HOW TO BLOCK AND REMOVE EMOTET
Emotet is one of the most prolific malware families of the past six years. It started in 2014 as a banking trojan aimed specifically at Germany, Austria and Switzerland, and has since grown into a complex, modular loader and botnet that drops other malware. It is expected to keep growing in the near future.
Given that, let's look at how you can block Emotet, detect it and, in the worst case, remove an infection.
HOW TO BLOCK / PREVENT / DETECT EMOTET
The main infection vector of Emotet is still email phishing, so the first place to look is inbound email. Ensure you have anti-malware scanning inbound mail, such as Office 365 ATP or Mimecast. Do not rely on this alone, however: Emotet frequently evades scanning because its documents and payloads are polymorphic and change between campaigns.
Also consider blocking any file types that your email gateway cannot scan.
Follow email authentication best practices such as SPF, DKIM and DMARC. Note, however, that Emotet is often sent from legitimate mailboxes that have been compromised (it steals address books and replies into existing threads), so authentication checks pass and these controls will not stop it.
It is also worth ensuring that antivirus is deployed across your network. This may seem obvious, but it is another important layer for detecting and blocking Emotet. AV will not always catch Emotet itself, but the more layers of defence we have, the more likely we are to spot or block it. There are lots of good free antivirus products out there; if you aren't sure which one to use, get in touch: https://blueteamblog.com/contact-me.
It is important to keep all software and devices on your network patched. Many breaches and security incidents are caused by out-of-date, vulnerable systems. This matters in the context of Emotet and the malware it drops: many threat actors use the EternalBlue exploit (MS17-010, an SMBv1 vulnerability) to move laterally and enumerate resources. Check here https://support.microsoft.com/en-gb/help/4023262/how-to-verify-that-ms17-010-is-installed to verify you are patched against this common exploit.
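As an added example (not from the original post), the following PowerShell reports a host's exposure to MS17-010/EternalBlue. The patch replaces srv.sys, so the script prints that driver's file version for comparison against the per-OS table in the Microsoft KB linked above, and it reports whether SMBv1, the only protocol version EternalBlue targets, is still enabled. It also contains a function to turn SMBv1 off once you have confirmed nothing legacy depends on it. Run it elevated; the `Get-WindowsOptionalFeature` check only exists on Windows 10 / Server 2016 and later.

```powershell
# Added example: check MS17-010 exposure and SMBv1 state on the local machine.
function Get-Ms17010Exposure {
    [CmdletBinding()]
    param()

    # MS17-010 ships an updated srv.sys; compare FileVersion with the KB4023262 table.
    $srv = Join-Path $env:SystemRoot 'System32\drivers\srv.sys'
    $srvVersion = if (Test-Path $srv) {
        (Get-Item $srv).VersionInfo.FileVersion
    } else {
        'srv.sys not present (SMBv1 server driver not installed)'
    }

    # Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later.
    $smb1Enabled = $null
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }

    # On Windows 10 / Server 2016+ SMBv1 is an optional feature that can be removed entirely.
    $smb1Feature = $null
    if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        $f = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
        if ($f) { $smb1Feature = $f.State }
    }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        OSVersion     = [System.Environment]::OSVersion.Version.ToString()
        SrvSysVersion = $srvVersion
        SMB1Enabled   = $smb1Enabled
        SMB1Feature   = $smb1Feature
    }
}

# Only run this after confirming no legacy device (old NAS, printer, scanner) still needs SMBv1.
function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

Get-Ms17010Exposure | Format-List
# Disable-Smb1   # uncomment once the exposure report has been reviewed
```

If `SMB1Enabled` is `False` and the feature is `Disabled`, EternalBlue has nothing to talk to regardless of the srv.sys version; if SMBv1 must stay on, the srv.sys version is what has to match the KB table.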
USER TRAINING / AWARENESS
If a phishing email gets past email scanning, it is essential that users are trained to spot it: it still takes a user opening a document or clicking a link for Emotet to infect an asset. Users should be able to recognise when the sender, content or URLs within an email look abnormal. You should also give users a way to report malicious emails and tell them how to remove them safely.
To make this even easier for users, mark external emails clearly as EXTERNAL and get users to check them thoroughly.
DISABLE ADMIN SHARES
Emotet commonly spreads within a network by brute-forcing credentials over SMB and writing itself to administrative shares (C$, ADMIN$). To stop Emotet spreading once it is on a network, disable the automatic administrative shares on all servers and clients by applying the .reg referenced here, then reboot them. Test this first: some remote administration, software deployment and backup tools rely on ADMIN$ and will stop working.
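The .reg file itself is not reproduced on this page, so here is an added PowerShell equivalent (not the original post's file) that writes the two registry values controlling automatic administrative shares, removes the current shares without waiting for a reboot, and verifies the result. `AutoShareServer` is read on Server SKUs and `AutoShareWks` on workstations; setting both to 0 is harmless. IPC$ is deliberately left alone because authentication needs it and it cannot be disabled this way. Run elevated.

```powershell
# Added example: disable automatic administrative shares (C$, D$, ADMIN$) and verify.
$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Disable-AdminShares {
    # Stop the Server service recreating the shares at boot.
    foreach ($name in 'AutoShareServer', 'AutoShareWks') {
        New-ItemProperty -Path $LanmanParams -Name $name -PropertyType DWord -Value 0 -Force | Out-Null
    }
    # Remove the shares that exist right now. 'Special' marks the automatic shares;
    # IPC$ is kept because it is required for authentication.
    Get-SmbShare | Where-Object { $_.Special -and $_.Name -ne 'IPC$' } |
        ForEach-Object { Remove-SmbShare -Name $_.Name -Force }
}

function Test-AdminSharesDisabled {
    # $true when both registry values are 0 and no drive/ADMIN$ share remains.
    $reg = Get-ItemProperty -Path $LanmanParams
    $regOk = ($reg.AutoShareServer -eq 0) -and ($reg.AutoShareWks -eq 0)
    $remaining = Get-SmbShare | Where-Object { $_.Special -and $_.Name -ne 'IPC$' }
    return ($regOk -and -not $remaining)
}

Disable-AdminShares
Test-AdminSharesDisabled   # expect True
```

Push the same two values through a GPO registry preference if you want this on every host; the script is the per-machine form and is also handy for checking that the GPO actually applied.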
BLOCK OFFICE MACROS
One common tactic Emotet and other malicious software use is tricking users into enabling macros in Office documents.
To stop this, we can use Group Policy (the Office ADMX templates must be installed). Go to User Configuration, Administrative Templates, Microsoft Word, Word Options, Security, Trust Center and enable "Block macros from running in Office files from the Internet". If your users do not need macros at all, the stricter setting in the same place is "VBA Macro Notification Settings" set to "Disable all without notification". Repeat for Excel and PowerPoint, which have the same settings. This stops macros running on machines the GPO is applied to.
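As an added example (not from the original post), this PowerShell audits what the GPO above should have written for the current user, so you can confirm the policy actually landed on a workstation. It reads the Office policy keys under HKCU\Software\Policies for Word, Excel and PowerPoint. The Office version in the path (16.0 for Office 2016/2019/365) is an assumption you may need to change.

```powershell
# Added example: report the effective Office macro policy for the current user.
#
#   VBAWarnings                        4 = disable all macros without notification
#                                      3 = disable all except digitally signed
#                                      2 = disable with notification (Office default)
#                                      1 = enable all (unsafe)
#   blockcontentexecutionfrominternet  1 = block macros in files carrying Mark-of-the-Web
function Get-OfficeMacroPolicy {
    param([string]$OfficeVersion = '16.0')   # assumed: Office 2016/2019/365

    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $vba = $null
        $motw = $null
        if (Test-Path $key) {
            $p = Get-ItemProperty -Path $key
            $vba = $p.VBAWarnings
            $motw = $p.blockcontentexecutionfrominternet
        }
        [pscustomobject]@{
            Application        = $app
            VBAWarnings        = $vba
            BlockInternetMacro = $motw
            # Acceptable: Internet-sourced macros blocked, or macros disabled / signed-only.
            Hardened           = ($motw -eq 1) -or ($vba -in 3, 4)
        }
    }
}

Get-OfficeMacroPolicy | Format-Table -AutoSize
```

A row with both values empty means no policy reached that application, which is the usual symptom of the ADMX templates not being loaded or the GPO being linked to the wrong OU.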
BLOCK SMB PORTS
Next, look at limiting inbound SMB (TCP 445) connections in your environment. Emotet and the malware it drops use SMB once on a network to spread between hosts.
Use Group Policy Objects or whatever host firewall / HIPS you have deployed to do this. At a minimum, workstations should only allow SMB connections they initiate themselves (outbound to file servers), not inbound connections from other workstations. If you can, block all inbound SMB on workstations and allow only the specific management hosts that need it.
BLOCK NETBIOS PORTS
NetBIOS is also still used regularly by threat actors and is worth blocking while we are doing this. Follow the steps above, but this time block UDP 137 (name service), UDP 138 (datagram) and TCP 139 (session). If any legacy or custom applications still use these ports, exceptions can be scoped to the hosts that need them.
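As an added example covering both the SMB and NetBIOS sections (not code from the original post), here is a host-firewall configuration for a workstation. Windows Firewall applies Block rules ahead of Allow rules, so a blanket Block on 445 would also defeat any exception; instead the script relies on the default inbound action being Block, disables the built-in "File and Printer Sharing" allow group (which opens 445 and the NetBIOS ports to the subnet), and adds a scoped Allow for 445 from management hosts only. NetBIOS gets explicit Block rules, which will hold even if another rule later opens those ports. `$AllowFrom` and the group name are assumptions; do not apply this to file servers or domain controllers. Run elevated.

```powershell
# Added example: restrict inbound SMB to named hosts and block inbound NetBIOS on a workstation.
function Restrict-InboundSmbAndNetbios {
    param(
        [string[]]$AllowFrom = @(),              # assumed: management / deployment hosts needing inbound SMB
        [string]$Group = 'Emotet hardening'      # assumed rule group, so the rules can be reviewed together
    )

    # 1. Unsolicited inbound traffic is dropped unless a rule allows it.
    Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

    # 2. Disable the built-in rules that open SMB-In and NetBIOS-In to the whole subnet.
    Disable-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue

    # 3. Start clean, then re-open TCP 445 only from the hosts that genuinely need it.
    #    Outbound is untouched, so the workstation can still reach file servers.
    Remove-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue
    if ($AllowFrom.Count -gt 0) {
        New-NetFirewallRule -DisplayName 'Allow inbound SMB from management hosts' -Group $Group `
            -Direction Inbound -Action Allow -Protocol TCP -LocalPort 445 `
            -RemoteAddress $AllowFrom | Out-Null
    }

    # 4. Explicit Block rules for NetBIOS. Block beats Allow in Windows Firewall, so these
    #    hold even if some other rule opens the ports later.
    $netbios = @(
        @{ Name = 'Block inbound NetBIOS name service (UDP 137)'; Protocol = 'UDP'; Port = 137 },
        @{ Name = 'Block inbound NetBIOS datagram (UDP 138)';     Protocol = 'UDP'; Port = 138 },
        @{ Name = 'Block inbound NetBIOS session (TCP 139)';      Protocol = 'TCP'; Port = 139 }
    )
    foreach ($r in $netbios) {
        New-NetFirewallRule -DisplayName $r.Name -Group $Group -Direction Inbound `
            -Action Block -Protocol $r.Protocol -LocalPort $r.Port | Out-Null
    }
}

function Get-EmotetHardeningRules {
    param([string]$Group = 'Emotet hardening')
    Get-NetFirewallRule -Group $Group |
        Select-Object DisplayName, Direction, Action, Enabled
}

Restrict-InboundSmbAndNetbios -AllowFrom '10.0.0.10', '10.0.0.11'   # assumed management hosts
Get-EmotetHardeningRules | Format-Table -AutoSize
```

If a legacy application really needs NetBIOS, give it the same treatment as 445: drop the Block rule for that port and add an Allow scoped to the specific remote addresses, rather than re-enabling the whole File and Printer Sharing group.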
BLOCK / DETECT EMOTET IOCs
It is worth blocking Emotet IOCs (indicators of compromise) and detecting any attempts to connect to or use them. These include IPs, URLs and file hashes. You can get them from the following sites:
- IPs of Emotet Epochs 1, 2 and 3 – https://paste.cryptolaemus.com/
- IPs of Dridex, Emotet and Trickbot C2’s – https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt
- Hashes of Dridex and Emotet – https://feodotracker.abuse.ch/downloads/malware_hashes.csv
- Emotet URLs – https://urlhaus.abuse.ch/browse/tag/emotet/
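As an added example (not from the original post), the following PowerShell consumes an IP blocklist in the format used by the Feodo Tracker recommended list (one IPv4 address per line, `#` comment lines), checks the machine's current outbound TCP connections against it with the owning process, and can turn the list into an outbound Block rule. `$SampleFeed` is a constructed stand-in using RFC 5737 documentation addresses so the script runs offline; the commented `Invoke-WebRequest` line is how you would pull the live feed from the URL above. The rule name is an assumption.

```powershell
# Added example: load a C2 IP blocklist, hunt for live connections to it, optionally block it.

# CONSTRUCTED SAMPLE in the Feodo Tracker text format; these are documentation IPs, not real C2s.
$SampleFeed = @'
################################################################
# Feodo Tracker-style recommended IP blocklist (CONSTRUCTED SAMPLE)
# Last updated: 2020-01-01 00:00:00 UTC
################################################################
192.0.2.45
198.51.100.23
203.0.113.7
'@

function ConvertFrom-IpBlocklist {
    param([Parameter(Mandatory)][string]$Text)
    $ips = foreach ($line in $Text -split "`r?`n") {
        $l = $line.Trim()
        if (-not $l -or $l.StartsWith('#')) { continue }      # skip blanks and comments
        $addr = $null
        if ([System.Net.IPAddress]::TryParse($l, [ref]$addr)) { $addr.IPAddressToString }
    }
    @($ips | Sort-Object -Unique)
}

function Find-BlocklistedConnections {
    param([Parameter(Mandatory)][string[]]$BlockedIps)
    $set = New-Object 'System.Collections.Generic.HashSet[string]' -ArgumentList (,[string[]]$BlockedIps)
    Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { $set.Contains($_.RemoteAddress) } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
                State         = $_.State
                PID           = $_.OwningProcess
                Process       = $proc.ProcessName
                Path          = $proc.Path       # Emotet usually runs from %LOCALAPPDATA% or %TEMP%, not Program Files
            }
        }
}

function New-C2BlockRule {
    param(
        [Parameter(Mandatory)][string[]]$BlockedIps,
        [string]$Name = 'Emotet C2 blocklist (outbound)'   # assumed rule name
    )
    # Replace rather than append, so re-running with a fresh feed updates the rule.
    Remove-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue
    New-NetFirewallRule -DisplayName $Name -Direction Outbound -Action Block `
        -RemoteAddress $BlockedIps -Profile Any
}

# Live use: $SampleFeed = (Invoke-WebRequest -UseBasicParsing 'https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt').Content
$c2 = ConvertFrom-IpBlocklist -Text $SampleFeed
"$($c2.Count) C2 addresses loaded"
Find-BlocklistedConnections -BlockedIps $c2 | Format-Table -AutoSize
# New-C2BlockRule -BlockedIps $c2    # run elevated to enforce at the host firewall
```

Any hit from `Find-BlocklistedConnections` is an isolate-now signal, and the owning process path is the first artefact to hand to whoever does the forensics. Feeds of this kind change daily, so schedule the fetch and rule refresh rather than running it once.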
HOW TO REMEDIATE / REMOVE EMOTET
If you do end up with an Emotet infection on your network, it is important that you handle the incident response correctly.
- Isolate any devices you believe may be infected straight away. The longer the device stays on a network, the more likely it is to infect others.
- If you have any indication that the infection is moving throughout a VLAN or the wider network, shut down the network as much as possible to prevent further spread. The reason for this is Emotet commonly drops other malware such as Trickbot and Ryuk to name a few. These can cause much further damage and we want to limit this.
- Any users who have recently accessed the devices should have their passwords changed. Any shared accounts on these assets should also have the same performed.
- You can now check whether the devices are infected using https://github.com/JPCERTCC/EmoCheck/releases. This tool from JPCERT/CC (the Japanese CERT) detects Emotet infections on a host. It is also worth scanning possibly infected devices at this point with any other AV software available to you.
- You now need to clean any infected devices properly. Many companies have their own process for this; if not, follow the one below.
CLEANING THE EMOTET INFECTION
- Using a clean computer, download your antivirus installer and up-to-date definitions onto a USB drive. While doing this, also download EmoCheck as above and Malwarebytes https://www.malwarebytes.com/mwb-download/
- Go to your infected machine(s) and start them in Safe Mode without networking. Disable all non-essential startup programs and services so the malware is not relaunched.
- Insert the USB drive and install the antivirus program. Copy the up-to-date definitions from the USB into the installation (how this is done differs between AV products).
- Run a scan with all options selected to clear the infection.
- Once this is done, run EmoCheck, then install and run Malwarebytes. This checks that the AV removed the infection completely and may detect other issues.
- Some companies at this point may reimage the devices. I would personally recommend this, however this is up to you and will depend on the device.
- The devices can now be added back to the network. I would recommend placing any affected devices on a separate VLAN for a month to monitor them for malicious or anomalous behaviour.
FORENSICS AND MONITORING
- While this is being done, if possible another team should check what traffic was initiated from the devices and user accounts during the time of the breach. Check the Outlook and Exchange logs (sent items, message tracking) for affected users to see whether any mails were sent or address books harvested, as Emotet uses both to spread. Also look for base64-encoded data leaving the machines, which can indicate exfiltration. All logs from affected users and devices should be scrutinised.
- Put any affected devices and users under enhanced monitoring in your SIEM for an extended period to ensure no further spread occurs.
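As an added example (not from the original post), this PowerShell lists every account that logged on to a suspected-infected host during the incident window, using Security event 4624. It serves two of the steps above: the distinct account list is the password-reset scope (users and shared accounts that touched the device), and the source IP / workstation column gives the forensics team the hosts to pivot to. Fields are read from the event XML by name rather than by position so the parsing survives differences between Windows versions. The window (last 7 days) and the logon types kept are assumptions; run elevated, or point `-ComputerName` at the host.

```powershell
# Added example: enumerate logons on a host during an incident window from Security event 4624.
function Get-IncidentLogons {
    param(
        [Parameter(Mandatory)][datetime]$Start,
        [datetime]$End = (Get-Date),
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # Logon types of interest: 2 interactive, 3 network (SMB / admin shares, Emotet's
    # spreading path), 10 RemoteInteractive (RDP). Service (5) and batch (4) logons are noise here.
    $interesting = 2, 3, 10

    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; Id = 4624; StartTime = $Start; EndTime = $End
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Build a name -> value map from the EventData section of the event XML.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.InnerText }

        if ([int]$data.LogonType -notin $interesting) { continue }
        # Drop machine accounts (trailing $) and well-known noise.
        if ($data.TargetUserName -like '*$' -or $data.TargetUserName -in 'ANONYMOUS LOGON', 'SYSTEM') { continue }

        [pscustomobject]@{
            Time        = $e.TimeCreated
            Account     = "$($data.TargetDomainName)\$($data.TargetUserName)"
            LogonType   = $data.LogonType
            SourceIp    = $data.IpAddress
            Workstation = $data.WorkstationName
            Process     = $data.ProcessName
        }
    }
}

$logons = Get-IncidentLogons -Start (Get-Date).AddDays(-7)   # assumed incident window

# Distinct accounts: this is the password-reset list.
$logons | Select-Object -ExpandProperty Account -Unique

# Full timeline with source hosts, for the forensics team.
$logons | Sort-Object Time | Format-Table -AutoSize
```

Type 3 logons from other workstations (rather than from servers) are the ones to chase first: on a flat network they are exactly what Emotet's SMB spreading looks like from the receiving side. Pull the same report from each source host that appears, and reset every account on the combined list, forcing a change at next logon for users and rotating any shared or service credentials by hand.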