In this article:
- Emotet’s primary functions
- Evasive tactics used by Emotet
- Previous iterations of Emotet
- Emotet Ecosystem – Sophos Infographic
- How the Emotet variant executes
- Mitigation strategies for healthcare IT administrators
Emotet Malware Variant Uses New Evasive Tactics in 2021
The Emotet trojan malware variant has now resurfaced after a two-month period of relative quiet. Armed with new evasive methods, the hackers behind it are sending over 100,000 emails per day, with healthcare a primary target.
Recent reports issued by Malwarebytes and Cofense suggest that these attacks are an evolved version of previous campaigns against the healthcare sector, in which Emotet was paired with Ryuk and the TrickBot trojan, so a re-assessment of network security is critical.
“Emotet has a few primary functions. It acts as an information stealer, harvesting credentials, contact lists and email content from an infected machine,” Cofense explained. “It adds the contacts to its target list and builds and sends authentic-looking emails using the stolen email content. Finally, it can deliver other malware as a secondary payload, often leading to separate attacks such as ransomware.”
Emotet is one of the most prolific malicious email senders. The last known campaign detected in the wild ran just before Christmas, when the cyber criminals alternated between social-engineering and phishing lures. This information comes from Malwarebytes, who observed that Emotet not only added an error-message DLL as part of the payload but also used COVID-19 related lures built around vaccine rollout information.
New Evasive Tactics
The new tactics include an email attachment that claims to be a protected document and requires macros to be enabled before the user can view it. The document then uses a malicious macro to install the malware.
A previous iteration of Emotet did not alert users: once the macro ran, there was no visible response from the operating system or application, which allowed the malware to install undetected.
The latest version of Emotet now displays an alert dialog box informing the user that Microsoft Word encountered an error and the file could not be opened.
“This gives the user an explanation why they don’t see the expected content, and makes it more likely that they will ignore the entire incident while Emotet runs in the background,” Cofense explained.
“Emotet’s active periods have been unpredictable, and its authors have made an effort to adapt both the email campaigns and the malware to spread more effectively,” Cofense concluded.
The hackers have also changed how the malware executes. Emotet was previously delivered as an executable file, but the latest version arrives as a DLL file, launched with the rundll32.exe program built into Microsoft Windows.
The command-and-control communication has also been updated to use binary-encoded traffic instead of plain text. Together, these changes make it harder for system administrators to detect a successful installation and the subsequent compromise.
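As an added defender-side example (not code from the article, Cofense or Malwarebytes), the following Python scores process-creation events for the DLL-via-rundll32.exe pattern described above: rundll32.exe spawned by an Office application, or loading a DLL from a user-writable path. The event format, user name, paths and file names are constructed for illustration and do not correspond to a real log source.

```python
import re

# Constructed process-creation events in a simplified "key=value|key=value" form
# (not real Sysmon output); lines 1 and 3 mimic the rundll32 DLL launch, 2 and 4 are benign.
SAMPLE_EVENTS = [
    "ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
    "|Image=C:\\Windows\\System32\\rundll32.exe"
    "|CommandLine=rundll32.exe C:\\Users\\jsmith\\AppData\\Local\\Temp\\invoice.dll,Control_RunDLL",
    "ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\rundll32.exe"
    "|CommandLine=rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL",
    "ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\rundll32.exe"
    "|CommandLine=rundll32.exe C:\\Users\\jsmith\\Downloads\\setup.dll,Run",
    "ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Program Files\\Mozilla Firefox\\firefox.exe"
    "|CommandLine=firefox.exe",
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\", re.I)
DLL_ARG = re.compile(r"(?:^|\s|\")([a-z]:\\[^,\s\"]+\.dll)", re.I)


def parse_event(line):
    """Split one event line into a dict (hypothetical format, see comment above)."""
    return dict(field.split("=", 1) for field in line.split("|"))


def assess_rundll32(event):
    """Score a process-creation event: number of Emotet-style indicators matched."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if image != "rundll32.exe":
        return 0, []
    reasons = []
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    if parent in OFFICE_PARENTS:          # loader spawned by a macro-bearing document
        reasons.append("office parent")
    match = DLL_ARG.search(event.get("CommandLine", ""))
    dll = match.group(1) if match else ""
    if dll and USER_WRITABLE.search(dll):  # DLL dropped under the user profile
        reasons.append("dll in user-writable path")
    elif not dll:
        reasons.append("no dll path on command line")
    return len(reasons), reasons


def find_suspicious(lines, min_score=1):
    """Return (command line, score, reasons) for every event at or above min_score."""
    hits = []
    for line in lines:
        event = parse_event(line)
        score, reasons = assess_rundll32(event)
        if score >= min_score:
            hits.append((event.get("CommandLine", ""), score, reasons))
    return hits
```

Raising min_score to 2 keeps only events that match both indicators, which cuts noise from legitimate rundll32 use at the cost of missing loaders launched by a non-Office parent.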
Mitigation Strategies – What Admins Can Do Right Now
Healthcare system administrators should ensure that email attachment types commonly used in malware attacks, such as .exe and .dll, as well as attachments that cannot be scanned by antivirus software, are blocked by group policy.
Group Policy Object and firewall rules should also be in place, along with a formalized patch management process, an antivirus program, and filters implemented at the email gateway. At a minimum, suspicious IP addresses should be blocked at the firewall and with DNS filtering/blocking.
Perimeter and internal security can be validated by using a deception and decoy system, so that any breaches are monitored in real time and attackers probing for entry points are tracked.
Other mitigation tactics include ensuring sensitive data is encrypted at all times and enforcing access controls across the entire organization to prevent lateral movement. Endpoints should enforce strong password policies or Active Directory authentication, with oversight by system administrators.
Safeguarding Facilities, Patient Care & Medical Devices
CybX is a full-service technology provider that protects healthcare organizations and providers with a powerful set of custom-configured solutions, delivering Quantum Safe encryption designed to Protect Data First. CybX delivers resilient solutions that prevent network threats from reaching data or infrastructure, and secures mobile devices through disruptive apps.
CybX Security ensures a safe, secure computer-based operating environment, adhering to the strictest standards and compliance requirements.