Republic of the Philippines
National Police Commission
PHILIPPINE NATIONAL POLICE
Camp BGen Rafael T Crame, Quezon City
ACG-CYBER SECURITY BULLETIN NR 148: UNDERSTANDING THE RISK OF EMOTET MALWARE
Reference Number: ACG-CSB 112018148
The following information was obtained from different cyber security sources for notification to all parties concerned pursuant to the mandate of the Philippine National Police Anti-Cybercrime Group (PNP ACG) and classified as “Restricted” pursuant to the PNP Regulation 200-012 on Document Security and Impact Rating as high based on PNP Information Communication Technology (ICT) Security
Emotet is an advanced banking trojan malware program which obtains financial information by injecting computer code into the networking stack of an infected computer, allowing sensitive data to be stolen while in transit. This malware also inserts itself into software modules which are then able to steal address book data and perform denial of service attacks on other systems.
Emotet has evolved in its delivery; however, the most prominent form has been inserting malicious documents or Uniform Resource Locator (URL) links inside the body of an email, sometimes disguised as an invoice or PDF attachment.
Once Emotet has infected a host, a malicious file that is part of the malware is able to intercept, log, and save outgoing network traffic from a web browser. The sensitive data compiled in this way provides access to the victim's bank account(s).
Another component of the file downloaded by Emotet on infected systems is a Dynamic-Link Library (DLL) file that is responsible for intercepting and stealing outgoing network traffic. The component injects itself into all processes, including Web browsers in order to compare accessed websites against the list of organizations contained in the configuration file. When a match is found, the entire content of the website, including the data entered by the victim on it, is intercepted and saved.
The stolen data are encrypted and placed in a registry entry, while component files are placed in separate registry entries.
It is recommended to schedule regular scans of workstations from the management console, which also preserves the scan history for tracking. The objective is not only to detect and remove the malware, but also to reach zero results on subsequent scans and to ensure that Emotet is not propagating back onto the endpoints.
All PNP personnel as well as the public are advised to follow the tips in order to avoid the risk of Emotet Malware, to wit:
- Use antivirus programs, with automatic updates of signatures and software, on clients and servers;
- Implement filters at the email gateway to filter out emails with known malspam indicators, such as known malicious subject lines, and block suspicious IP addresses at the firewall;
- Mark external emails with a banner denoting it is from an external source. This will assist users in detecting spoofed emails;
- Consider blocking file attachments that are commonly associated with malware, such as .dll and .exe, and attachments that are not scanned by antivirus software, such as .zip files; and
- Apply appropriate patches and updates immediately.
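The following is an added example, not code from the PNP ACG bulletin, showing how three of the email-gateway recommendations above can be implemented as a policy check on a raw RFC 5322 message: matching the subject against known malspam indicators, blocking attachment types that are commonly malicious or that antivirus cannot scan, and adding an external-sender banner. The internal domain, the indicator lists and the sample messages are all constructed for illustration and are not taken from the bulletin.

```python
"""
Added example (not part of the PNP ACG bulletin): a minimal mail-gateway
policy check covering malspam subject indicators, risky attachment types
and an external-sender banner.  Domain, indicator lists and sample
messages are constructed for illustration.
"""
import email
import os
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Hypothetical values for illustration (not from the bulletin).
INTERNAL_DOMAIN = "example.gov.ph"
MALSPAM_SUBJECT_INDICATORS = ("invoice", "payment remittance", "your document")
BLOCKED_EXTENSIONS = {".exe", ".dll", ".scr", ".js"}   # commonly malicious
UNSCANNED_EXTENSIONS = {".zip", ".rar", ".7z"}          # archives AV may not open
EXTERNAL_BANNER = ("[EXTERNAL] This email came from outside the organisation.\n"
                   "Do not open attachments or links unless you expected them.")


def sender_domain(msg):
    """Domain of the From: address, lower-cased; empty if absent or malformed."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def evaluate(raw):
    """Decide deliver/quarantine for one raw message and explain why."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Recommendation: filter known malspam indicators such as subject lines.
    subject = (msg.get("Subject") or "").lower()
    for indicator in MALSPAM_SUBJECT_INDICATORS:
        if indicator in subject:
            findings.append(f"subject matches malspam indicator '{indicator}'")

    # Recommendation: block attachment types associated with malware and
    # types that antivirus cannot scan.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        if ext in BLOCKED_EXTENSIONS:
            findings.append(f"blocked attachment type {ext}: {name}")
        elif ext in UNSCANNED_EXTENSIONS:
            findings.append(f"attachment type {ext} is not scanned: {name}")

    return {
        "action": "quarantine" if findings else "deliver",
        "external": sender_domain(msg) != INTERNAL_DOMAIN,
        "findings": findings,
    }


def apply_external_banner(raw):
    """Prepend the banner to the text/plain body of external mail;
    internal mail is returned unchanged."""
    msg = email.message_from_string(raw, policy=policy.default)
    if sender_domain(msg) == INTERNAL_DOMAIN:
        return raw
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        body.set_content(EXTERNAL_BANNER + "\n\n" + body.get_content())
    return msg.as_string()


def plain_body(raw):
    """Decoded text/plain body of a raw message (helper for inspection)."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    return body.get_content() if body is not None else ""


def build_sample(sender, subject, body, attachment=None):
    """Construct a sample message (test data, not a real capture)."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = f"staff@{INTERNAL_DOMAIN}"
    m["Subject"] = subject
    m.set_content(body)
    if attachment is not None:
        name, data = attachment
        m.add_attachment(data, maintype="application",
                         subtype="octet-stream", filename=name)
    return m.as_string()


# Constructed samples: one malspam-style message and one ordinary internal one.
MALSPAM_SAMPLE = build_sample(
    "Accounts <accounts@supplier.example>",
    "Invoice 4471 - payment due",
    "Please see the attached invoice.",
    attachment=("invoice_4471.zip", b"PK\x03\x04 constructed placeholder bytes"),
)
INTERNAL_SAMPLE = build_sample(
    f"HR <hr@{INTERNAL_DOMAIN}>", "Team meeting on Friday", "Agenda to follow."
)

if __name__ == "__main__":
    for label, raw in (("malspam", MALSPAM_SAMPLE), ("internal", INTERNAL_SAMPLE)):
        print(label, evaluate(raw))
    print(plain_body(apply_external_banner(MALSPAM_SAMPLE)))
```

The checks are deliberately simple substring and extension matches so that the decision is explainable; in a real gateway the indicator lists would be fed from threat intelligence and the quarantine decision logged alongside the findings so that analysts can review false positives.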
For additional information, please refer to the following websites:
POINT OF CONTACT