Emotet – rising star of next-gen cyber attacks
13th December 2018
Emotet has been named as one of the next-generation malware stars of 2018 in the Malwarebytes report, ‘Under the Radar – The Future of Undetected Malware’. Emotet has been terrorising systems worldwide for much of the year, with large campaigns reported in both Q1 and Q3 of 2018. Between January and September 2018, it was detected and removed more than 1.5 million times using Malwarebytes software.
Not new but still improving
First reported in Germany, Austria, and Switzerland in 2014, Emotet built a formidable reputation as it attacked several high-profile banks and financial services organisations. It spread to the United States and the UK in early 2017, where the attacks used email as their primary vector and focussed on targets in local and national government departments.
The US Computer Emergency Team (US-CERT) issued a warning statement on 20th July 2018 concerning the impact of Emotet on state and local government organisations. It confirmed that this software continues to be among the most costly and destructive malware in the USA. Infections have cost government organisations up to $1 million per incident to remediate.
What is Emotet?
Emotet is an advanced, modular banking Trojan that primarily functions as a downloader or ‘dropper’ of a range of malware agents. Its worm-like features result in rapidly spreading network-wide infections, which are very difficult to combat. As a polymorphic Trojan, it is particularly efficient at establishing persistence on a computer by creating auto-start registry keys and injecting itself into running processes. It will also attempt to propagate to local networks using incorporated spreader modules and uses modular Dynamic Link Libraries (DLLs) to continuously update its capabilities.
Infections from phishing email
Fileless attacks are ten times more successful
Emotet is a classic example of a sophisticated fileless malware application. Current malware development methodology is focussed on creating software that is fileless, avoids detection and builds long-term persistence. The longer the malware is present on the system, the more chance it has of extracting the maximum amount of data (hence profit) and of infecting other machines. Fileless malware attacks are estimated to account for 35 per cent of all attacks in 2018, and they are almost ten times more likely to succeed than file-based attacks.
Traditional security solutions are not working
Malwarebytes outline the following shortcomings of conventional security solutions:
Issue 1 – Only looking at files
Older security measures will only search for known malware files and data. Fileless malware consists of transient executables and scripts which aim to use the existing software of the host computer to run processes and control network traffic.
Issue 2 – Only using signatures
Traditional antivirus software uses human-created signatures designed to help the product’s detection engine identify threats based on the code of previous malware. The new generation of malware constantly changes its digital signature to avoid detection by even the most up-to-date antivirus solution.
Issue 3 – Not checking process memory
Next generation fileless malware uses process memory to hijack legitimate processes for the sake of hiding network traffic or the malware itself. In some cases, malicious code is injected directly into a script run by Microsoft PowerShell. This results in the hijacking of a huge number of system and communication processes.
Next generation defences
The future of fighting cybercrime lies in being able to detect threats because they act like threats, not necessarily because they are recognised by their digital signatures. Dynamic behavioural detection uses AI and machine learning to identify and learn about suspicious processes and user interaction.
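As an added illustration of the behavioural detection described above (example code written for this page, not taken from the Malwarebytes report or from any product), the following Python routine runs simple behaviour rules over constructed endpoint telemetry for three of the behaviours this article attributes to Emotet: a script host launched beneath a document or mail client, an encoded PowerShell command line, and an auto-start Run key written by a binary outside the Windows directory. The event format, the file paths and the Word/Outlook parent relationship are assumptions made for the sample.

```python
import re

# Constructed sample telemetry (not real Emotet data): process-creation and
# registry-write records in the shape an EDR/Sysmon-style sensor might emit.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "parent": r"C:\Program Files\Microsoft Office\OUTLOOK.EXE",
     "cmdline": "WINWORD.EXE /n invoice.doc"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "cmdline": "powershell.exe -w hidden -enc PLACEHOLDER"},
    {"type": "registry", "image": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater",
     "value": r"C:\Users\alice\AppData\Local\Temp\svchost.exe"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "powershell.exe Get-Process"},
]

# Assumed parent processes that indicate an email-delivered document started the chain.
DOCUMENT_OR_MAIL_CLIENTS = ("winword.exe", "excel.exe", "outlook.exe")
# Well-known per-user/per-machine auto-start locations.
AUTORUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# powershell.exe accepts -e, -ec, -enc and -EncodedCommand for a base64-encoded script.
ENCODED_FLAG = re.compile(r"\s-e(c|nc|ncodedcommand)?(?=\s|$)", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the behavioural findings for one event (empty list if nothing matched)."""
    findings = []
    if event["type"] == "process" and basename(event["image"]) == "powershell.exe":
        if basename(event["parent"]) in DOCUMENT_OR_MAIL_CLIENTS:
            findings.append("script host spawned by document/mail client")
        if ENCODED_FLAG.search(event["cmdline"]):
            findings.append("encoded PowerShell command line")
    if event["type"] == "registry" and AUTORUN_KEY.search(event["key"]):
        # Legitimate installers usually run from the Windows or Program Files trees;
        # a Run key pointing at a user-writable Temp path is the persistence pattern above.
        if not event["image"].lower().startswith("c:\\windows\\"):
            findings.append("auto-start Run key written by non-system binary")
    return findings


def triage(events):
    """Pair each finding with the index of the event that produced it."""
    return [(i, f) for i, ev in enumerate(events) for f in classify(ev)]
```

Behaviour rules of this kind are independent of file hashes, so a polymorphic dropper that changes its binary between campaigns still trips the same three checks.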
Blocking at delivery
Cyber security protection should be delivered on each endpoint computer device in an IT system. An essential aspect of fighting modern threats is identifying the danger before the threats can get established. Given the increasing use of fraudulent email, it is crucial to prevent email infection using anti-phishing technology and user awareness training.
An increasing number of cyber attacks attempt to disable or remove the existing security tools employed on the host IT system. Security solutions of the future need to have sophisticated and adaptive self-defence modes.
Wizard Cyber delivers CYBERSHIELD MDR-ENDPOINT as a managed service that combines Next Generation Antivirus, Endpoint Detection & Response, and the latest global cyber threat intelligence information needed to detect and remediate all fileless cyber attacks. We also offer a comprehensive technical and staff training solution designed to protect your organisation from email phishing.