Protect your network from Emotet Trojan with Malwarebytes Endpoint Security

Document created by asmith (Employee) on Dec 22, 2017. Last modified by jyamada on Jan 23, 2019.

Emotet is a banking Trojan that steals data by eavesdropping on your network traffic. Its goal is to steal user credentials. Emotet is commonly spread by email, both as infected attachments and as embedded URLs in the email that download the Trojan.

Due to the way Emotet spreads through your network, any infected machine on the network will re-infect previously cleaned machines as soon as they rejoin the network.

Image of Emotet Network Infection Overview.

Malwarebytes products help to protect you from Emotet.

If you have Malwarebytes Endpoint Protection or Malwarebytes Endpoint Security installed on all endpoints/machines that are connected to your network, you are protected.

If a protected endpoint encounters one of the following real-time protection notifications, it may be an indication that there is an infected machine on your network.

Image of Malwarebytes real-time protection notifications.

You will need to:

  • Change account credentials
  • Detect infected Emotet machines
  • Patch for Eternal Blue exploit
  • Disable Administrative Shares
  • Schedule scans
  • Remove the Emotet infection

Change account credentials

It is essential to change the credentials of all user accounts on infected machines to stop propagation. If you have an Active Directory (AD) domain, change the domain account credentials as well as all local administrator account credentials, and do so from a known clean computer. Emotet cannot propagate without an admin password.

Detect infected Emotet machines

If you have unprotected endpoints/machines, you can run the Farbar Recovery Scan Tool (FRST) to look for possible Indicators of Compromise (IOCs). Besides confirming an infection, FRST can be used to verify removal before bringing an endpoint/machine back onto the network. Refer to the following article for details on how to install and run an FRST scan: Farbar Recovery Scan Tool instructions.

Search the FRST.txt file for the following Indicators of Compromise:

  • HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\1A345B7
  • HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\12C4567D
  • (Gornyk) C:\Windows\SysWOW64\servicedcom.exe
  • C:\WINDOWS\12345678.EXE
  • C:\WINDOWS\SYSWOW64\SERVERNV.EXE
  • C:\WINDOWS\SYSWOW64\NUMB3R2ANDL3373RS.EXE
  • C:\WINDOWS\TEMP\1A2B.TMP

In the IOC examples shown above, the randomly generated service and file names (highlighted in blue in the original article) stand for random numbers and letters that Emotet generates to disguise itself from anti-virus programs that rely on signature-based detection.
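
Because the names are random, an exact-string search of FRST.txt is not enough. The following PowerShell script is an added example and is not part of the Malwarebytes article: it narrows the log to lines that match the shape of the IOCs listed above (a service key or an executable in C:\Windows, SysWOW64 or Windows\Temp with a short alphanumeric name), drops a few known-good names, and scores each hit so an analyst can review the strongest ones first. The default path in $FrstPath, the $KnownGood allowlist and the $SampleLines entries are constructed for illustration; when a real FRST.txt exists at the given path it is read instead.

```powershell
# Added example (not from the Malwarebytes article): triage an FRST.txt log for
# lines shaped like the Emotet IOCs. Because the names are random, we match the
# location plus a short alphanumeric name instead of exact strings, then score
# each hit. $FrstPath's default and $SampleLines are constructed for illustration.
param([string]$FrstPath = 'C:\FRST\FRST.txt')   # hypothetical default location

# IOC shapes distilled from the article's list. RequireDigit is a heuristic: both
# service-name examples in the article contain digits, while file names such as
# servicedcom.exe do not, so service keys are held to the stricter rule.
$IocShapes = @(
    @{ Kind = 'Service key, random name'; RequireDigit = $true
       Regex = 'HKLM\\SYSTEM\\CURRENTCONTROLSET\\SERVICES\\(?<name>[A-Z0-9]{4,20})(\\|\s|$)' }
    @{ Kind = 'EXE in C:\Windows root';   RequireDigit = $false
       Regex = 'C:\\WINDOWS\\(?<name>[A-Z0-9]{4,20})\.EXE\b' }
    @{ Kind = 'EXE in SysWOW64';          RequireDigit = $false
       Regex = 'C:\\WINDOWS\\SYSWOW64\\(?<name>[A-Z0-9]{4,20})\.EXE\b' }
    @{ Kind = 'TMP in Windows\Temp';      RequireDigit = $false
       Regex = 'C:\\WINDOWS\\TEMP\\(?<name>[A-Z0-9]{4,20})\.TMP\b' }
)

# Legitimate names that sit in those locations. A starting point only; extend it
# from a known-clean reference machine, not from the suspect host.
$KnownGood = @('explorer', 'notepad', 'regedit', 'write', 'splwow64', 'winhlp32', 'bfsvc', 'HelpPane')

function Find-EmotetIoc {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        foreach ($shape in $IocShapes) {
            $m = [regex]::Match($line, $shape.Regex, 'IgnoreCase')
            if (-not $m.Success) { continue }
            $name = $m.Groups['name'].Value
            if ($KnownGood -contains $name) { continue }       # -contains is case-insensitive
            $hasDigit  = $name -match '\d'
            $hasLetter = $name -match '[A-Za-z]'
            if ($shape.RequireDigit -and -not $hasDigit) { continue }
            # Mixed digits and letters is the article's typical pattern; all-letter
            # names (e.g. SERVERNV) still deserve a look but are less specific.
            $confidence = if ($hasDigit -and $hasLetter) { 'high' } elseif ($hasDigit) { 'medium' } else { 'review' }
            [pscustomobject]@{ Confidence = $confidence; Kind = $shape.Kind; Name = $name; Line = $line.Trim() }
        }
    }
}

# Constructed sample in the article's IOC notation; used only when no log exists.
$SampleLines = @(
    'HKLM\SYSTEM\CurrentControlSet\Services\1A345B7'
    'HKLM\SYSTEM\CurrentControlSet\Services\Dhcp'
    'C:\Windows\12345678.exe'
    'C:\Windows\explorer.exe'
    'C:\Windows\SysWOW64\NUMB3R2ANDL3373RS.exe'
    'C:\Windows\SysWOW64\servicedcom.exe'
    'C:\Windows\Temp\1A2B.tmp'
)

$lines = if (Test-Path -LiteralPath $FrstPath) { Get-Content -LiteralPath $FrstPath } else { $SampleLines }
# 'high' < 'medium' < 'review' alphabetically, so the sort puts the strongest hits first.
Find-EmotetIoc -Lines $lines | Sort-Object Confidence, Kind | Format-Table -AutoSize
```

On the constructed sample this reports 1A345B7, NUMB3R2ANDL3373RS and 1A2B as high, 12345678 as medium and servicedcom as review, while Dhcp and explorer are dropped. Treat the output as a shortlist, not a verdict: confirm each hit against the file's signature, creation time and the service's binary path in the same log before acting on it.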

Patch for Eternal Blue exploit

Emotet relies on the Eternal Blue vulnerability in order to attack and infect endpoints. Refer to the Microsoft article Microsoft Security Bulletin MS17-010 - Critical for how to install the patches that close the Eternal Blue vulnerability on your machines.

Disable Administrative Shares

By default, Windows creates hidden administrative share folders specifically for administrative access to other machines. The Admin$ shares are used by the Emotet worm once it has brute forced the local administrator password. A file share server also has an IPC$ share that Emotet queries to get a list of all endpoints that connect to it. These Admin$ shares are normally protected by UAC; however, Windows lets the local administrator through with no prompt. The most recently seen Emotet variants then use C$ with the admin credentials to move around and re-infect all the other endpoints.

Repeated reinfections are an indication that the worm was able to guess or brute force the administrator password. Change all local and domain administrator passwords; see the guidance in the Additional Information section at the bottom of this article.

It is recommended to disable these Admin$ shares via the registry, as discussed here. If you do not see this registry key, it can be added manually and set to disabled.
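
The registry change this section refers to, written out as an added PowerShell example that is not part of the article: it sets the AutoShareWks and AutoShareServer values under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters to 0 (these are Windows' own value names; the article's link to them did not survive), restarts the Server service so the existing ADMIN$ and drive shares are dropped, and then lists which special shares remain. It assumes an elevated session on Windows 8/Server 2012 or later, where Get-SmbShare is available.

```powershell
# Added example, not from the Malwarebytes article: disable the automatic
# administrative shares (ADMIN$, C$, D$ ...) through the registry, restart the
# Server service so the change takes effect, and report what is still shared.
# Run in an elevated PowerShell session on the endpoint.
$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Disable-AdminShares {
    # AutoShareWks is honoured on client SKUs and AutoShareServer on server SKUs.
    # Setting both to 0 avoids having to detect the SKU first.
    foreach ($name in 'AutoShareWks', 'AutoShareServer') {
        # New-ItemProperty -Force creates the value if it is absent (the article
        # notes the key may be missing) and overwrites it if it exists.
        New-ItemProperty -Path $LanmanParams -Name $name -PropertyType DWord -Value 0 -Force | Out-Null
    }
    # Shares already created persist until the Server service restarts.
    Restart-Service -Name LanmanServer -Force
}

function Get-AdminShareStatus {
    $props = Get-ItemProperty -Path $LanmanParams
    [pscustomobject]@{
        AutoShareWks    = $props.AutoShareWks
        AutoShareServer = $props.AutoShareServer
        # IPC$ is always present and is not controlled by these values; the
        # drive shares and ADMIN$ are the ones that should be gone.
        AdminSharesLeft = (Get-SmbShare | Where-Object { $_.Special -and $_.Name -ne 'IPC$' }).Name
    }
}

Disable-AdminShares
Get-AdminShareStatus
```

IPC$ will still be listed afterwards; it is created unconditionally and only the drive and ADMIN$ shares are affected. Any management tool that pushes installers or scripts over ADMIN$ will stop working on that endpoint until the shares are re-enabled, so plan this change as part of the outbreak clean-up and test it before rolling it out broadly.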

Schedule Scans

We recommend creating a scheduled scan in your management console that runs at least 4 times per day when dealing with an outbreak of Emotet. This ensures that we can keep track of the scan history. The objective is not only to detect and remove, but also to obtain scans with 0 results afterwards, confirming that the worm is not propagating back onto your endpoints.

Remove Emotet infection with Malwarebytes Endpoint Security

You can use Malwarebytes Anti-Malware v1.80, which is included in your Malwarebytes Endpoint Security deployment, to scan for and remove Emotet.

Option 1

  1. Remove the infected endpoint from the network.
  2. On the infected machine, right-click the system tray icon and click Start Scanner.
  3. Select Perform full scan.
  4. Click the Scan button.

Option 2

  1. Open CMD.
  2. CD to C:\Program Files (x86)\Malwarebytes' Anti-Malware
  3. Run mbamapi /scan -full -remove -reboot

It is recommended to follow the Anti-Malware scan with an Anti-Rootkit tool scan. 

  1. From a safe computer, download the Anti-Rootkit tool. For detailed instructions, refer to the KB article How do I use Malwarebytes Anti-Rootkit?
  2. Once Anti-Rootkit is updated (steps 1-4 of that article), copy it to a flash drive.
  3. Go to an infected machine which has been scanned/cleaned with Anti-Malware and is still off the network.
  4. Copy the Anti-Rootkit files from the flash drive to the machine.
  5. Turn off Anti-Malware: right-click the Anti-Malware system tray icon and select Exit.
  6. Run the Anti-Rootkit program to scan for threats. Refer to steps 5-12 of How do I use Malwarebytes Anti-Rootkit? for instructions.

Additional Information
