Emotet is most commonly spread via malicious emails containing Microsoft Office attachments, usually Microsoft Word (.doc, .docx) documents. There have also been reports of PDF attachments containing Emotet.
These attached files contain macros that download and install the Emotet malware when opened. Emotet can also be spread via embedded URLs in malicious emails. The ACSC has received reports of Emotet being spread through both untargeted bulk spam emails, as well as what appear to be highly targeted spear-phishing emails.
Upon infection of a machine, Emotet attempts to spread within a network by brute-forcing user credentials, and writing to shared drives. Emotet often downloads a secondary malware, called Trickbot, onto infected machines.
Trickbot is a modular multi-purpose command-and-control (C2) tool that allows an attacker to harvest emails and credentials, move laterally within a network using exploits like EternalBlue, and deploy additional malware to the infected network.
The ACSC is aware of a number of Emotet/Trickbot infections leading to ransomware attacks, most notably a recent attack on the Victorian health sector using the Ryuk ransomware variant.
Attacks against Australian businesses and organisations are ongoing and pose a significant risk to Australian entities.
Recommendations
The ACSC recommends organisations consider the following actions:
Implement Essential Eight security controls
The Centre recommends implementing the ASD Essential Eight mitigations to reduce threats to ICT systems. Specifically, to combat the threat of Emotet to ICT systems, agencies should implement the following mitigations.
Configure Microsoft Office macro settings
In most cases, Emotet’s initial infection of a network was via an embedded macro in a Microsoft Office or PDF document. Implementing this security control will assist in reducing the likelihood of initial access via this method.
The Centre recommends that organisations review the use of macros within their environments, with reference to Microsoft Office Macro Security. Where possible, the Centre recommends blocking macros from the internet and only allowing macros to execute from trusted locations where write access is limited to personnel whose role is to vet and approve macros.
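The following audit script is an added example (not from the ACSC advisory) that checks the two settings recommended above on a workstation: that macros from the internet are blocked and that macros are otherwise disabled, and then lists who can write to each configured trusted location. It assumes Office 2016/2019/365 (registry version 16.0) with macro policy enforced through Group Policy, which lands under HKCU:\Software\Policies.

```powershell
# Added audit script, not part of the ACSC advisory. Assumes Office registry version 16.0 and
# that macro settings are delivered by Group Policy (HKCU:\Software\Policies).
$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'

function Get-OfficeMacroPolicy {
    param([string]$App)
    $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
    $sec = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    # blockcontentexecutionfrominternet = 1 is "Block macros from running in Office files from the Internet".
    # VBAWarnings: 1 = enable all, 2 = disable with notification,
    #              3 = disable except digitally signed, 4 = disable without notification.
    $trusted = Get-ChildItem -Path "$key\Trusted Locations" -ErrorAction SilentlyContinue |
        ForEach-Object { (Get-ItemProperty -Path $_.PSPath).Path } |
        Where-Object { $_ } |
        ForEach-Object { [Environment]::ExpandEnvironmentVariables($_) }
    [pscustomobject]@{
        Application      = $App
        BlockInternet    = ($sec.blockcontentexecutionfrominternet -eq 1)
        VBAWarnings      = $sec.VBAWarnings
        TrustedLocations = @($trusted)
        # Matches the advice above: internet macros blocked, everything else disabled,
        # so only content in trusted locations can run macros.
        Compliant        = ($sec.blockcontentexecutionfrominternet -eq 1) -and ($sec.VBAWarnings -eq 4)
    }
}

function Get-TrustedLocationWriters {
    # Returns the identities that hold write-capable rights on a trusted location, so an
    # administrator can confirm they are limited to the people who vet and approve macros.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       ($_.FileSystemRights.ToString() -match 'Write|Modify|FullControl|CreateFiles') } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
}

foreach ($app in $Apps) {
    $policy = Get-OfficeMacroPolicy -App $app
    $policy | Format-List Application, BlockInternet, VBAWarnings, Compliant
    foreach ($loc in $policy.TrustedLocations) {
        $writers = Get-TrustedLocationWriters -Path $loc
        "  Trusted location '$loc' writable by: $($writers -join ', ')"
    }
}
```

Run it in the context of an ordinary user account; a result of Compliant = False for any application, or a trusted location writable by a broad group such as Users, indicates the control is not in place.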
Patch operating systems
Maintaining a regular patch process (as detailed in Assessing Security Vulnerabilities and Applying Patches) restricts the availability of exploits that Emotet can use to move laterally within a network, limiting the number of hosts impacted by a successful infection.
Daily backups
The Centre recommends maintaining isolated offline backups of your network to allow recovery in the event of widespread Emotet infection or the deployment of ransomware.
Implement additional security controls
The ACSC publishes a comprehensive list of Strategies to Mitigate Cyber Security Incidents. To specifically combat the threat of Emotet to ICT systems, agencies should implement the following mitigations.
Email content scanning
Emotet is most commonly spread via emails containing malicious attachments. Email content filters and dynamic email analysis sandboxing capabilities could be put in place to prevent malicious content from reaching users and reduce the likelihood of compromise. To complement this, antivirus software using heuristics and reputation ratings should also be installed to identify and prevent malicious attachments that do make it to end users.
Network segmentation
Emotet and Trickbot have techniques that can be used to move laterally within an organisation's network. Organisations should partition networks into smaller sections in order to separate and segregate communications between specific hosts and services. Appropriate segmentation and segregation will limit the extent that a successful Emotet infection has on a network.
More details on considerations and techniques to perform network segmentation and segregation can be found in Implementing Network Segmentation and Segregation.
Update security appliances and scan for malicious indicators
Apply the latest Indicators of Compromise (IOCs) to your organisation’s gateways and firewalls for both inbound and outbound traffic. If possible, add these indicators to the antivirus or host-based security tools used on systems across the organisation and scan for them.
Develop a plan
Create a response plan to allow your organisation to respond in the event of an Emotet or ransomware infection. Most importantly, affected machines/networks should be immediately quarantined and disconnected from the internet.
Alert and educate staff
Consider sending out an organisation-wide alert to raise awareness of the dangers associated with opening attachments in unusual emails. Consider implementing an education program to improve staff awareness of cyber security and how to spot suspicious emails. For more details on how to implement a successful staff awareness program, see Improving Staff Awareness.
Incident reporting
If you have questions about this advice or have indications that your environment has been compromised, contact the ACSC via 1300 CYBER1 (1300 292 371).
Indicators of Compromise (IoCs) reported to the ACSC
The attached table lists the MD5 hashes associated with the Emotet dropper.
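As an added example of the host-side scan recommended under "Update security appliances and scan for malicious indicators" (not a script from the ACSC), the following PowerShell hashes files in user-writable locations and reports any whose MD5 appears in the dropper list. The MD5 values in the script are constructed placeholders to be replaced with the hashes from the attached table, and the scan directories are an assumption rather than locations named in the advisory.

```powershell
# Added example, not part of the ACSC advisory. The MD5 values are constructed placeholders;
# replace them with the hashes from the attached table. Scan locations are an assumption
# (user-writable directories), not a list taken from the advisory.
$IocMd5 = @(
    '00000000000000000000000000000001',  # PLACEHOLDER: replace with a real IoC from the table
    '00000000000000000000000000000002'   # PLACEHOLDER: replace with a real IoC from the table
)
$ScanPaths = @($env:TEMP, $env:LOCALAPPDATA, $env:APPDATA,
               "$env:USERPROFILE\Downloads", $env:ProgramData)

function Find-IocMatch {
    param(
        [string[]]$Paths,
        [string[]]$Md5List,
        [int64]$MaxBytes = 50MB   # skip very large files to keep the scan fast
    )
    # Case-insensitive set: Get-FileHash returns upper-case hex, IoC tables may be lower-case.
    $set = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($h in $Md5List) { [void]$set.Add($h.Trim()) }

    foreach ($root in $Paths) {
        if (-not $root -or -not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -File -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Length -le $MaxBytes } |
            ForEach-Object {
                $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
                if ($hash -and $set.Contains($hash)) {
                    [pscustomobject]@{
                        Path     = $_.FullName
                        MD5      = $hash
                        Size     = $_.Length
                        Modified = $_.LastWriteTimeUtc
                    }
                }
            }
    }
}

$hits = @(Find-IocMatch -Paths $ScanPaths -Md5List $IocMd5)
if ($hits.Count -eq 0) {
    'No files matching the IoC list were found.'
} else {
    # Per the advice above, a match means this host should be quarantined and disconnected
    # from the internet; keep the evidence for the response team (output path is an assumption).
    $hits | Format-Table -AutoSize
    $hits | Export-Csv -Path "$env:ProgramData\emotet-ioc-matches.csv" -NoTypeInformation
}
```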