Trojan.Emotet

Short bio

Trojan.Emotet is Malwarebytes’ detection name for a banking Trojan that steals data, such as credentials stored in the browser, including by eavesdropping on network traffic. Thanks to its effective combination of persistence and network propagation, Trojan.Emotet is also widely used as a downloader for other malware, and is an especially popular delivery mechanism for other banking Trojans such as Qakbot and TrickBot.

Compromised systems regularly contact Emotet’s Command and Control servers (C2) to retrieve updates and new payloads.

Type and source of infection

Trojan.Emotet is commonly spread by email, using infected attachments, as well as embedded URLs. These emails may appear to come from trusted sources, as Trojan.Emotet takes over the email accounts of its victims. This helps trick users into downloading the Trojan onto their machine.

Once Trojan.Emotet has infected a networked machine, it propagates to unpatched systems using the EternalBlue SMBv1 exploit (MS17-010). Infected machines also attempt to spread Emotet laterally by brute forcing domain and local administrator credentials, and externally through the built-in spam module. As a result, the Emotet botnet is very active and responsible for much of the malspam we encounter.

Aftermath

Trojan.Emotet is polymorphic, and therefore hard to detect by signatures.

Because of the way Emotet spreads through a company’s network, any machine that is still infected will re-infect previously cleaned machines as soon as they rejoin the network. IT teams therefore need to isolate, patch and remediate each infected system one by one, and reconnect a machine only after it has been verified clean. Cleaning an affected network can take a long time, sometimes months, depending on the number of machines involved.

Protection

Business and home users already using Malwarebytes are protected from Trojan.Emotet in two ways: the anti-exploit technology blocks the exploit-driven stages of the infection, and the real-time protection module detects and blocks Trojan.Emotet itself.

Business remediation

Malwarebytes can detect and remove Trojan.Emotet on business endpoints without further user interaction. But to be effective on networked machines, you must first follow these steps:

  1. Identify the infected machine(s).
  2. Disconnect the infected machines from the network.
  3. Patch for EternalBlue (MS17-010).
  4. Disable Administrative Shares.
  5. Remove the Emotet Trojan.
  6. Change account credentials.

Identifying the infected machines

If you have unprotected endpoints/machines, you can run Farbar Recovery Scan Tool (FRST) to look for possible Indicators of Compromise (IOCs). Besides confirming an infection, FRST can also be used to verify removal before bringing an endpoint/machine back into the network. Refer to the Farbar Recovery Scan Tool instructions for details on how to install and run an FRST scan.

Search the FRST.txt file for entries like the following IOCs (the service key names, the executable names and the .TMP name are randomized per infection; the values shown are placeholders for the pattern):

  • HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\1A345B7
  • HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\12C4567D
  • (Gornyk) C:\Windows\SysWOW64\servicedcom.exe
  • C:\WINDOWS\12345678.EXE
  • C:\WINDOWS\SYSWOW64\SERVERNV.EXE
  • C:\WINDOWS\SYSWOW64\NUMB3R2ANDL3373RS.EXE
  • C:\WINDOWS\TEMP\1A2B.TMP

Disabling Administrative Shares

Windows creates hidden administrative shares by default so that administrators can reach a machine over the network: ADMIN$ (the Windows directory), C$ (one <drive>$ share per fixed drive) and IPC$ (the named-pipe share used for remote administration and enumeration). Emotet uses the ADMIN$ share once it has brute forced the local administrator password, and it queries the IPC$ share of a file server to get a list of the endpoints that connect to it. UAC remote restrictions normally filter the token of a local administrator account that connects over the network, but the built-in Administrator account is exempt from that filtering, so once its password has been guessed Windows lets the worm in with no prompt.

The most recent Emotet variants use C$ with the administrator credentials to move around and re-infect all the other endpoints.

Repeated re-infections are a sign that the worm was able to guess or brute force an administrator password. Change all local and domain administrator passwords, and do not use the same local administrator password on more than one endpoint.

It is recommended to disable the automatic ADMIN$ and C$ shares via the registry: under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters, set the DWORD value AutoShareWks (workstations) or AutoShareServer (servers) to 0 and restart the Server service. The value is not present by default, so create it if you do not see it. Note that IPC$ is not affected by these values and cannot be disabled this way; removing the shares limits where the worm can write, but only the credential change stops it from authenticating.
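The following PowerShell is added here as a worked example of steps 3 and 4 of the procedure above; it is not code from the Malwarebytes page or product. Run it in an elevated session on an endpoint that has already been taken off the network. It assumes Windows 8.1 / Server 2012 R2 or later (for the Smb* cmdlets). Disabling SMBv1 is an added mitigation alongside installing the MS17-010 update, not a replacement for it; the srv.sys version it reports is there for you to compare against the patched build for your OS version.

```powershell
# Added example, not from the Malwarebytes page: pre-remediation hardening for
# steps 3 and 4 of the business procedure. Run in an elevated PowerShell on an
# endpoint that has already been taken off the network (assumes Windows 8.1 /
# Server 2012 R2 or later for the Smb* cmdlets).

$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Disable-Smb1Server {
    # EternalBlue (MS17-010) targets the SMBv1 server. Install the update
    # (step 3); turning SMBv1 off as well removes the attack surface on hosts
    # whose patch state is uncertain. Return the srv.sys version so it can be
    # compared with the MS17-010 build for this OS version.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    (Get-Item "$env:SystemRoot\System32\drivers\srv.sys").VersionInfo.ProductVersion
}

function Disable-AdminShares {
    # Windows recreates ADMIN$ and <drive>$ each time the Server service starts
    # unless AutoShareWks (workstations) / AutoShareServer (servers) is 0.
    # Neither value exists by default, so create it when missing. IPC$ is not
    # governed by these values and stays available.
    foreach ($Name in 'AutoShareWks', 'AutoShareServer') {
        $Current = Get-ItemProperty -Path $LanmanParams -Name $Name -ErrorAction SilentlyContinue
        if ($null -eq $Current) {
            New-ItemProperty -Path $LanmanParams -Name $Name -PropertyType DWord -Value 0 | Out-Null
        } else {
            Set-ItemProperty -Path $LanmanParams -Name $Name -Value 0
        }
    }
    # The registry change only stops the shares from coming back; drop the
    # ones currently published as well (ADMIN$ or a drive letter followed by $).
    Get-SmbShare -Special |
        Where-Object { $_.Name -eq 'ADMIN$' -or $_.Name -match '^[A-Z]\$$' } |
        ForEach-Object { Remove-SmbShare -Name $_.Name -Force }
}

function Get-HardeningState {
    # Snapshot to keep with the incident record for this endpoint.
    $Smb  = Get-SmbServerConfiguration
    $Regs = Get-ItemProperty -Path $LanmanParams
    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        Smb1Enabled     = $Smb.EnableSMB1Protocol
        AutoShareWks    = $Regs.AutoShareWks
        AutoShareServer = $Regs.AutoShareServer
        AdminShares     = (Get-SmbShare -Special |
                           Where-Object { $_.Name -ne 'IPC$' } |
                           Select-Object -ExpandProperty Name) -join ', '
    }
}

$SrvVersion = Disable-Smb1Server
Disable-AdminShares
Restart-Service -Name LanmanServer -Force   # apply the AutoShare* values now
Get-HardeningState |
    Add-Member -NotePropertyName SrvSysVersion -NotePropertyValue $SrvVersion -PassThru |
    Format-List
```

Expect Smb1Enabled to be False, both AutoShare* values to be 0 and AdminShares to be empty in the report; IPC$ is deliberately left out of that field because it will still be there. Keep the report with the incident record so that the state of each endpoint is known before it is allowed back on the network.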

To remove the Emotet Trojan using Malwarebytes business products, follow the instructions below.

How to remove Emotet with Malwarebytes Endpoint Protection

  1. Go to the Malwarebytes Cloud console.
  2. So that a scan can be started while the machine is off the network, go to Settings > Policies > your policy > General.
  3. Under Endpoint Interface Options, turn ON:
    1. Show Malwarebytes icon in notification area
    2. Allow users to run a Threat Scan (all threats will be quarantined automatically)
  4. Temporarily enable Anti-Rootkit scanning for all invoked threat scans: go to Settings > Policies > your policy > Endpoint Protection > Scan Options and set Scan Rootkits to ON.
  5. Once the endpoint has received the updated policy:
    1. Take the client off the network.
    2. From the system tray icon, run a Threat Scan (which now includes the rootkit scan).

If you have infected machines that are not registered endpoints in Malwarebytes Endpoint Protection, you can remove Emotet with our Breach Remediation tool (MBBR).

For detailed instructions on how to remediate this infection using MBBR or Malwarebytes Endpoint Security (MBES), please have a look at our support document on how to protect your network from Emotet Trojan.

Home remediation

Malwarebytes can detect and remove Trojan.Emotet on home machines without further user interaction.

On consumer systems that have been infected, you can follow these steps:

  1. Please download Malwarebytes to your desktop.
  2. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
  3. Then click Finish.
  4. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
  5. If another definitions update is available, it is applied before the scan starts.
  6. When the scan is complete, make sure that All Threats are selected, and click Remove Selected.
  7. Restart your computer when prompted to do so.

It is recommended to change all passwords that could have been stolen from the affected system.

Traces/IOCs

You may see entries in FRST logs that are similar to these:

  • HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\1A345B7
  • HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\12C4567D
  • (Gornyk) C:\Windows\SysWOW64\servicedcom.exe
  • C:\WINDOWS\12345678.EXE
  • C:\WINDOWS\SYSWOW64\SERVERNV.EXE
  • C:\WINDOWS\SYSWOW64\NUMB3R2ANDL3373RS.EXE
  • C:\WINDOWS\TEMP\1A2B.TMP

The service key names, the executable names and the .TMP name (shown in italics on the original page) are randomized in each infection; the values above are placeholders for the pattern.

General IOCs

Persistence

C:\Windows\System32\[randomnumber]\
C:\Windows\System32\Tasks\[randomname]
C:\Windows\[randomname]
C:\Users\[user]\AppData\Roaming\[random]
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\[Randomname].LNK (a shortcut in the Startup folder; %APPDATA% already expands to ...\AppData\Roaming)

Registry keys

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services {Random Hexadecimal Numbers}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run {Random Names} with value c:\users\admin\appdata\roaming\{Random}{Legitimate Filename}.exe
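As an added worked example (not code from the Malwarebytes page or from FRST), the PowerShell below triages an FRST.txt log against the patterns in the two IOC lists above: random hexadecimal service names, random-named executables in the Windows or SysWOW64 directory, dropped .TMP files in Windows\Temp, Run values pointing into AppData\Roaming, random .LNK files in the Startup folder, and the executable names the page lists. The sample log lines are constructed for this example in a simplified FRST-like layout; the rules and the Find-EmotetIoc function are this example's own, and their output is a list of lines for an analyst to review, not a verdict.

```powershell
# Added example, not from the Malwarebytes page: triage an FRST.txt log for
# the Emotet persistence patterns listed above. Rules are heuristics meant to
# surface lines for an analyst, not a verdict. -match is case-insensitive.

# Executable names from the page's filename list, matched literally.
$KnownNames = 'servicedcom.exe', 'servernv.exe', 'PlayingonaHash.exe', 'certapp.exe',
              'CleanToast.exe', 'CciAllow.exe', 'RulerRuler.exe', 'connectmrm.exe'
$KnownPattern = '\\(' + (($KnownNames | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')\b'

# One regex per IOC family. Patterns are single-quoted so backslashes reach
# the regex engine as written (\\ is one literal backslash).
# Rule 2 insists on a digit in the name (12345678.exe, NUMB3R2ANDL3373RS.exe);
# legitimate names such as rundll32.exe can still appear and are filtered
# below on the publisher field that FRST prints.
$Rules = @(
    @{ Ioc = 'service with random hexadecimal name'
       Pattern = '(\\Services\\|^[RS]\d\s+)[0-9A-F]{6,8}(?![0-9A-Z])' }
    @{ Ioc = 'random-named exe in Windows or SysWOW64'
       Pattern = 'C:\\Windows\\(SysWOW64\\)?(?=[A-Z]*\d)[A-Z0-9]{6,}\.exe' }
    @{ Ioc = 'dropped .tmp in Windows\Temp'
       Pattern = 'C:\\Windows\\Temp\\[0-9A-F]{4,}\.tmp' }
    @{ Ioc = 'Run value pointing into AppData\Roaming'
       Pattern = '\\Run\b.*\\AppData\\Roaming\\[^\\]+\\[^\\]+\.exe' }
    @{ Ioc = 'random .lnk in Startup folder'
       Pattern = '\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk' }
    @{ Ioc = 'filename seen in Emotet samples'
       Pattern = $KnownPattern }
)

function Find-EmotetIoc {
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($Line in $Lines) {
        # FRST prints the publisher in parentheses (compare "(Gornyk)" in the
        # list above); skip Microsoft-published binaries to cut triage noise.
        if ($Line -match '\(Microsoft Corporation\)') { continue }
        foreach ($Rule in $Rules) {
            if ($Line -match $Rule.Pattern) {
                [pscustomobject]@{ Ioc = $Rule.Ioc; Match = $Matches[0]; Line = $Line.Trim() }
            }
        }
    }
}

# Constructed sample log in an FRST-like layout (not a real FRST.txt).
$SampleLog = @'
R2 1A345B7; C:\Windows\SysWOW64\servicedcom.exe [224768 2018-03-02] (Gornyk)
R2 AudioSrv; C:\Windows\System32\svchost.exe [42400 2017-09-29] (Microsoft Corporation)
HKLM\...\Run: [SecurityHealth] => C:\Windows\system32\SecurityHealthSystray.exe (Microsoft Corporation)
HKU\S-1-5-21-...\...\Run: [windowsupd] => C:\Users\admin\AppData\Roaming\bz9q2k\certapp.exe [229376 2018-03-02] ()
HKLM\SYSTEM\CurrentControlSet\Services\12C4567D
C:\Windows\12345678.exe [229376 2018-03-02] ()
C:\Windows\Temp\1A2B.tmp
Startup: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kx4r7s.lnk
R2 Spooler; C:\Windows\System32\spoolsv.exe [787968 2017-09-29] (Microsoft Corporation)
'@ -split "`r?`n"

# On a real log: Find-EmotetIoc -Lines (Get-Content -Path 'C:\FRST\FRST.txt')
Find-EmotetIoc -Lines $SampleLog | Format-Table -Property Ioc, Match -AutoSize
```

Against the constructed sample this reports eight hits over six lines: the service line and the Services key (rule 1), the executable in the Windows root (rule 2), the .tmp (rule 3), the Run value and the Startup shortcut (rules 4 and 5), and the two known names servicedcom.exe and certapp.exe (rule 6); the three Microsoft-published lines are skipped. Pipe the output through Group-Object Ioc when triaging many endpoints, and treat a hit on rule 1, 4 or 5 as the strongest signal, since those match the persistence mechanisms rather than a filename.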

Filename examples

PlayingonaHash.exe
certapp.exe
CleanToast.exe
CciAllow.exe
RulerRuler.exe
connectmrm.exe

Strings (the following paths are not present in every sample)

C:\email.doc
C:\123\email.doc
C:\123\email.docx
C:\a\foobar.bmp
X:\Symbols\a
C:\loaddll.exe
C:\email.htm
C:\take_screenshot.ps1
C:\a\foobar.gif
C:\a\foobar.doc

Subject Filters:

“UPS Ship Notification, Tracking Number”
“UPS Express Domestic”
“Tracking Number *”

A legitimate UPS tracking number is eighteen alphanumeric characters long, starts with ‘1Z’ and ends with a check digit; a subject line that quotes a “tracking number” of any other shape is a useful filter.
