking on Email Links
Organizations should train users to engage in good IT security practices and encourage them to report any suspicious emails or activities they might see. Rather than shame or get mad at users if they make a mistake, like clicking on a malicious link, encourage them to report what they did. Users naturally want to hide a mistake and hope no one notices. But if they help to identify an incident right away, IT staff may be able to contain an outbreak on the network.
2. Enable Filtering on Traffic That’s Leaving the Network
As Emotet attempts to call home, it tries to establish a connection outside the perimeter. If you have filters in place to look for that type of malicious activity, they can help identify and prevent malicious communication.