Bouncing Back
Emotet is a sophisticated, self-seeding, multi-purpose piece of malware with a highly modular structure. Originally conceived as a banking trojan, it is now often used as a distribution channel for different types of malware. Indeed, what started as a specific piece of malware has now morphed into a highly successful criminal enterprise that is regularly used to deliver information stealers, Trojans, and ransomware.
In January 2021, a joint law enforcement initiative spearheaded by Europol took control of Emotet’s infrastructure and dismantled it, but now it’s bouncing back.
Evading Detection
One of the secrets to Emotet’s longevity is that it consistently evades detection-based defences. A good indicator of the effectiveness of a piece of malware is to run it through a website that hosts many of the major anti-malware technologies on the market and see how it fares in evading detection. When Forcepoint researchers did this with a sample of Emotet, comprising a malicious macro embedded inside a Word 97 .doc file, around 75% of the anti-malware technologies on the site correctly identified it as a threat.
Unfortunately, making the slightest change to the Emotet sample saw the success rate plummet. Adding a simple comment line to the macro script saw the percentage of anti-malware technologies correctly identifying the sample as malicious fall to 34%. Taking the modified version and copying and pasting it into a different Word document with different body content saw the success rate fall to 20%.
The changes are trivial, but they highlight a problem. Detection-based defences struggle to keep pace with threats like Emotet. So, what’s to be done?
Combatting the Threat
Emotet is typically concealed in Microsoft Word documents and delivered as attachments masquerading as anything from invoices and shipping notices to Covid-19 updates. To combat this, it’s important to ensure detection-based anti-virus defences are kept up to date and to educate users about the risk of attack. But more is needed.
Forcepoint has developed a zero-trust approach to the problem of malware concealed in everyday business files such as Office documents, PDFs and images. Forcepoint Zero Trust CDR (Content Disarm and Reconstruction) works on the premise that because you cannot be certain whether you have or haven’t detected the presence of something like Emotet in an email attachment, the only sensible approach is not to trust any attachment, but to make all attachments safe by transforming them.
The transformation process involves extracting the useful business information from a document, discarding the original (along with any active content, malformed structures or unnecessary features) and creating a new one with the information in it to give to the user. This Zero Trust CDR approach delivers threat-free attachments because none of the original digital file is ever delivered to the endpoint.
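As an added illustration of that extract-discard-rebuild step (example code written for this page, not Forcepoint’s product code), here is a minimal CDR pass over a Word OOXML package in Python: only the paragraph text is read from the original, and a brand-new three-part .docx is written from scratch, so a macro part travelling in the input never reaches the output. The sample document, its placeholder `word/vbaProject.bin` part and the function names are all constructed for this example.

```python
import io
import zipfile
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
DOC_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument"
MAIN_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
RELS_CT = "application/vnd.openxmlformats-package.relationships+xml"


def part_names(docx_bytes: bytes) -> list:
    """List the parts (zip members) of an OOXML package, sorted."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        return sorted(zf.namelist())


def extract_paragraphs(docx_bytes: bytes) -> list:
    """Read only the visible paragraph text from word/document.xml. No other part is touched."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read("word/document.xml"))
    texts = ["".join(t.text or "" for t in p.iter(f"{{{W_NS}}}t")) for p in root.iter(f"{{{W_NS}}}p")]
    return [t for t in texts if t]


def build_docx(paragraphs: list) -> bytes:
    """Write a fresh, minimal .docx (content types, package rels, document) holding only the text."""
    body = "".join(f'<w:p><w:r><w:t xml:space="preserve">{escape(t)}</w:t></w:r></w:p>' for t in paragraphs)
    document = f'<w:document xmlns:w="{W_NS}"><w:body>{body}</w:body></w:document>'
    types = (f'<Types xmlns="{CT_NS}"><Default Extension="rels" ContentType="{RELS_CT}"/>'
             f'<Override PartName="/word/document.xml" ContentType="{MAIN_CT}"/></Types>')
    rels = f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" Type="{DOC_REL}" Target="word/document.xml"/></Relationships>'
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", types)
        zf.writestr("_rels/.rels", rels)
        zf.writestr("word/document.xml", document)
    return out.getvalue()


def disarm(docx_bytes: bytes) -> bytes:
    """CDR: keep the business text, discard the original package, rebuild from scratch."""
    return build_docx(extract_paragraphs(docx_bytes))


def constructed_sample() -> bytes:
    """Constructed input: an ordinary document plus a placeholder word/vbaProject.bin part,
    the location where a macro-enabled .docm stores its VBA. The bytes are a label, not a macro."""
    buf = io.BytesIO(build_docx(["Invoice INV-0001 from Acme & Co", "Amount due: 100.00"]))
    with zipfile.ZipFile(buf, "a") as zf:
        zf.writestr("word/vbaProject.bin", b"PLACEHOLDER - not a real VBA project")
    return buf.getvalue()
```

Running `part_names(constructed_sample())` and `part_names(disarm(constructed_sample()))` side by side shows the macro part present in the input and absent from the rebuilt output; a production CDR engine would apply the same idea to styles, images, tables and the other document types the text mentions.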
Zero Trust CDR and Emotet
Emotet is here to stay. The best way to mitigate the threat is to prevent it from entering your organisation in the first place. Although detection-based virus scanners can help, criminals are increasingly finding ways to evade detection. Combatting this problem requires additional defences that offer advanced protection, transforming incoming files to remove any threats and make them safe.
Forcepoint Zero Trust CDR for Mail can be added into the existing cybersecurity boundary, running on the corporate side of an existing Email Security Gateway. Inbound emails are routed from the Email Security Gateway to the Zero Trust CDR for Mail server, where the messages and attachments are transformed to ensure they are threat-free before onward delivery to the corporate mail server.