One of the most infamous botnets ever is back.
In this blog post, we outline its current attack methods and the key questions organisations should ask to protect themselves.
New Emotet activity identified
Not long ago, Emotet was one of the world’s most challenging and prolific botnets, having infected hundreds of thousands of devices since 2014. After its initial use as a banking Trojan, it was then used to deliver dangerous payloads. A global operation led to its disruption at the start of this year. However, as stated on this blog at the time, Emotet’s return could not be ruled out.
As of the 15th November, Emotet is now establishing itself again by being dropped by active TrickBot infection. The new Emotet botnet (dubbed Epoch4 & Epoch5) has commenced spamming, including stealing emails for reply-chain attacks.
Emotet’s attack method does not appear to have changed significantly. The minimal changes observed by researchers to date are just small alterations in the command and control (C2) protocol from RC4 to base64 and XOR encoding. The number of commands has changed from four to seven, according to Cryptolaemus.
There were dozens of new infections in the first 24 hours alone. At Redscan, we are currently tracking over 50 active C2 servers. If the botnet can resume large number of spam campaigns and reply-chain attacks it will certainly infect more organisations and individuals. Emotet is an ideal initial access vector for ransomware groups.
Key questions to help respond to Emotet
IT managers and cyber security teams should define their response to the return of Emotet by asking:
- Are detections in place for Emotet-style document attacks?
- Do we have adequate detection technology to detect and respond to an attack where a threat actor moves laterally from an infected endpoint?
- Is there adequate inline spam/email protection in place – and what if an infected email arrived via an infected third party?
- Have our staff been trained to identify Emotet-style spam emails and are they aware that ‘Enable Macros’ on an untrusted document can lead to an infection?
- Do we need to enable macros for Word documents from external sources? Could this be blocked at the group policy level?
This article will be updated when more information comes to light. If you have any questions on how to protect your business, please don’t hesitate to get in touch.