Trojan.Emotet


Short bio

Trojan.Emotet is Malwarebytes' detection name for a banking Trojan that can steal data, such as user credentials stored in the browser, by eavesdropping on network traffic. Due to its effective combination of persistence and network propagation, Trojan.Emotet is often used as a downloader for other malware, and is an especially popular delivery mechanism for banking Trojans such as Qakbot and TrickBot. Compromised systems regularly contact Emotet's Command and Control (C2) servers to retrieve updates and new payloads.

Type and source of infection

Trojan.Emotet is commonly spread by email, using infected attachments as well as embedded URLs. These emails may appear to come from trusted sources, because Trojan.Emotet takes over the email accounts of its victims; this helps trick recipients into downloading the Trojan onto their machine. Once Trojan.Emotet has infected a networked machine, it propagates by enumerating network resources and writing to shared drives, and by brute-forcing user accounts. Infected machines attempt to spread Emotet laterally by brute-forcing domain credentials, and externally via its built-in spam module. As a result, the Emotet botnet is quite active and responsible for much of the malspam we encounter.

Aftermath

Trojan.Emotet changes often and is therefore hard to detect by signatures. Because of the way Emotet spreads through a company's network, any infected machine still on the network will re-infect machines that have been previously cleaned as soon as they rejoin it. IT teams therefore need to isolate, patch, and remediate each infected system one by one. Cleaning an affected network is a procedure that can take a long time, sometimes even months, depending on the number of machines involved.

Protection

Business and home users already using Malwarebytes are protected from Trojan.Emotet by its anti-exploit technology and by the real-time protection module.

Business remediation

Malwarebytes can detect and remove Trojan.Emotet on business endpoints without further user interaction. But to be effective on networked machines, you must first follow these steps:

  1. Identify the infected machine(s).
  2. Disconnect the infected machines from the network.
  3. Patch for EternalBlue (MS17-010), as Emotet drops TrickBot, which uses EternalBlue to propagate.
  4. Disable Administrative Shares.
  5. Remove the Emotet Trojan.
  6. Change account credentials.

Identifying the infected machines

If you have unprotected endpoints/machines, you can run Farbar Recovery Scan Tool (FRST) to look for possible Indicators of Compromise (IOCs). Besides verifying an infection, FRST can also be used to verify removal before bringing an endpoint/machine back into the network. Refer to the Farbar Recovery Scan Tool instructions for details on how to install and run a FRST scan. Search the FRST.txt file for the following IOCs:

  • HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\1A345B7
  • HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\12C4567D
  • (Gornyk) C:\Windows\SysWOW64\servicedcom.exe
  • C:\WINDOWS\12345678.EXE
  • C:\WINDOWS\SYSWOW64\SERVERNV.EXE
  • C:\WINDOWS\SYSWOW64\NUMB3R2ANDL3373RS.EXE
  • C:\WINDOWS\TEMP\1A2B.TMP
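The following PowerShell function is an added example, not part of the Malwarebytes page or of FRST itself: it scans the lines of an FRST.txt log for entries resembling the IOCs above. Since the names in those IOCs are randomized per infection, the regular expressions generalize them (a 6-8 character hex service name, an 8-character executable directly under C:\Windows, an unsigned executable in SysWOW64, a 4-hex-character .tmp in C:\Windows\Temp). The function name, the patterns and the sample log lines are assumptions/constructed; a hit is a lead to triage, not proof of infection.

```powershell
# Added example: scan an FRST.txt log for lines resembling the Emotet IOCs.
# Not from the Malwarebytes page; the regexes generalize the randomized parts
# of the page's sample paths and are an assumption, so triage every hit.
function Find-EmotetIoc {
    param(
        [Parameter(Mandatory)]
        [string[]] $Lines
    )

    $patterns = [ordered]@{
        # HKLM\...\Services\1A345B7 in the registry section, or "R2 1A345B7; ..."
        # in the services section: 6-8 hex characters used as a service name.
        'Service with random hex name'     = '\\Services\\[0-9A-F]{6,8}\b|^[RS][0-4]\s+[0-9A-F]{6,8};'
        # C:\WINDOWS\12345678.EXE: an 8-character random name directly under C:\Windows.
        'Random-named exe in C:\Windows'   = 'C:\\Windows\\[0-9A-Z]{8}\.exe\b'
        # C:\Windows\SysWOW64\servicedcom.exe: FRST marks unsigned binaries explicitly.
        'Unsigned exe in SysWOW64'         = 'C:\\Windows\\SysWOW64\\[A-Z0-9]+\.exe\b.*\[File not signed\]'
        # C:\WINDOWS\TEMP\1A2B.TMP: a 4-hex-character .tmp in the system temp folder.
        'Random .tmp in C:\Windows\Temp'   = 'C:\\Windows\\Temp\\[0-9A-F]{4}\.tmp\b'
    }

    foreach ($line in $Lines) {
        foreach ($name in $patterns.Keys) {
            # -match is case-insensitive, so C:\WINDOWS and C:\Windows both match.
            if ($line -match $patterns[$name]) {
                [pscustomobject]@{ Indicator = $name; Line = $line.Trim() }
            }
        }
    }
}

# Constructed sample lines in FRST's general shape (not a real log), including
# two benign lines to show that ordinary entries are not flagged.
$sample = @'
R2 1A345B7; C:\Windows\SysWOW64\servicedcom.exe [311296 2018-11-05] (Gornyk) [File not signed]
R2 Dhcp; C:\Windows\system32\svchost.exe [51696 2018-04-11] (Microsoft Corporation)
2018-11-05 09:14 - 2018-11-05 09:14 - 000311296 _____ C:\WINDOWS\12345678.EXE
2018-11-05 09:14 - 2018-11-05 09:14 - 000001024 _____ C:\WINDOWS\TEMP\1A2B.TMP
HKLM\...\Run: [OneDrive] => C:\Program Files\Microsoft OneDrive\OneDrive.exe
'@ -split "`r?`n"

# The first sample line is reported twice (hex service name and unsigned
# SysWOW64 binary); the two benign lines produce no output.
Find-EmotetIoc -Lines $sample | Format-Table -AutoSize

# Against a real log collected with FRST:
# Find-EmotetIoc -Lines (Get-Content -Path .\FRST.txt) | Format-Table -AutoSize
```

Run the same function over the FRST.txt produced after cleaning: an empty result is the check the page describes before a machine rejoins the network. Expect some false positives from the SysWOW64 rule on third-party unsigned software, and tighten the patterns with the exact names observed in your own environment once the first infected host has been confirmed.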

Disabling Administrative Shares

Windows installs hidden shares by default (ADMIN$, C$ and so on) specifically for administrative access from other machines. Emotet uses the Admin$ shares once it has brute-forced the local administrator password. A file server also has an IPC$ share, which Emotet queries to obtain a list of all endpoints that connect to it. These administrative shares are normally protected by UAC; however, Windows lets the built-in local Administrator account through with no prompt. The most recent Emotet variants use C$ with the administrator credentials to move around and re-infect all the other endpoints.

Repeated re-infections are an indication that the worm was able to guess or brute-force the administrator password. Change all local and domain administrator passwords.

It is recommended to disable the Admin$ shares via the registry: the AutoShareWks (workstations) and AutoShareServer (servers) DWORD values under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters, set to 0. If you do not see these values, they can be added manually and set to 0. Note that IPC$ is not controlled by these values and will remain.

To remove the Emotet Trojan using Malwarebytes business products, follow the instructions below.
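The registry change described above, as an added PowerShell example that is not part of the Malwarebytes page: it sets the two LanmanServer values to 0, restarts the Server service so the change takes effect, removes any administrative share still present, and reads the result back. It assumes an elevated session on Windows 8 / Server 2012 or later (for the SmbShare cmdlets) on a host that has already been taken off the network.

```powershell
# Added example: turn off the automatic administrative shares that Emotet uses
# for lateral movement, then confirm they are gone. Not from the Malwarebytes
# page. Assumes an elevated PowerShell session on Windows 8 / Server 2012 or
# later (Get-SmbShare / Remove-SmbShare), run while the host is off the network.

$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# AutoShareWks governs workstation SKUs and AutoShareServer governs server
# SKUs; 0 stops the Server service from re-creating ADMIN$, C$, D$, ... at
# start-up. Setting both is harmless. -Force creates the value if the key
# does not have it yet (the page notes it may be absent).
foreach ($valueName in 'AutoShareWks', 'AutoShareServer') {
    New-ItemProperty -Path $lanman -Name $valueName -PropertyType DWord -Value 0 -Force | Out-Null
}

# The values are read when the Server service starts, so restart it.
Restart-Service -Name LanmanServer -Force

# Drop any administrative share that still exists in this session. IPC$ is
# deliberately left alone: it is not controlled by these values and is needed
# for remote management.
Get-SmbShare | Where-Object { $_.Name -match '^(ADMIN|[A-Z])\$$' } |
    ForEach-Object { Remove-SmbShare -Name $_.Name -Force }

# Verify: the list should no longer contain ADMIN$ or any <drive>$ share.
Get-SmbShare | Select-Object Name, Path, Description

# Read the registry values back so the change can be evidenced in the ticket.
Get-ItemProperty -Path $lanman -Name AutoShareWks, AutoShareServer
```

Two caveats. Disabling ADMIN$ and C$ also breaks legitimate tooling that relies on them (PsExec-style remote execution, remote software deployment, some backup and management agents), so plan to set the values back to 1 and restart the service once the network is clean. And the change only removes Emotet's default path: an attacker who already holds administrator credentials can re-create shares or use other remote services, which is why the credential change in the steps above is not optional.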

How to remove Emotet with Malwarebytes Endpoint Protection

  1. Go to the Malwarebytes Cloud console.
  2. To allow a scan to be invoked while the machine is off the network, go to Settings > Policies > your policy > General.
  3. Under Endpoint Interface Options, turn ON:
    1. Show Malwarebytes icon in notification area
    2. Allow users to run a Threat Scan (all threats will be quarantined automatically)
  4. Temporarily enable Anti-Rootkit scanning for all invoked threat scans: go to Settings > Policies > your policy > Endpoint Protection > Scan Options.
  5. Set Scan Rootkits to ON.
  6. Once the endpoint has been updated with the latest policy changes:
    1. Take the client off the network.
    2. From the system tray icon, run an Anti-Rootkit threat scan.

If you have infected machines that are not registered endpoints in Malwarebytes Endpoint Protection, you can remove Emotet with the Malwarebytes Breach Remediation tool (MBBR). For detailed instructions on how to remediate this infection using MBBR or Malwarebytes Endpoint Security (MBES), see the support document on how to protect your network from the Emotet Trojan.

Home remediation

Malwarebytes can detect and remove Trojan.Emotet on home machines without further user interaction. On consumer systems that have been infected, you can follow these steps:

  1. Download Malwarebytes to your desktop.
  2. Double-click MBSetup.exe and follow the prompts to install the program.
  3. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
  4. Click the Get started button.
  5. Click Scan to start a Threat Scan.
  6. Click Quarantine to remove the found threats.
  7. Reboot the system if prompted to complete the removal process.

It is recommended to change all passwords that could have been stolen from the affected system.

Traces/IOCs

You may see entries in FRST logs that are similar to these:

  • HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\1A345B7
  • HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\12C4567D
  • (Gornyk) C:\Windows\SysWOW64\servicedcom.exe
  • C:\WINDOWS\12345678.EXE
  • C:\WINDOWS\SYSWOW64\SERVERNV.EXE
  • C:\WINDOWS\SYSWOW64\NUMB3R2ANDL3373RS.EXE
  • C:\WINDOWS\TEMP\1A2B.TMP

The randomized-looking parts of these entries (the italicized parts on the original page, such as 1A345B7, 12345678 or 1A2B) differ from one infection to the next.

General IOCs

Persistence

  • C:\Windows\System32\[randomnumber]\
  • C:\Windows\System32\tasks\[randomname]
  • C:\Windows\[randomname]
  • C:\users\[myuser]\appdata\roaming\[random]
  • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\[Randomname].LNK (a .LNK file in the Startup folder; %APPDATA% already expands to ...\AppData\Roaming)

Registry keys

  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\{Random Hexadecimal Numbers}
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{Random Name} with value c:\users\[user]\appdata\roaming\{Random}\{Legitimate Filename}.exe

Filename examples

  • PlayingonaHash.exe
  • certapp.exe
  • CleanToast.exe
  • CciAllow.exe
  • RulerRuler.exe
  • connectmrm.exe

Strings (the following paths may be missing in some samples; they are not always present)

  • C:\email.doc
  • C:\123\email.doc
  • C:\123\email.docx
  • C:\a\foobar.bmp
  • X:\Symbols\a
  • C:\loaddll.exe
  • C:\email.htm
  • C:\take_screenshot.ps1
  • C:\a\foobar.gif
  • C:\a\foobar.doc

Subject filters

  • "UPS Ship Notification, Tracking Number"
  • "UPS Express Domestic"
  • "Tracking Number *"

A legitimate UPS tracking number contains eighteen alphanumeric characters, starts with "1Z" and ends with a check digit.
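The persistence locations listed above can be checked on a live host rather than from an FRST log. The following PowerShell function is an added example, not part of the Malwarebytes page: it looks for Run-key values whose command points into a subfolder of %APPDATA%\Roaming, services whose name is 6-8 hexadecimal characters, .LNK files in the current user's Startup folder (resolved to their targets), and purely numeric folder names directly under System32. The function name and the patterns are assumptions generalized from the page's placeholders, so every result needs a look before it is acted on; some legitimate software also starts from %APPDATA%\Roaming.

```powershell
# Added example: hunt a live host for the persistence IOCs listed above.
# Not from the Malwarebytes page; the patterns generalize the page's
# placeholders and are an assumption, so review every hit before acting on it.
function Get-EmotetPersistenceLead {
    [CmdletBinding()]
    param()

    # Run-key values (HKCU per the page, HKLM for completeness) whose command
    # line points at an executable in a subfolder of %APPDATA%\Roaming.
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($keyPath in $runKeys) {
        if (-not (Test-Path -Path $keyPath)) { continue }
        $key = Get-Item -Path $keyPath
        foreach ($valueName in $key.GetValueNames()) {
            $command = [string]($key.GetValue($valueName))
            if ($command -match '\\AppData\\Roaming\\[^\\]+\\[^\\]+\.exe') {
                [pscustomobject]@{ Source = 'Run key'; Name = "$keyPath\$valueName"; Target = $command }
            }
        }
    }

    # Services named with 6-8 hexadecimal characters
    # (HKLM\System\CurrentControlSet\Services\{Random Hexadecimal Numbers}).
    Get-Service | Where-Object { $_.Name -match '^[0-9A-F]{6,8}$' } | ForEach-Object {
        [pscustomobject]@{ Source = 'Service'; Name = $_.Name; Target = $_.DisplayName }
    }

    # Shortcuts in the current user's Startup folder, resolved to their target
    # so a [Randomname].LNK pointing into %APPDATA% stands out.
    $shell   = New-Object -ComObject WScript.Shell
    $startup = [Environment]::GetFolderPath('Startup')
    Get-ChildItem -Path $startup -Filter '*.lnk' -ErrorAction SilentlyContinue | ForEach-Object {
        $target = $shell.CreateShortcut($_.FullName).TargetPath
        [pscustomobject]@{ Source = 'Startup .lnk'; Name = $_.Name; Target = $target }
    }

    # Folders whose name is purely numeric directly under System32
    # (C:\Windows\System32\[randomnumber]\).
    Get-ChildItem -Path "$env:SystemRoot\System32" -Directory -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^\d+$' } | ForEach-Object {
            [pscustomobject]@{ Source = 'System32 folder'; Name = $_.Name; Target = $_.FullName }
        }
}

Get-EmotetPersistenceLead | Format-Table -AutoSize
```

Run it in the context of the user who was logged on when the infection occurred, because the HKCU Run key and the Startup folder are per-user; a hit whose target file name is one of the examples above (certapp.exe, CleanToast.exe and so on) or matches the C:\users\...\appdata\roaming\{Random}\{Legitimate Filename}.exe shape is the strongest lead.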