Cyber risk and advisory programs that identify security gaps and build strategies to address them.
MDR that provides improved detection, 24/7 threat hunting, end-to-end coverage and most of all, complete Response.
Our team delivers the fastest response time in the industry. Threat suppression within just 4 hours of being engaged.
Be protected by the best from Day 1.
24/7 Threat Investigation and Response.
Expert hunting, research and content.
Defend brute force attacks, active intrusions and unauthorized scans.
Protect assets from ransomware, trojans, rootkits and more.
Intelligence and visibility across AWS, O365, DevOps and more.
Configuration escalations, policy and posture management.
Detects malicious insider behavior leveraging Machine Learning models.
The eSentire Threat Intelligence team is aware of and tracking recent activity involving Emotet malware. While observations of the malware have declined since May 2019, researchers observed a new spam campaign delivering malicious documents associated with Emotet early on September 16th, 2019.
Detection and prevention capabilities in eSentire products have been tested for this threat. The eSentire Threat Intelligence team will continue to monitor and update internal Security Operations teams with relevant context and indicators.
What is Emotet?
According to US-CERT, “Emotet is an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans”. Emotet has been observed delivering other payloads including ransomware.
What is the latest information on Emotet?
Emotet activity has declined significantly since May 2019. In recent weeks, researchers began observing changes to the malware’s Command & Control (C2) infrastructure. Early on Monday, September 16th, 2019 Cofense Labs noted that Emotet’s spam operations had resumed.
How is Emotet delivered?
Malwarebytes has observed emails containing the subject line “RE: Payment Remittance Advice” with a malicious Word document attached. The email body instructs the recipient to open the document which is disguised as a pay statement.
What does the malicious document look like?
Sandbox analysis of associated Word documents indicate the document prompts the user to update their license agreement by September 20th, 2019.
Screenshot of the malicious document can be seen below:
[image src="/assets/179ecc6759/image002.jpg" id="2424" width="538" height="284" class="leftAlone ss-htmleditorfield-file image" title="image002"]
When executed, WMI is used to spawn PowerShell, connect to the C2 host and install malware. This behavior is blocked by eSentire’s MED service and detected with esENDPOINT/esNETWORK.