
Detecting Emotet Trojan Malware

Emotet Trojan Malware threat

A bank-targeting malware threat called Emotet has been affecting organizations around the world for the past four years. More recently, the Emotet trojan has been used as the carrier of a family of trojans which collect everything from banking and email credentials and browser information (e.g. history and saved passwords) to Outlook email addresses (potentially to send phishing emails from that account later) and network credentials.

Emotet’s method of self-propagation—brute forcing passwords—has additional potential to cause major headaches for organizations as it may result in multiple failed login attempts, which can lead to users becoming locked out of their network accounts.

The data collected from infected machines is then sent back to a central server and the threat moves quickly to infect other machines on the network.

The initial infection typically comes from an email which purports to be from a legitimate organization, e.g. PayPal, and has a subject related to invoices or shipping details. Once that first email is opened, the spread of the trojan does not require any user interaction. Emotet also uses a number of strategies to remain undetected, so the threat can be difficult to catch before real damage is done.

Emotet can also spread to additional computers using a spam module that it installs on infected victim machines. This module generates emails that use standard social engineering techniques and typically contain subject lines including words such as “Invoice”. Some subject lines include the name of the person whose email account has been compromised, to make it seem less like a spam email. The emails typically contain a malicious link or attachment which, if launched, will result in the recipient's machine becoming infected with the malware.

Detecting Emotet With LANGuardian

You can look for instances of Emotet on your network if you monitor network traffic using a SPAN, mirror port, or TAP. Our own LANGuardian product uses this data source and receives regular IDS ruleset updates from multiple threat intelligence providers. These rulesets include Emotet signatures, which monitor your incoming traffic for known Emotet characteristics.

You can view these signatures by clicking Settings > Alert List > Add New Marked Signature. Here you can search by signature ID or name, priority or ruleset, as seen below:

Emotet IDS Ruleset

To be notified of a possible Emotet trojan threat, click on ‘mark’ so that alerts are sent to you by email or to a Syslog collector, as seen below:

Alert on Emotet activity

It’s also possible to create a report specifically for Emotet threats, to be displayed on your dashboards.

To do this, run an All Events :: Events by Signature name report: choose your time frame, type ‘emotet’ into the Signature name field, apply any other relevant filters and click Run Report.

  • To save the report after it has run, click on Actions > Save As and give your new custom report a name e.g. Emotet Threats and Save.
  • To find this new report, go to All Reports and you will find it under My Reports.

You can also generate alerts by clicking on the signature and setting it to send SMTP emails and/or SYSLOG events.

Watch out for any new sources of email on your network. Malware like Emotet can use its own email engine to send malware-infected emails. Check the sources of email on your network using the report E-mail :: Emails by source.
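The same "new source of email" check can be run over any flow export, as in this added example (not NetFort's code and not LANGuardian output). It assumes a four-column CSV of timestamp, source IP, destination IP and destination port, an internal range of 10.0.0.0/8, and constructed sample records; the function names are hypothetical.

```python
import csv
import io
import ipaddress
from collections import defaultdict

SMTP_PORTS = {25, 465, 587}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumption: your internal range

# Constructed flow records: timestamp, source IP, destination IP, destination port.
BASELINE_FLOWS = """\
2019-03-01T09:00:01,10.0.0.25,203.0.113.10,25
2019-03-01T09:02:13,10.0.0.25,198.51.100.7,587
2019-03-01T09:05:40,10.0.5.44,198.51.100.80,443
"""
CURRENT_FLOWS = """\
2019-03-08T10:00:02,10.0.0.25,203.0.113.10,25
2019-03-08T10:01:10,10.0.7.12,10.0.0.25,587
2019-03-08T10:03:31,10.0.5.44,198.51.100.20,25
2019-03-08T10:03:32,10.0.5.44,203.0.113.77,25
2019-03-08T10:03:35,10.0.5.44,192.0.2.9,465
"""

def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL

def smtp_sources(flow_csv):
    """Map each internal host to the external servers it contacted on an SMTP port."""
    sources = defaultdict(set)
    for row in csv.reader(io.StringIO(flow_csv)):
        if len(row) != 4:
            continue  # skip blank or malformed lines
        _, src, dst, port = row
        if int(port) in SMTP_PORTS and is_internal(src) and not is_internal(dst):
            sources[src].add(dst)
    return sources

def new_mail_sources(baseline_csv, current_csv, approved=()):
    """Hosts sending mail externally now that did not in the baseline and are not approved."""
    known = set(smtp_sources(baseline_csv)) | set(approved)
    current = smtp_sources(current_csv)
    return {src: sorted(dsts) for src, dsts in current.items() if src not in known}

if __name__ == "__main__":
    for host, servers in new_mail_sources(BASELINE_FLOWS, CURRENT_FLOWS).items():
        print(f"new mail source {host} -> {', '.join(servers)}")
```

A workstation that submits mail to the internal relay (10.0.7.12 in the sample) is not flagged; only hosts that start talking SMTP directly to external servers are.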

Aside from this, ensure your machines are patched and that users are aware of social engineering tactics so they do not open unsolicited emails. If the network is infected, do not log in to an infected machine with administrator credentials, which can make the threat spread faster!