Latest Emotet surge
In September, Emotet staged another big comeback fuelled, in part, by new propagation methods implemented in the newest variants. It can now also spread through networks by brute forcing Active Directory domain accounts with a dictionary attack and by using the EternalBlue exploit / DoublePulsar backdoor combo.
Other improvements meant to keep its existence secret once it compromises an endpoint include encrypted C&C communication, a new C&C communication protocol, and code obfuscation.
Finally, the most recent variants (Oct-Nov 2017) are highly effective at bypassing anti-virus products and hiding from sandboxes.
How to stop Emotet malware
The malware looks for sandbox-related user and host names such as “TEQUILABOOMBOOM,” “Wilbert,” “admin,” “KLONE_X64-PC,” “BEA-CHI,” etc., and if it discovers any of them it avoids running.
It also looks for two clusters of sandbox-related files on the system:
- Files under the folder “C:\a”
- Files under “C:\123” and “C:\”
“If Emotet finds all three files of the first cluster or all four files from the second cluster, it will stop its execution to avoid being analyzed within the corresponding sandbox,” the Minerva Labs Research Team found.
Spurred by this discovery, the team wanted to test whether creating files with those names can “immunize” endpoints against an Emotet infection.
And, apparently, it can. Creating the first three, the second four, or all seven of the files mentioned above is enough to ensure that these latest Emotet variants will steer clear of your system.
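As an added illustration (not code from the article or from Minerva Labs), the following PowerShell script plants the decoy files and then verifies that at least one cluster is complete. The article does not give the file names, so the entries below are placeholders to be replaced with the names from the Minerva Labs report, and the split of the second cluster between C:\123 and C:\ is an assumption.

```powershell
# Added example, not from the article or Minerva Labs. Run from an elevated
# prompt (it writes to the root of C:\). PLACEHOLDER names must be replaced
# with the real file names from the Minerva Labs report before use.
$cluster1 = @('C:\a\PLACEHOLDER-1', 'C:\a\PLACEHOLDER-2', 'C:\a\PLACEHOLDER-3')
# Assumption: three of the four second-cluster files live under C:\123 and
# one directly under C:\ ; use the report's actual paths.
$cluster2 = @('C:\123\PLACEHOLDER-4', 'C:\123\PLACEHOLDER-5',
              'C:\123\PLACEHOLDER-6', 'C:\PLACEHOLDER-7')

foreach ($path in ($cluster1 + $cluster2)) {
    $dir = Split-Path -Parent $path
    if (-not (Test-Path -LiteralPath $dir)) {
        New-Item -ItemType Directory -Path $dir | Out-Null
    }
    if (-not (Test-Path -LiteralPath $path)) {
        New-Item -ItemType File -Path $path | Out-Null
    }
    # Hide the decoy and make it read-only so it is not removed by accident.
    $item = Get-Item -LiteralPath $path -Force
    $item.Attributes = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::ReadOnly
    # Deny Delete to Everyone so a process running as a standard user cannot
    # simply remove the marker; administrators can still take ownership.
    $acl  = Get-Acl -LiteralPath $path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                'Everyone', 'Delete', 'Deny')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $path -AclObject $acl
}

# Report whether the endpoint satisfies the check described in the article:
# all three files of cluster one OR all four files of cluster two present.
function Test-EmotetVaccine {
    $c1 = @($cluster1 | Where-Object { Test-Path -LiteralPath $_ }).Count -eq $cluster1.Count
    $c2 = @($cluster2 | Where-Object { Test-Path -LiteralPath $_ }).Count -eq $cluster2.Count
    [pscustomobject]@{
        Cluster1Complete = $c1
        Cluster2Complete = $c2
        Vaccinated       = ($c1 -or $c2)
    }
}

Test-EmotetVaccine
```

The markers only affect the variants that perform this particular check, so treat them as a cheap complement to mail filtering, macro restrictions and endpoint monitoring rather than a replacement, and re-verify after each new Emotet wave.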