Trojan.Emotet.Generic

Short bio

Trojan.Emotet.Generic is Malwarebytes' generic detection name for a banking Trojan that can steal data, such as user credentials stored on the browser, by eavesdropping on network traffic. Due to its effective combination of persistence and network propagation, Trojan.Emotet.Generic is often used as a downloader for other malware, and is an especially popular delivery mechanism for banking Trojans, such as Qakbot and TrickBot.

Type and source of infection

Trojan.Emotet.Generic is commonly spread by email, using infected attachments, as well as embedded URLs. These emails may appear to come from trusted sources, as Trojan.Emotet takes over the email accounts of its victims. This helps trick users into downloading the Trojan onto their machine.

Once Trojan.Emotet.Generic has infected a networked machine, it will propagate by enumerating network resources and write to share drives, as well as brute force user accounts. Infected machines attempt to spread Emotet laterally via brute forcing of domain credentials, as well as externally via its built-in spam module. As a result, the Emotet botnet is quite active and responsible for much of the malspam we encounter.

Aftermath

Trojan.Emotet.Generic is changed regularly, and therefore hard to detect by signatures.

Due to the way Emotet spreads through a company’s network, any infected machine on the network will re-infect machines that have been previously cleaned when they rejoin the network. Therefore, IT teams need to isolate, patch, and remediate each infected system one-by-one. Cleaning an affected network is a procedure that can take a long time—sometimes even months—depending on the number of machines involved.

Protection

Business and home users already using Malwarebytes are protected from Trojan.Emotet.Generic via our anti-exploit technology:

Malwarebytes users are also protected from Emotet via our real-time protection module:

Business remediation

Malwarebytes can detect and remove Trojan.Emotet.Generic on business endpoints without further user interaction. But to be effective on networked machines, you must first follow these steps:

1. Identify the infected machine(s).
2. Disconnect the infected machines from the network.
3. Patch for Eternal Blue as Emotet drops Trcikbot which uses Eternal Blue to propagate.
4. Disable Administrative Shares.
5. Remove the Emotet Trojan.
6. Change account credentials.

If you have unprotected endpoints/machines, you can run Farbar Recovery Scan Tool (FRST) to look for possible Indicators of Compromise (IOC). Besides verifying an infection, FRST can also be used to verify removal before bringing an endpoint/machine back into the network. Refer to Farbar Recovery Scan Tool instructions for details on how to install and run a FRST scan.

Search the FRST.txt file for the following IOCs:

• HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\1A345B7
• HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\12C4567D
• (Gornyk) C:\Windows\SysWOW64\servicedcom.exe
• C:\WINDOWS\12345678.EXE
• C:\WINDOWS\SYSWOW64\SERVERNV.EXE
• C:\WINDOWS\SYSWOW64\NUMB3R2ANDL3373RS.EXE
• C:\WINDOWS\TEMP\1A2B.TMP

Windows server shares by default install hidden share folders specifically for administrative access to other machines. The Admin$ shares are used by Emotet once it has brute forced the local administrator password. A file share sever has an IPC$ share that Emotet queries to get a list of all endpoints that connect to it. These AdminIP shares are normally protected via UAC, however, Windows will allow the local administrator through with no prompt.

The most recent Emotet variants use C$ with the Admin credentials to move around and re-infect all the other endpoints.

Repeated re-infections are an indication the worm was able to guess or brute force the administrator password successfully. Please change all local and domain administrator passwords.

It is recommended to disable these Admin$ shares via the registry, as discussed here. If you do not see this registry key, it can be added manually and set up to be disabled.

To remove the Emotet Trojan using Malwarebytes business products, follow the instructions below.

How to remove Emotet with Malwarebytes Endpoint Protection

1. Go to the Malwarebytes Cloud console.
2. To allow you to invoke a scan while the machine is off the network, go to Settings > Policies > your policy > General.
3. Under Endpoint Interface Options, turn ON:
   1. Show Malwarebytes icon in notification area
   2. Allow users to run a Threat Scan (all threats will be quarantined automatically)
4. Temporarily enable Anti-Rootkit scanning for all invoked threat scans. Go to Settings > Policies > your policy > Endpoint Protection > Scan Options
5. Set Scan Rootkits to ON.
6. Once the endpoint has been updated with the latest policy changes:
   1. Take the client off the network
   2. From the system tray icon, run an Anti-Rootkit threat scan.

For detailed instructions on how to remediate this infection using MBBR or Malwarebytes Endpoint Security (MBES), please have a look at our support document on how to protect your network from Emotet Trojan.

Home remediation

Malwarebytes can detect and remove Trojan.Emotet.Generic on home machines without further user interaction.

On consumer systems that have been infected, you can follow these steps:

1. Please download Malwarebytes to your desktop.
2. Double-click MBSetup.exe and follow the prompts to install the program.
3. When your Malwarebytes for Windows installation completes, the program opens to the Welcome to Malwarebytes screen.
4. Click on the Get started button.
5. Click Scan to start a Threat Scan.
6. Click Quarantine to remove the found threats.
7. Reboot the system if prompted to complete the removal process.