
"Emotet" malware - BSI warns of new phishing wave
On our own behalf
The Federal Office for Information Security (BSI) issued a warning against the Emotet malware in a press release on 5 December 2018.
The malware was first observed in Germany and Austria in 2014.
While Emotet was originally a banking Trojan used to steal online-banking credentials, the malware has been heavily modified and improved in recent years.
BSI President Arne Schönbohm said: "In our assessment, Emotet is a case of cybercrime in which the methods of highly professional APT attacks have been adapted and automated. We already spoke of a new quality of threat in the BSI's current situation report and see this confirmed by Emotet. We therefore call on companies and organisations to protect their IT infrastructure and especially their critical business processes from this type of threat and to expand their IT security measures appropriately. Appropriate prevention can significantly reduce the risk of infection with Emotet."
Since September 2018, a new and extremely sophisticated variant has been circulating. It starts with a very classic phishing attack, but one of notably high quality. Once a device has been infected, Emotet uses several methods to spread. For example, Emotet reads stored e-mails and addresses from Outlook. This is aptly called Outlook harvesting; Emotet also makes sure to pick out contacts that have been communicated with recently. Weeks can pass between the original infection and the sending of the e-mails, during which Emotet observes and analyses the communication. Based on this, targeted phishing e-mails are then generated and sent automatically. This method is called spear phishing: instead of casting a wide net as in traditional phishing, specific people are targeted. These phishing e-mails are of very high quality and can hardly be distinguished from genuine ones.
In the e-mail, the user is asked to open an attached Word file and to enable the macros it contains. Anyone who follows this request infects their computer.
However, this is not the only method available to Emotet. If a computer in a network is infected, Emotet uses it as a bridgehead. Once this foothold is established, Emotet downloads further malware components and also uses known exploits and tools such as EternalBlue, EternalRomance or Mimikatz to spread on its own within the network. Even though Microsoft already provided a patch in May 2017, while WannaCry was raging, apparently not all companies have applied it yet. This can also bring down entire networks, as happened at the Fürstenfeldbruck district hospital in Bavaria, which was infected at the beginning of November. The infection caused the entire IT infrastructure to fail and normal work was no longer possible in the hospital. Patients had to be transferred to surrounding hospitals and new patients could only be admitted in emergencies. In addition, all of the hospital's bank accounts were blocked to prevent possible misuse.
Since the malware is constantly changing, it is difficult to detect with classic security solutions. One way to prevent an infection is to raise staff awareness. But active prevention is also possible, for example by automatically and proactively removing active elements from files. This is possible, for example, with Fortinet Content Disarm and Reconstruction (CDR). Such a solution strips active elements such as macros from the document carrying the malware before it is delivered, leaving a disarmed, harmless document. So even if an employee were to receive this e-mail and open the attachment, infection would no longer be possible.
Another possibility is so-called sandboxing. Here, the document is uploaded to an isolated environment where it is executed, observed and analysed. If no suspicious behaviour is observed within a set period, for example 15 minutes, the file is released. Both Fortinet and Sophos offer corresponding solutions.