The Bedel Security Blog

The Return of the Emotet Banking Trojan

Written by Brian Petzold | Oct 18, 2019

Since it was first identified in 2014, the Emotet banking trojan has kept making headlines because it keeps evolving and keeps being used in more sophisticated attacks. At first, Emotet stole banking credentials from victims who clicked a link in a malicious email message, with the messages usually claiming to contain an invoice or other business document.

Later versions added the ability to transfer money and to send copies of its malicious email messages to everyone in a victim's contact list. It also gained the ability to search the victim's existing email and reply to old threads with malicious content, which makes the message look legitimate and makes it more likely that the recipient will open the attachment.

More recent versions added the ability to spread from an infected computer to other computers on the same network (worm-like behavior) by brute-forcing access to those machines with lists of default and weak passwords. Emotet also became a loader that delivers other malware, including ransomware, and it was part of the infection chain in the 2019 ransomware attack on Lake City, Florida.

In the past two months, Emotet has reappeared in a big way. Most of the current attacks arrive as replies to past email threads, and the reply usually carries a Word document. When opened, the document displays a message claiming that Word has not been activated and tells the recipient to click a button to fix the problem. The "fix" is simply enabling macros (Word's own Enable Editing / Enable Content prompts): once macros are enabled, a macro attempts to download and install the Emotet malware.

To protect against Emotet and similar trojans, we recommend the following actions for financial institutions:

  1. Make sure system patching is kept current. Emotet, and the malware it delivers, often exploit known and already-patched vulnerabilities to gain a foothold after a user opens a document or link.

  2. Implement behavioral (heuristic) tools on endpoints and on the network to detect and block unusual activity, such as Word or Excel launching PowerShell or a command shell. Because Emotet is good at evading detection and changes its files constantly, traditional signature-based antivirus is often not successful in detecting the malware.

  3. Lock down PowerShell execution as much as possible in your institution. Emotet's macros and many other attacks use PowerShell to fetch and run their payload, so restricting who can run it (for example with AppLocker or Constrained Language Mode) and logging what it runs (script block logging) can stop or at least expose these attacks. Note that the PowerShell execution policy by itself is not a security control; attackers bypass it trivially.

  4. Train employees and customers to never click on buttons or instructions that appear after opening an Office document or spreadsheet, and to never enable macros in documents or spreadsheets unless they know for certain that the macro is safe to run. Office blocks macros by default and shows a warning bar instead, so attackers have to convince potential victims to enable them.

  5. Train employees not to click on links or attachments in emails when anything about them is suspicious, even if they appear to come from coworkers, vendors, or friends. An unexpected reply to an old email thread is a warning sign, and they should not open its contents.

  6. Train employees to use only strong, unique passwords and to always change default passwords, since Emotet spreads across a network by guessing exactly those.
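The PowerShell below is an added example, not part of the original post, showing how an administrator could apply recommendations 2 through 4 on a Windows endpoint: it sets Office policy keys so macros in files downloaded or received by email are blocked outright, turns on PowerShell script block and module logging so any download cradle is recorded in clear text, and hunts Sysmon process-creation events for an Office application spawning a script host. It assumes Office 2016/2019 (registry version "16.0"), Sysmon installed with Event ID 1 logging, and an elevated session; the process names, registry paths, and the base64 decoding of `-EncodedCommand` are assumptions about typical macro tradecraft, not details taken from this post.

```powershell
# Added example (not from the original post). Run elevated; try -WhatIf first.
# In production, push the same registry values through Group Policy instead of
# writing them per machine.
#Requires -RunAsAdministrator

function Set-OfficeMacroHardening {
    # Policy keys override the user-facing Trust Center settings.
    # VBAWarnings: 2 = disable with notification (the default "Enable Content" bar
    # that the lure abuses), 3 = only digitally signed macros run, 4 = all disabled.
    # blockcontentexecutionfrominternet = 1 blocks macros in any file carrying the
    # Mark-of-the-Web (email attachments, downloads) regardless of what the user clicks.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$OfficeVersion = '16.0',                      # assumption: Office 2016/2019
        [string[]]$Apps = @('Word', 'Excel', 'PowerPoint'),
        [ValidateSet(3, 4)][int]$VbaWarnings = 3
    )
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        if ($PSCmdlet.ShouldProcess($key, "VBAWarnings=$VbaWarnings, blockcontentexecutionfrominternet=1")) {
            New-Item -Path $key -Force | Out-Null
            New-ItemProperty -Path $key -Name 'VBAWarnings' -Value $VbaWarnings -PropertyType DWord -Force | Out-Null
            New-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -PropertyType DWord -Force | Out-Null
        }
    }
}

function Set-PowerShellLogging {
    # Script block logging writes the de-obfuscated script to Event ID 4104 in
    # Microsoft-Windows-PowerShell/Operational, so an encoded download cradle is
    # visible even if antivirus misses the file it fetches. Execution policy is
    # deliberately not touched: it is not a security boundary. Restricting who may
    # run PowerShell (AppLocker / WDAC, which also forces Constrained Language Mode)
    # is a separate policy deployment and is not scripted here.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    if ($PSCmdlet.ShouldProcess($base, 'enable script block and module logging')) {
        New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
        New-ItemProperty -Path "$base\ScriptBlockLogging" -Name 'EnableScriptBlockLogging' -Value 1 -PropertyType DWord -Force | Out-Null
        New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
        New-ItemProperty -Path "$base\ModuleLogging" -Name 'EnableModuleLogging' -Value 1 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*' -PropertyType String -Force | Out-Null
    }
}

function Expand-EncodedCommand {
    # "powershell -EncodedCommand <b64>" carries the script as base64 of UTF-16LE.
    # Decoding it exposes strings such as Net.WebClient, DownloadString or IEX.
    param([string]$CommandLine)
    if ($CommandLine -match '(?i)\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)') {
        try   { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1])) }
        catch { return '<invalid base64>' }
    }
    return $null
}

function Find-OfficeChildProcess {
    # Hunt Sysmon Event ID 1 for an Office parent spawning a shell or script host,
    # the behavior a macro dropper produces. Process-name lists are assumptions.
    param(
        [int]$Hours = 24,
        [string]$OfficeParents  = 'WINWORD\.EXE|EXCEL\.EXE|POWERPNT\.EXE|OUTLOOK\.EXE',
        [string]$ScriptChildren = 'powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe'
    )
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($event in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        $data = @{}
        ([xml]$event.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        if ($data.ParentImage -match $OfficeParents -and $data.Image -match $ScriptChildren) {
            [pscustomobject]@{
                Time        = $event.TimeCreated
                User        = $data.User
                Parent      = $data.ParentImage
                Child       = $data.Image
                CommandLine = $data.CommandLine
                Decoded     = Expand-EncodedCommand $data.CommandLine
            }
        }
    }
}

# Usage: dry-run the hardening, then apply it, then hunt the last three days.
Set-OfficeMacroHardening -WhatIf
Set-PowerShellLogging -WhatIf
Find-OfficeChildProcess -Hours 72 | Format-List
```

Start with `VBAWarnings = 3` (signed macros only) unless you have confirmed no business-critical unsigned macros exist; `4` silently disables everything and generates help-desk calls. Any hit from `Find-OfficeChildProcess` deserves a look at the `Decoded` field first, since a download cradle in a macro-spawned PowerShell is the Emotet pattern this post describes.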

If you find yourself having a hard time keeping up with threats, or even knowing what is and isn't a threat to your institution, we can help! Reach out to us any time at support@bedelsecurity.com.