Emotet is a long-established piece of malware that was originally developed as a banking Trojan. Since its inception, it has expanded its core targets beyond financial institutions to enterprises, SMEs, government organisations and agencies, and private individuals. Emotet has become so adept at bypassing detection technology that it is now widely used by ransomware groups as “malware as a service”. In late 2022, Emotet emerged from a four-month hiatus with a whole new campaign.
What you need to know
Forcepoint blogged about Emotet back in 2018, and since then the core method of infection hasn’t changed much. Emotet relies upon loose or unconfigured macro policies within organisations to allow its macros to run.
Back in 2018, the attack vector was a Word 97 .DOC file that launched a macro, which in turn launched a PowerShell script, which finally launched a shell payload.
Over the course of the next four years, the core attack vector of Emotet hasn’t changed much. Emotet in late 2022 still uses macros as its central infiltration mechanism, but thanks to some enhanced security features it now relies upon social engineering to coerce the user into moving the document into a trusted folder, where its macros can then be executed.
By moving a file to a trusted location, the user bypasses every macro-related policy that has been configured. So whilst this attack involves more social engineering, the attack vector creates a huge problem for enterprises. Most organisations have a mature macro policy: either macros are disabled on all documents or they are only enabled for a subset of users. However, many of these organisations do not know about trusted locations at all, or if they do, they do not understand the potential implications of leaving the trusted locations policy at its default.
So, what can be done about it?
The obvious answer for immediate protection would be to configure a trusted locations policy, whether that is a limited set of locations that employees cannot change or disabling trusted locations completely. However, this does not solve the underlying issue: as the longevity of the Emotet Trojan shows, macros are a huge attack vector for any organisation. Rather than configuring policy and waiting for the next bypass or attack vector to come along, look for a permanent solution that simply cleans all documents as they enter the organisation.
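To see whether the default trusted locations policy described above is exposing your users, the following PowerShell audit (an added example, not code from the Forcepoint post) enumerates the Trusted Locations registry keys for Word, Excel and PowerPoint, flags any location a standard user can write to, and reports whether Group Policy has switched trusted locations off. It assumes Office 2016/2019/365, whose registry version key is 16.0.

```powershell
# Added example: audit Office Trusted Locations for the current user.
# Assumes Office 2016/2019/365 (registry version key 16.0); adjust $OfficeVersion for older builds.
$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'

function Get-TrustedLocationAudit {
    foreach ($app in $Apps) {
        $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security\Trusted Locations"
        $userKey   = "HKCU:\Software\Microsoft\Office\$OfficeVersion\$app\Security\Trusted Locations"

        # AllLocationsDisabled = 1 under the Policies hive means trusted locations are switched off by GPO.
        $disabledByPolicy = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).AllLocationsDisabled -eq 1

        foreach ($key in @($policyKey, $userKey)) {
            if (-not (Test-Path $key)) { continue }
            Get-ChildItem -Path $key | ForEach-Object {
                $loc = Get-ItemProperty -Path $_.PSPath
                if (-not $loc.Path) { return }          # skip sub-keys that are not Location entries
                $path = [Environment]::ExpandEnvironmentVariables($loc.Path)

                # A user-writable trusted location is exactly what the "move the file here" lure relies on.
                $writable = $false
                if (Test-Path $path) {
                    try {
                        $probe = Join-Path $path ([IO.Path]::GetRandomFileName())
                        [IO.File]::WriteAllText($probe, '')
                        Remove-Item $probe -Force
                        $writable = $true
                    } catch { $writable = $false }
                }
                [PSCustomObject]@{
                    App              = $app
                    Source           = if ($key -eq $policyKey) { 'Policy' } else { 'User' }
                    Path             = $path
                    AllowSubfolders  = [bool]$loc.AllowSubfolders
                    UserWritable     = $writable
                    DisabledByPolicy = $disabledByPolicy
                }
            }
        }
    }
}

# Report every location a standard user could drop a document into while trusted locations are still active.
Get-TrustedLocationAudit |
    Where-Object { $_.UserWritable -and -not $_.DisabledByPolicy } |
    Format-Table -AutoSize
```

The "disabled completely" option above corresponds to setting AllLocationsDisabled to 1 under the Policies key via Group Policy; the "limited location" option corresponds to defining locations only under that key, which end users cannot edit through the Trust Center.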
Forcepoint’s Zero Trust CDR can plug in to the email flow and clean documents to make sure that no document contains macros or any other document-based malware, whilst still ensuring that “power users” who may need to receive those macros can do so. Forcepoint's Zero Trust CDR ensures perfect security whilst not compromising on user experience.
Read our whitepaper on the Zero Trust CDR for Mail solution for more.