March 21, 2019 | Posted in Blue Teams and Purple Teams by Kyle Sheely

 

Chances are if you’ve been affected by cybercrime in the past year, you’ve been the victim of a banking trojan. Proofpoint’s latest quarterly threat report notes that over half of all successful email-based attacks were propagated by banking trojans (meanwhile ransomware, once one of the greatest threats to enterprises, came in at a mere .1% of total attacks).

This is no coincidence. Unlike the obtrusiveness of most ransomware attacks, where the attacker makes money by getting the victim to pay for the return of their files, a banking trojan is much more pernicious: infected hosts contribute to identity theft by quietly siphoning off sensitive information and login credentials, all the while using the host’s computing power to mine cryptocurrencies and send out spam emails in the background.

A look at Emotet, one of the most prominent banking trojan from the past 18 months, gives insight into the advanced and destructive nature that these attacks can wreak upon an organization.

 

 

Emotet

 

Emotet, also known as Geodo, has been around for almost five years and started off primarily self-distributed through attempts at brute-forcing user accounts. Attackers would attempt easily-guessable passwords and those found from compromised sites that were sold or published on the darkweb. Instituting password requirements, password rotation, and password lock outs were enough to thwart most initial Emotet iterations. Recently, however, it has gained and maintained relevance by switching to phishing campaigns that use enticing emails and malicious payloads that resist detection and analysis.

An attack usually starts by a victim receiving an email from either a spoofed sender address or a compromised legitimate account. The email and link/attachment are usually themed as something the user would want to click on due to its urgent (invoices, shipping notifications) or contextual (tax season, holiday season) nature. Recent iterations of these malspam emails have a malicious link or macro-enabled Word document which launch when clicked upon, in turn running a PowerShell script that either downloads or runs an already-downloaded malicious payload.

Emotet is largely resistant to signature-based detection because it is polymorphic, meaning it will change its code in slight but meaningful ways every time it is downloaded. Attackers will routinely change the IP addresses and domains that the links and attachments will reach out to, further evading detection solutions. It can also frustrate analysts looking to study the malware because if it senses that it’s in a virtual machine, it won’t download or execute its payload like it would in a normal environment.

emotet_example
1. A spoofed email attempts to convince a user that their tax return transcript was emailed by the IRS, encouraging them to click on a malicious, macro-enabled Word document which would download the Emotet payload.

 

Emotet is also modular in nature, meaning attackers are able to customize the payload and specify their malware campaign to fit their particular goals. While it primarily delivers trojans that scrape credentials and mine Monero (a cryptocurrency that obscures the source, amount, and destination of its transaction), it’s able to release a host of other attacks into an organization’s network, including ransomware. Once a system is compromised, however, most variations will look to establish persistence on the machine its currently on and spread to more machines by using captured credentials and send out more malicious emails via the victim’s email accounts.

An organization affected by a banking trojan like Emotet could have their sensitive or proprietary information stolen or altered and could witness a disruption to their productivity, files, and reputation. In some cases the cost for the remediation of an incident caused by Emotet costs upwards of $1 million (according to https://www.us-cert.gov/ncas/alerts/TA18-201A and https://www.infosecurity-magazine.com/news/allentown-struggles-with-1-million/).

Organizations can take measures to significantly reduce the chance of a successful Emotet phishing campaign. Here are some proactive steps that SRA recommends:

 

Preparation:

  • Purple Teams: Test yourself and inspect what you expect. Conducting a purple team campaign focused on the TTP’s that the Emotet campaigns use you’ll be able to create a defensive playbook to implement.
  • Email Defense: Help users discern a malicious email from a legitimate one by enabling DMARC and rules to mark external emails, which let your users know when an email is masquerading as an internal email. Security Risk Advisors encourages organizations to utilize an email defense platform that monitors and quarantines malicious emails at the gateway before a user ever sees that email.
  • Limit Macro Functionality: If a user clicks on an attachment and opens it, Emotet will attempt to run macros or PowerShell scripts to download payloads and establish persistence. By disabling auto-enabled macros and PowerShell for users that don’t need PowerShell, you limit the ability for an attacker to compromise a user’s endpoint via malicious attachment.
  • LSA Protection and Credential Guard: An attacker is going to want to escalate their privileges by gaining new credentials, oftentimes succeeding by dumping cleartext or hashed credentials stored in memory or a suspended VM. On Windows machines, you can prevent some of these credential attacks by enabling LSA Protection as well as Credential Guard within Windows 10. Both of these protections look to isolate credential processes that attackers love to exploit. While not bulletproof, both help to mitigate common credential dumping techniques.
  • Monitor, Alert and Hunt: Emotet will attempt to maintain persistence by creating other services and scheduled tasks that a user would never notice. Utilize built-in Windows functionality or a third-party application to monitor for scheduled task or service creation.  Conduct threat hunting exercises on the network looking for previously compromised systems.
  •  

    Response 

  • Quarantine and Investigate: Do your best to quarantine infected hosts from the rest of your network. Perform an investigation upon how the payload propagated and determine what variant it is. Depending on the variant, a simple restart after removing the malicious files could be enough to re-image the endpoint; others will require more serious changes, like backup restoration and the removal of current registry keys, startup items, or services. Security Risk Advisors recommends an EDR solution that will quarantine devices immediately upon detection of a malware infection.
  • Determine Blast Radius: Using your initial investigation, identify other hosts with similar activity and perform recovery upon those endpoints as well. Determining the vector of attack and the methods through which the attack propagated could reveal vulnerabilities in your architecture.
  • Reset Credentials: After devices have been successfully segmented and reimaged, make sure to reset accounts passwords for the hosts and applications that have been compromised. Don’t authenticate to infected systems with domain or shared local administrator credentials, as you could allow an attacker to gain further footholds in your network.
  • Implement Additional Monitoring: Continue to closely monitor those endpoints and your network as a whole for indicators of compromise gathered from your investigation and quarantining. Block those suspicious IP and domain addresses, hashes, macros, and filepaths that were found to execute during the attack. Seeing these still in your environment will be an indicator that a new infection has occurred or the old infection persists.
  •  

    Emotet isn’t going away, but that doesn’t mean you have to fear it. By practicing common sense principles regarding email and web use, a phishing campaign can be stopped before a banking trojan reaches your network.