Following efforts by law enforcement agencies worldwide to shut its operations down around early last year, Emotet came back online on Nov. 15, 2021, with only the subtlest of makeovers. It didn’t take long before this threat group was back up to its usual shenanigans of spamming victims, using malicious Microsoft® Word documents and links to infect users.
How Emotet and Trickbot Work Together
Since its reappearance, the notorious Emotet malware has been observed being dropped by the Trickbot malware family, in an apparent effort to reconstitute Emotet’s botnet base.
This isn’t the first time the two malware families have been seen colluding. Previously, Emotet was observed installing Trickbot on infected machines. It now would appear that Emotet has turned to its established business partner Trickbot for assistance in gaining back some of what was lost in the police action that dismantled Emotet’s global botnet network.
To see how BlackBerry prevents Emotet attacks from occurring, check out the following video, and watch BlackBerry go head-to-head with a live sample of Emotet.
Why is Emotet Important and Why Should I Be Concerned?
The Emotet group has historically used a combination of malicious Office documents and URLs in its email campaigns to infect its victims. This gives it a wide reach in the business world, as it can easily infect users who regularly use these kinds of documents in their day-to-day work life. Since its return, not much has changed in the threat group’s use of these types of documents to spread chaos, as using spiked Office documents is still an easy and effective attack technique.
While there haven’t been any significant changes to the malware, or to the techniques it uses to infect new machines, it’s likely Emotet is now setting the stage for future actions. Based on that assumption, the threat actors behind Emotet will likely spend the coming months focused on reestablishing the malware, and growing by collecting infected machines to use for further spam campaigns.
It’s also entirely possible that future steps in Emotet’s onward march could include deploying ransomware or other malware families to the infected machines under its control.
Demo Video: BlackBerry Stops Emotet
The video above demonstrates the different countermeasures that BlackBerry® Cyber Suite provides to protect your environment against the newest version of the Emotet Trojan.
The Emotet group uses a combination of malicious Office documents and URLs to infect its victims. As an example for our demo video, we have a sample of a malicious Emotet document.
Figure 1: Malicious Emotet document sample, with BlackBerry Optics set to “Audit Only” mode
We have configured our machine by setting BlackBerry® Optics to “Audit-Only” mode to allow the Emotet macro to run. In the background, you can see that Emotet executes a heavily obfuscated PowerShell script that, once decoded, iterates through a list of malicious URLs to download the actual Emotet loader.
Figure 2: Emotet malicious payload detected in milliseconds by BlackBerry
Figure 3: BlackBerry Optics alert that a malicious exploit has been found
BlackBerry Optics is able to detect all the steps taken by this threat, from macro execution to the download of the actual loader, along with the encoded PowerShell script. Using “Focus” data from BlackBerry Optics, we can conduct even deeper root-cause analysis on each one of these stages.
Alternatively, we can enable an automated response, so that BlackBerry Optics stops this attack at its first stage.
Figure 4: BlackBerry Optics shows a deep dive into the threat, including actions taken by the threat, and the full event timeline
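The chain described above (Office macro, encoded PowerShell, a list of download URLs) can also be hunted for in generic process-creation telemetry. The following is an added example, not BlackBerry's code or detection logic; the event field names (`host`, `parent`, `image`, `cmdline`), the sample events and the `example.invalid` URLs are constructed for illustration.

```python
import base64
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# PowerShell accepts -EncodedCommand, any unambiguous prefix of it (-e, -enc, ...) and -ec.
ENC_FLAG = re.compile(r"(?:^|\s)[-/](e[a-z]*)\s+([A-Za-z0-9+/=]{16,})", re.I)
URL = re.compile(r"https?://[^\s'\"`,;)]+", re.I)

def basename(path):
    return re.split(r"[\\/]", path)[-1].lower()

def decode_encoded_command(cmdline):
    """Return the decoded script if cmdline carries an encoded command, else None."""
    for m in ENC_FLAG.finditer(cmdline):
        flag = m.group(1).lower()
        if flag == "ec" or "encodedcommand".startswith(flag):
            try:  # the payload is base64 over UTF-16LE text
                return base64.b64decode(m.group(2), validate=True).decode("utf-16-le")
            except ValueError:  # bad base64 or bad UTF-16
                return None
    return None

def triage(events):
    """Flag PowerShell started by an Office application and pull URLs from its script."""
    findings = []
    for ev in events:
        if basename(ev["image"]) not in POWERSHELL or basename(ev["parent"]) not in OFFICE_PARENTS:
            continue
        script = decode_encoded_command(ev["cmdline"])
        findings.append({
            "host": ev["host"], "parent": basename(ev["parent"]),
            "encoded": script is not None,
            "urls": URL.findall(script or ev["cmdline"]),
        })
    return findings

# Constructed sample data: a harmless string standing in for the decoded script.
SAMPLE_SCRIPT = "$urls='http://one.example.invalid/a,http://two.example.invalid/b'.Split(',')"
SAMPLE_B64 = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"host": "ws-01", "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -NoProfile -enc {SAMPLE_B64}"},
    {"host": "ws-02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
]
```

Running `triage(SAMPLE_EVENTS)` flags only the Word-spawned process and returns the two URLs recovered from its decoded command, which can then be checked against proxy or DNS logs.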
In addition to this, BlackBerry® Gateway can identify all of Emotet’s command-and-control (C2) communication attempts, and effectively prevent the malicious loader from being downloaded.
Figure 5: BlackBerry Gateway prevents Emotet's C2 communication
And last but not least, BlackBerry® Protect can prevent this attack in milliseconds, using either memory protection or script control to block the malware from executing in real time, so your endpoints and infrastructure stay Emotet-free.
Figure 6: BlackBerry Protect blocking Emotet in real time, pre-execution.
Our Prevention-First Philosophy
At BlackBerry, we take a prevention-first and AI-driven approach to cybersecurity. Putting prevention first neutralizes malware before the exploitation stage of the kill chain.
By stopping malware at this stage, BlackBerry solutions help organizations increase their resilience. This also helps to streamline security management, ensuring your business, people, and endpoints stay secure.
Prevention is possible, with BlackBerry.
About Hector Diaz
Senior Technical Marketing Manager at BlackBerry
Hector Diaz is a Senior Technical Marketing Manager for Latin America and the Caribbean at BlackBerry. Hector works with Engineering and Product Management to translate technology concepts into digestible pieces, evangelizing and educating people about Artificial Intelligence (AI) applied to cybersecurity.
With over 15 years of experience in cybersecurity, Hector is a respected professional who is in demand at trade shows, partner training and customer engagements across Latin America and the Caribbean region.
About The BlackBerry Research and Intelligence Team
The BlackBerry Research and Intelligence team is a highly experienced threat research group specializing in a wide range of cybersecurity disciplines, conducting continuous threat hunting to provide comprehensive insights into emerging threats. We analyze and address various attack vectors, leveraging our deep expertise in the cyberthreat landscape to develop proactive strategies that safeguard against adversaries.
Whether it's identifying new vulnerabilities or staying ahead of sophisticated attack tactics, we are dedicated to securing your digital assets with cutting-edge research and innovative solutions.