The omnipresent threat of spam and phishing mails takes on a new dimension. “Emotet” combines the spam-distribution method of spear-phishing with methods of social engineering and with dangerous malware (Advanced Persistent Threats, APT).
After a target system is infected, Emotet is able to read the victim’s Outlook address book and distribute itself via Spear-Phishing. Recently, it also reads the victim’s emails (Outlook harvesting) and uses the content to generate authentic-looking Spear-Phishing emails (social engineering). It then sends itself to the saved contacts on behalf of the victim via the victim’s real e-mail address.
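The mails described above look authentic because they are built from stolen conversations, so a defender has to look at indicators other than content. The following script is an added example (not part of the original advisory and not tied to any specific Emotet sample); it applies three heuristics that are assumptions chosen for illustration: a subject that looks like a reply but carries no threading headers, a sender display name that contains an address different from the real one, and a macro-capable Office attachment. The sample messages are constructed inline.

```python
"""Heuristic triage of inbound mail headers for Emotet-style thread hijacking.

Added example; the indicators are assumptions for illustration, not a
signature for any specific campaign. Use as a first-pass filter for a
mail gateway or for hunting through a mailbox export.
"""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# File types that can carry VBA macros (assumed list for this example).
MACRO_EXTENSIONS = (".doc", ".docm", ".xls", ".xlsm", ".dot", ".dotm")
# English and German reply/forward prefixes.
REPLY_PREFIXES = ("re:", "aw:", "fw:", "wg:")


def _is_reply_subject(subject: str) -> bool:
    return subject.strip().lower().startswith(REPLY_PREFIXES)


def _display_name_mismatch(msg) -> bool:
    """True when the display name is itself an address that differs from the real one."""
    name, addr = parseaddr(msg.get("From", ""))
    return "@" in name and name.strip().lower() != addr.lower()


def _has_macro_attachment(msg) -> bool:
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if fname.endswith(MACRO_EXTENSIONS):
            return True
    return False


def triage(raw: bytes) -> list:
    """Return the list of indicator names that fire for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    subject = msg.get("Subject", "")
    # A genuine reply produced by a mail client carries In-Reply-To/References;
    # a freshly generated mail that only reuses an old subject usually does not.
    if _is_reply_subject(subject) and not (msg.get("In-Reply-To") or msg.get("References")):
        findings.append("reply-subject-without-thread-headers")
    if _display_name_mismatch(msg):
        findings.append("from-display-name-mismatch")
    if _has_macro_attachment(msg):
        findings.append("macro-capable-attachment")
    return findings


def build_suspicious_sample() -> bytes:
    """Constructed sample: forged 'reply' with a lookalike display name and a .doc."""
    msg = EmailMessage()
    msg["From"] = '"alice@example.org" <alice@mail-example.test>'
    msg["To"] = "bob@example.org"
    msg["Subject"] = "AW: Rechnung Februar"
    msg.set_content("Hi Bob, see the attached document as discussed.")
    msg.add_attachment(b"not-a-real-document", maintype="application",
                       subtype="msword", filename="Rechnung.doc")
    return msg.as_bytes()


def build_clean_reply() -> bytes:
    """Constructed sample: an ordinary reply with proper threading headers."""
    msg = EmailMessage()
    msg["From"] = "Alice <alice@example.org>"
    msg["To"] = "bob@example.org"
    msg["Subject"] = "Re: Rechnung Februar"
    msg["In-Reply-To"] = "<original-message-id@example.org>"
    msg["References"] = "<original-message-id@example.org>"
    msg.set_content("Thanks, received.")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, raw in (("suspicious", build_suspicious_sample()),
                       ("clean", build_clean_reply())):
        print(label, triage(raw))
```

None of these indicators alone proves an infection; the point is that a mail which matches two or three of them is worth holding for review even when its text reads like a normal continuation of an existing conversation.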
In addition, Emotet is able to load further malware according to the attacker’s needs and intentions, thereby constantly changing itself. So far, the banking trojans “Trickbot” and “Quakbot” in particular have been observed, though not exclusively. These can spread independently from an infected computer as a “worm” within the infected network, even without any further sending of spam mails.
Due to constant modifications, the malware is usually not detected at first by common virus protection programs and makes far-reaching changes to infected systems.
A single infected computer can thus infect and paralyze the entire network of an organization. Several such incidents have already become publicly known, for example the University of Gießen. This is especially dangerous for environments that use centralized Windows systems.
Infected systems must therefore be immediately disconnected from the network by pulling the network plug and must always be regarded as completely compromised. They must therefore be completely rebuilt. Never log on to an infected computer as administrator, as the worm can then spread further with your administrator rights.
The German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) asks for reports of all incidents and recommends that you file a criminal complaint with the police. Please do not do this yourself, but inform us via mailto:firstname.lastname@example.org or via the IT Service Desk.
- Background article in the c’t: https://www.heise.de/ct/artikel/Was-Emotet-anrichtet-und-welche-Lehren-die-Opfer-daraus-ziehen-4665958.html
- further information from DFN-CERT with hints and tips: https://www.dfn-cert.de/aktuell/emotet-beschreibung.html
With the help of a small program called “EmoCheck” from the Japan CERT (JPCERT/CC), you can in some cases determine whether a computer is infected. More details can be found at Heise:
A found infection is to be taken seriously in any case, but the tool cannot detect all variants – so a negative result is not an all-clear.
What should I do if IT systems in my organization are already infected?
- Potentially infected systems should be isolated from the network immediately to prevent further spread of the malware in the network by lateral movement. To do this, pull the network cable (LAN). Do not shut down or switch off the device, in particular do not pull the power cord (electricity). If necessary, create a forensic backup including a memory image for later analysis (by service providers or law enforcement agencies).
- Under no circumstances should a logon with privileged user accounts be performed on a potentially infected system while it is still on the productive network.
- The downloaded malware is often not detected by AV software (in the first few hours after spreading). The malicious programs sometimes make far-reaching (security-relevant) changes to the infected system that cannot be easily reversed. The BSI therefore generally recommends that infected systems be regarded as completely compromised and reinstalled.
- All access data stored on affected systems (for example in the web browser) or entered after infection should be considered compromised and passwords should be changed.
- Crisis communication should not run via compromised internal e-mail, but via external addresses (if possible encrypted, e.g. using PGP). Otherwise attackers can directly see that they have been discovered.
- Report the incident – anonymously if necessary – to the BSI. This information is essential for a clear picture of the IT situation and for the BSI to be able to issue early warnings to those potentially affected later. Do not do this yourself, but inform us via the IT service desk or at mailto:email@example.com!
- Press criminal charges. To do so, contact the Central Cybercrime Contact Point (Zentrale Ansprechstelle für Cybercrime, ZAC) in your state. Do not do this yourself, but inform us via the IT service desk or at mailto:firstname.lastname@example.org!
- Employee communication must be considered. On the one hand, employees need to be informed about the reasons for the “standstill” and about whether they may be personally affected, if private use of the workplace is allowed and private passwords and account data were used there (and have probably been exfiltrated). On the other hand, they need to be made aware of the restart and the information it requires.
- Proactively inform business partners/customers about the incident, pointing out possible future attack attempts via e-mail with sender addresses of the affected organization. Sharing is caring!