The best way to defend your organization from Emotet is with a security solution like SentinelOne that uses ActiveEDR. Unlike the passive EDR solutions that increase the workload on your SOC team, ActiveEDR is a means of detecting and remediating threats completely autonomously on the endpoint itself. The SentinelOne agent doesn't rely on knowing any specific information about URLs or strings in a binary. That way of defending against malware is no longer viable. Where you can't identify malicious files, you need to identify malicious behavior.
A notorious malware family that has been on a resurgent path since last year has received a major update this week that will send shivers down any organization's back. According to a report from Kryptos Logic shared earlier today with ZDNet, the Emotet malware family has started mass-harvesting full email messages from infected victims, starting yesterday. The Emotet group has been around since 2014, when they first started spreading the first version of their malware, which worked as a full-on banking trojan. This banking trojan was never a massive threat and slowly died out over the next three years, until the summer of 2017, when the Emotet gang revamped their code and turned the original Emotet banking trojan into a modular malware family that was primarily used to infect users and then deliver secondary payloads for other criminal groups -- in a classic pay-per-install scheme. Ever since last summer, Emotet has been growing, and growing, and growing -- both in capabilities and in the number of victims it has infected.
Cyber criminals are always looking for brand new ways of making money and causing destruction -- or, even better, both at once. The last 12 months have seen a boom in malicious cryptocurrency mining whereby cyber attackers secretly hijack the processing power of computers, servers and even IoT devices and use it to mine for cryptocurrency. While it might not be rapidly lucrative for the crooks involved, it's stealthy and can be sustained over a long period of time -- and most users don't even know their machine's processor is being used to line someone else's pockets. Ransomware takes the opposite approach: pay up, or risk having your files permanently locked, with the WannaCry and NotPetya ransomware attacks causing destruction around the world. But while cryptojacking and ransomware continue to be widespread threats, other attackers have continued to quietly deploy a potentially much more damaging threat: trojan malware.
The Emotet malware gang is probably managing their server infrastructure better than most companies are running their internal or external IT systems. A report published last week by Trend Micro reveals that the Emotet crew has intentionally designed its server backbone infrastructure as two separate clusters. Researchers reached this conclusion after they analyzed 571 Emotet malware samples, from which they extracted the IP addresses of 721 Emotet command-and-control (C&C) servers, as well as six RSA encryption keys that the malware had used to encrypt the communications between infected computers and its C&C servers. When researchers visualized the relationship between each RSA key and its set of C&C servers, the results were pretty surprising: the Emotet infrastructure was depicted as two separate clusters that didn't communicate with each other. This was out of the ordinary, as most malware infrastructures tend to be one giant blob of interconnected servers.
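The clustering described above is a graph problem: each RSA key extracted from a sample is a node, each C&C address is a node, and a sample that carries key K and beacons to address A adds an edge K-A. The connected components of that bipartite graph are the infrastructure clusters. The following is an added example of that analysis, not Trend Micro's or ZDNet's code; the sample records, key fingerprints and IP addresses are constructed placeholders (RFC 1918 and documentation ranges), not real Emotet indicators.

```python
"""Cluster C&C infrastructure by the RSA key each malware sample embeds.

Added illustration (not code from the report or the article). The SAMPLES
table below is constructed: key fingerprints and IPs are placeholders.
"""
from collections import defaultdict

# Constructed sample records: (sample_id, rsa_key_fingerprint, [c2_ips]).
# Two groups of keys never share a C&C address, mirroring the two-cluster
# layout described in the text.
SAMPLES = [
    ("s001", "KEY-A", ["10.0.0.1", "10.0.0.2"]),
    ("s002", "KEY-A", ["10.0.0.2", "10.0.0.3"]),
    ("s003", "KEY-B", ["10.0.0.3", "10.0.0.4"]),
    ("s004", "KEY-C", ["192.0.2.10", "192.0.2.11"]),
    ("s005", "KEY-D", ["192.0.2.11", "192.0.2.12"]),
    ("s006", "KEY-A", ["10.0.0.1"]),
]


class UnionFind:
    """Disjoint-set forest with path halving; nodes are created on first use."""

    def __init__(self):
        self.parent = {}

    def find(self, node):
        self.parent.setdefault(node, node)
        while self.parent[node] != node:
            self.parent[node] = self.parent[self.parent[node]]
            node = self.parent[node]
        return node

    def union(self, a, b):
        root_a, root_b = self.find(a), self.find(b)
        if root_a != root_b:
            self.parent[root_a] = root_b


def cluster_infrastructure(samples):
    """Return infrastructure clusters as a list of {'keys': [...], 'c2': [...]}.

    Every sample joins its RSA key node to each C&C node it contacts. Two keys
    end up in the same cluster only if some chain of shared C&C addresses links
    them. Clusters are sorted by size (largest first) so output is stable.
    """
    uf = UnionFind()
    for _sample_id, key, ips in samples:
        key_node = "key:" + key
        uf.find(key_node)  # register the key even if the sample has no C&C list
        for ip in ips:
            uf.union(key_node, "c2:" + ip)

    groups = defaultdict(lambda: {"keys": set(), "c2": set()})
    for node in list(uf.parent):
        root = uf.find(node)
        kind, value = node.split(":", 1)
        groups[root]["keys" if kind == "key" else "c2"].add(value)

    clusters = [{"keys": sorted(g["keys"]), "c2": sorted(g["c2"])}
                for g in groups.values()]
    clusters.sort(key=lambda c: (-len(c["c2"]), c["keys"]))
    return clusters


def cluster_summary(clusters):
    """Compact view for a report: (number of keys, number of C&C addresses)."""
    return [(len(c["keys"]), len(c["c2"])) for c in clusters]


if __name__ == "__main__":
    for i, cluster in enumerate(cluster_infrastructure(SAMPLES), 1):
        print(f"cluster {i}: keys={cluster['keys']} c2={cluster['c2']}")
```

With real samples the same function takes whatever key/C&C pairs a sandbox or static extractor produces; a single shared address between the two groups would merge them into one component, which is exactly the check that told the researchers the two clusters were genuinely disjoint.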
Trojan malware attacks against business targets have rocketed in the last year, as cyber criminals alter their tactics away from short-term gain and in-your-face ransomware attacks towards more subtle, long-term campaigns with the aim of stealing information including banking information, personal data and even intellectual property. Figures from security company Malwarebytes Labs in a new report suggest that trojan and backdoor attacks have risen to become the most detected against businesses -- and the number of trojan attacks has more than doubled in the last year, increasing by 132 percent between 2017 and 2018, with backdoors up by 173 percent. Malwarebytes classifies trojans and backdoors separately, describing a trojan as a program "that claim to perform one function but actually do another". Meanwhile, a backdoor is defined as "a type of trojan that allows a threat actor access to a system by bypassing its security" and gaining access to systems undetected. Attacks using spyware -- malware that gathers information on a device and sends it to a third-party actor -- have also jumped hugely, up by 142 percent in the same period. "When you say spyware, people think of how it's been around for a decade or more and it's old and boring -- but it's really effective and it's really come back into fashion with the rise in attacks on businesses and a thirst for data exfiltration," Chris Boyd, lead malware intelligence analyst at Malwarebytes, told ZDNet.