Our Threat Response Unit (TRU) publishes security advisories, blogs, reports, industry publications and webinars based on its original research and the insights driven through proactive threat hunts.
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company's mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
As of November 15th, 2021, multiple sources [1] [2] have observed activity associated with the Emotet malware. This activity includes malware delivery through email and existing infections.
Successful Emotet payload execution has not been observed across customers at this time. The Threat Intelligence team assesses with medium confidence current campaigns are focused on re-establishing botnet infrastructure following law enforcement's action to take down the botnet in January 2021[3]. Email delivery techniques and payload execution remain consistent or similar to past Emotet infections. The eSentire Threat Intelligence team assesses, with medium confidence, Emotet’s email campaigns will continue.
What we’re doing about it
eSentire MDR for Network and Endpoint have rules in place to detect Emotet.
IP addresses associated with Emotet have been blocked via MDR for Network.
Threat hunting has been performed for all eSentire MDR for Endpoint customers.
eSentire security teams are tracking this threat for additional detection and prevention opportunities.
What you should do about it
Employ email filtering and protection measures
Block or quarantine email attachments such as EXEs, Password Protected Zip archives, JavaScript, Visual Basic scripts.
Implement anti-spoofing measures such as DMARC and SPF.
Employ an MFA solution to reduce impact of compromised credentials.
Train users to identify and report suspicious emails, including from trusted contacts.
Protect endpoints against malware
Ensure antivirus signatures are up-to-date.
Use a Next-Gen AV (NGAV) or Endpoint Detection and Response (EDR) product to detect and contain threats.
Limit or disable macros across the organization. See UK's National Cyber Centre guidance on Macro Security
Additional information
Emotet is an information stealer malware that is also used for initial access by multiple threats such as Qakbot and Trickbot. Emotet has been previously observed leading to Ryuk, Conti, ProLock, and Egregor ransomware threats.
As of this writing, follow-on malware has not been observed in these latest campaigns. Emotet activity halted in early 2021, after law-enforcement acted against the Emotet threat and seized malicious infrastructure. Recent activity is believed to be focused on re-establishing botnet hosts.
Overview of November 15th to 17th 2021 Emotet Activity
Distribution
Existing Trickbot Infections.
Mass email delivery.
Emotet Email Content
Spoofed replies to stolen email threads (email thread hijacking).
Excel (.xlsm) attachments.
Word (.docm) attachments.
Password protected Zip archives containing malicious office documents.
Links to malicious office documents.
Malicious Office Documents
Use of standard lures to entice recipients to enable macros (see images below).
Successful macros execution results in PowerShell commands to retrieve and execute payloads via rundll32.exe.
No secondary payloads have been observed as of time of writing.
Cookies allow us to deliver the best possible experience for you on our website - by continuing to use our website or by closing this box, you are consenting to our use of cookies. Visit our Privacy Policy to learn more.
