Emotet is back, and it’s after your passwords!

Shimrit Tzur-David | November 22, 2020

Just when we thought 2020 couldn’t get any worse, the U.S. Department of Homeland Security (DHS) declared that Emotet, a strain of malware (and a cybercrime operation allegedly directed by Russian hackers) that has existed since 2014, has seen a resurgence of activity. DHS describes Emotet as “one of the most prevalent ongoing threats” that is targeting various organizations, especially “state and local governments.” 

DHS describes Emotet as “a sophisticated Trojan commonly functioning as a downloader or dropper of other malware,” and in a lengthy and very technical post, it describes how the malware operates and how cybercriminals use it to prey on their victims. Despite all its sophisticated methods, however, Emotet still relies on one thing that has chronically haunted IT and security staff across organizations and governments: poor and unprotected passwords.

In this post, we will look at how Emotet works, how it exploits weak authentication methods and password policies, and how you can protect your organization against this growing threat in these sensitive times (tl;dr: get rid of those damn passwords!).

 What is Emotet?

In all honesty, Emotet is a very advanced Trojan. It uses a host of techniques and exploits an array of known vulnerabilities to spread across networks and drop malicious payloads on computers. Once installed, the malware extracts sensitive information such as banking credentials and passwords to important administrative accounts and sends them to the command and control servers of cybercriminals, who use them to steal money or gain access to other vital resources.

“Emotet is difficult to combat because of its ‘worm-like’ features that enable network-wide infections. Additionally, Emotet uses modular Dynamic Link Libraries to continuously evolve and update its capabilities,” the DHS wrote.

Emotet’s best-known point-of-entry attack vector is social engineering: Attackers target their victims with phishing of spear-phishing emails with MS Word documents or ZIP archives that contain the malicious code. To trick their targets to open the malicious files, the attackers might attach the malware-infected files to messages they insert in hijacked email threads or prompt users to enable macros in Word to view special content.

How Emotet steals your password?

Once Emotet infects a computer, it performs several operations. While an exhaustive list of all of Emotet’s functions is beyond this post, there are some key things about how Emotet obtains passwords from infected computers:

  •   The malware uses password-grabber modules like Mimikatz to steal credentials. Mimikatz accesses the process memory of the infected computer’s operating system and scans it for credentials such as the logged-on user’s domain password.
  •   Emotet uses brute-force password-guessing to obtain the local administrator password.
  •   Emotet actively scans the infected computer’s hard drive and network drives and shared folders for files that contain usernames and passwords. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords. Emotet might also extract passwords from online backup files or snapshots of virtual machines stored on the infected computer.
  •   Emotet steals passwords stored in browsers. Most browsers support storing your credentials to save you the pain of typing in your username and password every time you want to log into a website. They store the credentials in an encrypted file on your local hard disk. When Emotet obtains your login password (see how it does in the earlier points), it is able to decrypt this file and steal the credentials of your online accounts. Since users have the bad habit of reusing passwords across different services, it can then try the same username and password on different platforms to hijack even more accounts.

How Emotet evades detection and spreads the infection

So clearly, Emotet is hot after your passwords, which is obvious because they are the key to your more valuable digital assets. With such a wide array of malicious behavior, how does it manage to evade antimalware tools and other endpoint security solutions?

First, Emotet is a fileless malware, which means it does not have a binary executable that can be detected by antivirus tools. It uses macro scripts and legitimate operating system tools to directly load its malicious payload into system memory, where it is much harder for security tools to detect and intercept it. Also, it is a polymorphic malware: it is constantly changing form, which makes it very difficult for anti-virus tools to define and find its digital fingerprint. 

Another thing that makes Emotet dangerous is its pervasive nature. The malware uses various methods to spread to as many users and computers as possible. If the malware is able to obtain the credentials of the logged-on user, it will then use this password to access network resources on the user’s behalf. Of particular interest are shared folders (SMB), which the malware can use to spread the infection to other computers on the corporate network. If it successfully gets administrator passwords, it uses the higher privileges to access even more sensitive resources like hidden network shares such as C$ and ADMIN$. This will give it even bigger leverage to spread the infection at the system level. 

The Emotet operation is also known to spoof email addresses and use active email chains to create specialized phishing attacks and trick unsuspecting victims into downloading and running the malicious attachments.

How to protect yourself against Emotet

Naturally, every discovered and reported threat prompts security vendors to update their solutions and protect their clients. So, many of the things contained in the DHS report might probably be patched and covered by the time you read this post.

But it’s not what we know about Emotet that is frightening and dangerous? It’s what we don’t. The cybersecurity landscape is constantly evolving, and so are threat actors. They will continue to enhance their methods and find new ways to circumvent anti-malware and online protection tools. The one thing, however, that remains constant in their modus operandi is going for the low-hanging fruit. And that low-hanging fruit, at the moment, is password-based authentication.

As you saw in the details above, much of Emotet’s functions rely on cracking through passwords and gaining access to privileges and resources to expand their attacks. As long as your digital infrastructure and accounts are protected by passwords—no matter how strong they are—there will always be an opportunity for attackers to break through your front door instead of searching for complicated zero-day access to your network. So, the first step toward protecting your organization and your users against developing threats such as Emotet is to eliminate passwords altogether. And fortunately, there are now many ways to transition your company to passwordless authentication. A quick look at Emotet and other similar strains of malware shows that with a passwordless solution, many of the attack vectors they use will be neutralized when they have no passwords to steal.