Emotet: How to Detect & Eradicate

30th October 2020


Emotet is one of the most expensive and troublesome strains of malware, costing organizations over a million dollars per incident to remediate (source). The malware has been wreaking havoc in both the private and public sectors for over five years but had more recently begun to fade away as ransomware stole the security community spotlight. However, the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) have observed Emotet roaring back to life, triggering 16,000 alerts in CISA’s EINSTEIN IDS in July of 2020 (source).

Emotet is sophisticated and dynamic. It enters networks through phishing emails and subsequently proliferates by moving through shared drives and brute-forcing user credentials (source). It uses a variety of tactics, techniques, and procedures (TTPs), including WMI, file obfuscation, network sniffing, remote service exploitation, and data exfiltration, among others. CISA and MS-ISAC published the following image in their Emotet Alert (AA20-280A), displaying the tools and techniques employed by Emotet using the MITRE ATT&CK framework:

CISA and MS-ISAC also published a list of industry best practices recommended to specifically help organizations thwart the Emotet threat. Many of these recommendations are industry best practices that can help network defenders protect their teams from a myriad of different malware strains. Unfortunately, many of the mitigations require different tools which can be cumbersome and costly for smaller businesses to manage. CyGlass can help.

CyGlass is a network defense platform which leverages cutting-edge AI/ML algorithms to cut through the network noise and highlight key issues your network defense team should address. CyGlass is a tool designed to detect anomalies on your network so your teams can take immediate action when it comes to network threats and availability challenges. Most, if not all, organizations now have antivirus software that can detect known threats based on a signature. Attackers are savvy. They know antivirus is deployed ubiquitously and can make small tweaks within their programs to evade even the best antivirus software to access your critical and financial assets. CyGlass picks up where antivirus leaves off by detecting behaviors that do not trigger signature-based alerts. It also simplifies your network defense ecosystem by presenting key insights with a best-in-class user interface.

Taking a vast network and dividing it into smaller subnets or VLANs provides network segmentation, which makes it more difficult for malware like Emotet to spread. CyGlass monitors each subnet in your environment for unusual behavior, alerts you to it, and also discovers new assets and subnets.

Adding and labeling assets and subnets in your environment helps you keep an accurate asset inventory and network map, which are critical for supporting the industry best practices required to protect your environment. Asset inventories help determine whether all devices are adequately patched, and strategic network segmentation stymies malware proliferation while providing faster network performance and lowering network maintenance costs.

Another example of how CyGlass can prevent worm-like trojans such as Emotet from spreading in your environment is by informing your team of abnormal lateral communication which is often an indicator of compromise. In the example below, CyGlass detected abnormal scanning within the network from the printer.

Depending on the design of this network, the printer may be trying to re-establish legitimate connections, or it could be acting as a pivot for an attacker to gain more credentials and escalate privileges. With a couple of clicks, CyGlass can show you everything you want to know about the behavior, including the relevant ports and protocols involved, key assets, a behavior map, and how the present behavior deviates from your observed baseline. The behavior map for this alert shows bi-directional communications between the printer and several devices and IPs.

The network traffic during the time of this behavior is also higher than usual. CyGlass uses NetFlow data to present network information. The chart below shows the spike in printer traffic activity using one of the dozens of combinations available in CyGlass network traffic filters.
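The scanning alert described above rests on one measurement: a host's distinct-destination fan-out compared against its own NetFlow baseline. The following is an added example, not CyGlass code; the baseline samples, the flow records, and the addresses are all constructed to mirror the printer scenario.

```python
"""Flag hosts whose lateral fan-out deviates from their NetFlow baseline.
Added example, not CyGlass code; the baseline and flow records are constructed
to mirror the printer-scanning alert described above."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline: distinct internal destinations per host per 5-minute
# window, one sample per window, over a quiet week.
BASELINE = {
    "10.0.5.20": [2, 2, 3, 2, 2, 3, 2],         # printer
    "10.0.1.10": [40, 45, 38, 42, 44, 41, 39],  # Active Directory Server 1
}

# Constructed NetFlow-style records for the current window:
# (src, dst, dst_port, proto, bytes). The printer sweeps eight hosts on SMB.
FLOWS = [("10.0.5.20", "10.0.1.10", 445, "tcp", 1200)] + [
    ("10.0.5.20", f"10.0.2.{i}", 445, "tcp", 300) for i in range(11, 19)
] + [
    ("10.0.1.10", "10.0.2.11", 88, "tcp", 5000),    # normal Kerberos traffic
    ("10.0.1.10", "10.0.2.12", 389, "tcp", 7000),   # normal LDAP traffic
    ("10.0.9.99", "10.0.1.10", 389, "tcp", 400),    # host with no baseline
]

def fan_out(flows):
    """Distinct destination hosts and ports per source address."""
    dests, ports = defaultdict(set), defaultdict(set)
    for src, dst, dport, _proto, _nbytes in flows:
        dests[src].add(dst)
        ports[src].add(dport)
    return {s: (len(dests[s]), sorted(ports[s])) for s in dests}

def detect_lateral_scan(flows, baseline, k=3.0, min_new=5):
    """Return {src: (observed, threshold, ports)} for sources whose distinct
    destination count exceeds baseline mean + k*stddev by at least min_new
    hosts. Sources with no baseline are returned with threshold None: an
    unknown talker is a new asset to inventory, not a scan verdict."""
    alerts = {}
    for src, (observed, ports) in fan_out(flows).items():
        hist = baseline.get(src)
        if hist is None:
            alerts[src] = (observed, None, ports)
            continue
        threshold = mean(hist) + k * pstdev(hist)
        if observed > threshold and observed - mean(hist) >= min_new:
            alerts[src] = (observed, round(threshold, 1), ports)
    return alerts
```

The `min_new` floor keeps a host with a near-zero baseline from alerting on a single extra destination, which is the usual source of noise with pure standard-deviation thresholds.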

One of the key assets involved in this traffic is Active Directory Server 1. Active Directory Servers and domain controllers are some of the highest value assets within an organization for an attacker to control because they provide authentication information for the entire Windows enterprise network. An analyst using CyGlass may want to examine this Active Directory server to see if any abnormal behavior is occurring and take steps to harden the device. This particular server has a threat score of 43 which indicates there is room for improvement in terms of hardening the device.

After viewing this information, your analyst will likely take a closer look at traffic coming from the printer, initiating your incident response process if required, or adjusting a setting to diminish the chatter and restore any suspended printing activities. He or she can also start examining the threat scores of critical devices present in the alert to improve the organization’s security posture and prevent future compromise.

CISA also describes how Emotet exfiltrates information over a command and control (C2) channel. This can be done in a variety of ways including HTTP and DNS tunneling. CyGlass alerts to both of these behaviors so your network security team can immediately validate whether this behavior is approved and take subsequent action.
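DNS tunneling of the kind mentioned above leaves a recognisable footprint in resolver logs: one client sending many unique, long, high-entropy subdomains toward a single registrable domain, often as TXT queries. The following is an added example of that heuristic, not CyGlass code; the log lines, client addresses and the `example-tunnel.test` domain are constructed.

```python
"""Score DNS queries for tunneling indicators. Added example, not CyGlass
code; the resolver log below is constructed."""
import math
from collections import defaultdict

def _hex_label(i, n=24):
    """Constructed stand-in for an encoded-data label (24 hex characters)."""
    return "".join(f"{(7 * i + 13 * j) % 16:x}" for j in range(n))

# Constructed resolver log: "<client> <query name> <record type>" per line.
DNS_LOG = "\n".join(
    ["10.0.3.7 www.example.com A", "10.0.3.7 mail.example.com A",
     "10.0.3.7 example.com A", "10.0.3.7 cdn.example.net A"]
    + [f"10.0.3.9 {_hex_label(i)}.example-tunnel.test TXT" for i in range(16)]
)

def shannon_entropy(s):
    """Bits per character; encoded payloads sit near 4 for hex, ~5 for base32."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def parse(log):
    for line in log.strip().splitlines():
        client, qname, qtype = line.split()
        yield client, qname.lower().rstrip("."), qtype

def tunneling_candidates(log, min_unique=10, min_len=20, min_entropy=3.0):
    """Return {(client, parent_domain): metrics} for pairs whose subdomain
    payloads are numerous, long and high-entropy at the same time."""
    stats = defaultdict(lambda: {"labels": set(), "lens": [], "ents": [], "n": 0})
    for client, qname, _qtype in parse(log):
        labels = qname.split(".")
        if len(labels) < 3:        # bare registrable domain carries no payload
            continue
        parent = ".".join(labels[-2:])   # simplification: use the Public Suffix List in production
        payload = ".".join(labels[:-2])
        s = stats[(client, parent)]
        s["labels"].add(payload)
        s["lens"].append(len(payload))
        s["ents"].append(shannon_entropy(payload))
        s["n"] += 1
    out = {}
    for key, s in stats.items():
        uniq, mean_len = len(s["labels"]), sum(s["lens"]) / s["n"]
        mean_ent = sum(s["ents"]) / s["n"]
        if uniq >= min_unique and mean_len >= min_len and mean_ent >= min_entropy:
            out[key] = {"unique": uniq, "mean_len": round(mean_len, 1),
                        "mean_entropy": round(mean_ent, 2)}
    return out
```

Requiring all three indicators together is what keeps CDN and cloud hostnames, which are numerous but short and low-entropy, out of the result.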

The tunneling alert described here can be further evaluated within the CyGlass platform which offers a convenient GUI and filter options for fast and easy NetFlow parsing. The tunneling behavior described above is also depicted in the behavior map as shown below.

Behavior and network maps are critical for triaging and diagnosis of network events and documenting incidents in organizations with a strong security posture and mature incident handling process.

Emotet is a sophisticated malware that is challenging to detect and costly to eradicate. It leverages several tools and techniques within the MITRE ATT&CK framework, each presenting network defenders an opportunity to detect the behavior, respond accordingly, and recover rapidly. CyGlass makes the entire incident response process simple and user friendly so your team knows how to harden your network using asset classification and network segmentation and respond to threat behavior detected in your environment. To learn more about what CyGlass can do to protect your network from malware like Emotet, please contact us for a demo.