The Emotet virus is a computer worm. First reported in the USA in 2014, it has evolved, been modified and has been present in attacks all over the world since then.
In its early versions, it was dedicated specifically to attacking banking services: its aim was to infiltrate financial systems in order to retrieve personal and sensitive data from bank accounts. Over the course of its development, it has gained the ability to install other malware and to attack other business sectors.
The ANSSI (Agence Nationale de Sécurité des Systèmes d’Information) reports that since the beginning of the summer it has been specifically targeting companies and public administrations. A number of attacks have been detected in France in recent months, sometimes with significant impact on the affected IT systems.
Intelligent, polymorphic malware
Polymorphic and modular in nature, Emotet is a virus that is particularly difficult to detect and thwart. In the version currently in circulation, it essentially acts as a Trojan horse: its aim is to infiltrate a workstation, after which it spreads across the network using known software vulnerabilities. Finally, once established, it downloads and installs other viruses and malware from compromised servers. In some cases it can update itself from these servers to change its form, signature and behavior.
It is deployed on a massive scale via waves of phishing and spam e-mails. It also harvests conversations from the infected workstation’s mailbox and generates a fake reply to an existing thread that carries the virus. These messages contain dangerous links, either directly in the body or via attachments, which trigger the installation of the virus. Any file type can be delivered this way: Office documents, PDFs, archive files, etc.
There are several steps to protect yourself from the virus:
As we have seen, it exploits software flaws, particularly in the operating system, to spread over the local network, so it’s vital to ensure that all systems in the fleet are kept up to date.
In the same vein, antivirus vendors have quickly added signatures for this malware and are able to detect it, but a simple disinfection does not necessarily remove the virus completely. It’s essential to keep your PC protected with a regularly updated antivirus program.
As noted above, this Trojan uses compromised servers to download new threats and update itself. That’s why it’s important to use a proxy server capable of controlling and, if necessary, blocking Internet access from company workstations.
Finally, and probably most importantly, the malware is deployed by e-mail, via spam or phishing. That’s why it’s vital to have high-performance anti-spam protection to block these threats before they reach your information system.
An often overlooked but crucial point is user awareness and training. Knowing how to identify the sender of an e-mail, recognizing where a link actually points and knowing whom to report doubts to can help prevent a systemic infection.
Measures taken by Altospam
As soon as the attack was reported, Altospam integrated the countermeasures recommended by all cybersecurity players:
– We have integrated into our analysis engines recommendations provided by Cryptolaemus, a community project listing infected servers.
– As far as antivirus software is concerned, we have put in place rules, provided by the cybersecurity research community, that search attached files for elements indicating the presence of the virus.
– By analyzing the messages received, we created rules specific to the messages involved in the attack.
– We have also stepped up our analysis of Office, PDF and Zip file attachments, which are the main vector for these attacks. To this end, the sandbox system for analyzing attached files has been improved.
– A dedicated real-time blacklist (RBL), set up by a group of local authority CISOs, has been integrated. It identifies and blocks the hacked servers used to send spam carrying the virus.
– Given the impossibility of analyzing their content, messages containing password-protected archive attachments (ZIP, RAR, 7z, etc.) are currently blocked. This is a temporary measure, but for the time being it is essential to ensure the security of the systems we protect.
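As an added illustration of that last measure (example code written for this article, not Altospam’s own filtering engine), the following checks a ZIP attachment for password-protected members by reading the encryption bit of each central-directory entry, and returns a block verdict for such archives or for archives that cannot be parsed at all. It covers ZIP only (not RAR or 7z), assumes no ZIP64 or archive comment, and builds its own constructed sample archives rather than reading real mail.

```python
import io
import struct
import zipfile

CD_SIG, CD_FIXED = b"PK\x01\x02", 46      # central directory file header
EOCD_SIG = b"PK\x05\x06"                  # end of central directory record
FLAG_ENCRYPTED = 0x0001                   # bit 0 of the general purpose bit flag

def central_directory(data: bytes):
    """Yield (entry_offset, local_header_offset, name, flags) per entry.
    Extractors trust the central directory, so the encryption bit is read there.
    Assumption: no ZIP64 and no archive comment (out of scope for this sample)."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    count, cd_off = struct.unpack_from("<H4xL", data, eocd + 10)
    pos = cd_off
    for _ in range(count):
        if data[pos:pos + 4] != CD_SIG:
            raise ValueError("corrupt central directory")
        flags = struct.unpack_from("<H", data, pos + 8)[0]
        n_len, x_len, c_len = struct.unpack_from("<3H", data, pos + 28)
        local_off = struct.unpack_from("<L", data, pos + 42)[0]
        name = data[pos + CD_FIXED:pos + CD_FIXED + n_len].decode("cp437")
        yield pos, local_off, name, flags
        pos += CD_FIXED + n_len + x_len + c_len

def encrypted_members(data: bytes) -> list:
    """Names of members whose encryption bit is set (password-protected)."""
    return [n for _, _, n, f in central_directory(data) if f & FLAG_ENCRYPTED]

def attachment_verdict(filename: str, data: bytes) -> str:
    """Interim policy from the post: block ZIPs whose content cannot be scanned."""
    if not filename.lower().endswith(".zip"):
        return "pass"                      # other file types go to other scanners
    try:
        hits = encrypted_members(data)
    except (ValueError, struct.error) as exc:
        return f"block: malformed archive ({exc})"
    return f"block: password-protected members {hits}" if hits else "pass"

def make_sample(encrypted: bool) -> bytes:
    """Constructed sample: one-member ZIP; optionally set the encryption bit in
    the central directory and the local header, as a password-protected archive
    would carry it (the member data itself is left unencrypted)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.doc", b"constructed sample content " * 8)
    data = bytearray(buf.getvalue())
    if encrypted:
        for pos, local_off, _, flags in list(central_directory(bytes(data))):
            struct.pack_into("<H", data, pos + 8, flags | FLAG_ENCRYPTED)
            struct.pack_into("<H", data, local_off + 6, flags | FLAG_ENCRYPTED)
    return bytes(data)
```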