This page describes the response status of our security products against the malware "Emotet", which has been widely reported in the media and has been confirmed to have caused damage in Japan. JPCERT/CC has already summarized this malware's attack activity and the points to watch for, so links to its publications are provided below.
We will update this page whenever additional information becomes available.

What is Emotet?

Emotet is malware that has been observed frequently since before 2019. Since the end of November this year, however, there have been many reports of infections in Japan, along with alerts from companies whose names are being impersonated ("spoofed") in the malicious e-mails.

For details, please refer to the following URL of JPCERT/CC.

"Infection activity of malware Emotet"

Emotet attack flow

An Emotet infection proceeds through the following steps:

  (1) An e-mail with an attached file is delivered
  (2) The recipient opens the attached Office document (for example, a Word file)
  (3) The recipient enables macros
  (4) The macro calls WMI*, which in turn launches PowerShell
      *WMI = Windows Management Instrumentation, a standard management interface built into Windows
  (5) PowerShell downloads and runs the Emotet malware
  (6) The terminal is infected with Emotet

*At step (1), an e-mail containing a URL link is sometimes delivered instead of an attachment. In that case, clicking the URL in the message body downloads an Office document such as a Word file, and the flow continues from step (2).
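The macro-to-WMI-to-PowerShell portion of the flow above leaves a characteristic trace in endpoint telemetry: because the macro starts PowerShell through WMI rather than directly, the parent of powershell.exe is WmiPrvSE.exe (the WMI provider host), not WINWORD.EXE. The following Python script is an added example, not code from this page or from any of the vendors listed on it, showing how to flag that chain in process-creation events. The events, field names and the truncated encoded command are constructed to resemble Sysmon Event ID 1 records and are not from a real incident.

```python
"""Flag the Emotet delivery chain (Office macro -> WMI -> PowerShell download)
in process-creation telemetry.

Added example for illustration; the event records, field names and the
encoded command below are constructed, not captured from a real infection.
"""
import re

# Constructed sample events. Fields mirror Sysmon Event ID 1 (ProcessCreate).
EVENTS = [
    {"pid": 4100, "ppid": 900,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent": r"C:\Windows\explorer.exe",
     "cmd": r'"WINWORD.EXE" /n "C:\Users\user\Downloads\invoice.doc"'},
    {"pid": 4212, "ppid": 1020,
     "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "parent": r"C:\Windows\System32\svchost.exe",
     "cmd": r"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding"},
    # The macro used WMI (Win32_Process.Create), so PowerShell's parent is
    # WmiPrvSE.exe, not WINWORD.EXE. The -enc payload is a truncated placeholder.
    {"pid": 4380, "ppid": 4212,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmd": r"powershell -nop -w hidden -enc JABwAD0AJABlAG4AdgA6AHQAZQBtAHAA..."},
    # Benign administrative PowerShell started by a service: must not be flagged.
    {"pid": 5000, "ppid": 1020,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\svchost.exe",
     "cmd": r"powershell -File C:\scripts\inventory.ps1"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Command-line indicators typical of a download cradle or obfuscated launch.
CRADLE_RE = re.compile(
    r"-e(nc|ncodedcommand)?\b|-w(indowstyle)?\s+hidden|downloadfile|downloadstring"
    r"|net\.webclient|invoke-webrequest|\biex\b|invoke-expression|start-bitstransfer",
    re.IGNORECASE,
)


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_office_wmi_powershell(events):
    """Return findings for PowerShell processes that match the macro/WMI chain.

    Severity is 'high' when at least two independent reasons coincide
    (e.g. WMI parent plus cradle indicators), otherwise 'medium'.
    """
    office_seen = any(basename(e["image"]) in OFFICE_APPS for e in events)
    findings = []
    for e in events:
        if basename(e["image"]) not in POWERSHELL:
            continue
        parent = basename(e["parent"])
        if parent not in OFFICE_APPS and parent != "wmiprvse.exe":
            continue  # parent chain gives no reason to look closer
        reasons = []
        if parent == "wmiprvse.exe":
            reasons.append("PowerShell spawned by WMI provider host (WmiPrvSE.exe)")
        else:
            reasons.append("PowerShell spawned directly by an Office application")
        hits = sorted({m.group(0).lower() for m in CRADLE_RE.finditer(e["cmd"])})
        if hits:
            reasons.append("download/obfuscation indicators: " + ", ".join(hits))
        if parent == "wmiprvse.exe" and office_seen:
            reasons.append("an Office process was active on the host")
        findings.append({
            "pid": e["pid"],
            "severity": "high" if len(reasons) >= 2 else "medium",
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in find_office_wmi_powershell(EVENTS):
        print(f"pid {f['pid']} [{f['severity']}]")
        for r in f["reasons"]:
            print("  -", r)
```

A PowerShell process whose parent is WmiPrvSE.exe is not malicious by itself (remote administration and management agents create processes through WMI too), which is why the script only raises severity when the WMI parent coincides with cradle-style arguments or with an Office application being active on the host.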

Emotet is reported to behave as follows after infection:

  • Steals e-mail data and the address book from the infected terminal
  • Spreads laterally by abusing file sharing (SMB), including exploitation of SMB vulnerabilities
  • Downloads and installs additional malware (banking trojans and ransomware have been confirmed in the past)

For detailed information such as observed e-mail samples, please refer to the following JPCERT/CC publications.

"Awareness regarding malware Emotet infection"

"FAQ for Malware Emotet"

Response status of our products and services

The following is based on Emotet samples we obtained and on cases confirmed in customer environments, and is described in terms of each step (1 to 6) of the Emotet attack flow above.

Please note that results may change as new attack techniques emerge.

Support status of our products

Manufacturer / Product name / Response status

CrowdStrike Holdings, Inc. - CrowdStrike Falcon
  • Detects and blocks malicious Word files that launch PowerShell via WMI (Prevention Policy > Suspicious Behavior: Enable)
  • Even if the payload is downloaded, NGAV analyzes it when it is executed and blocks it if it is judged malicious (Prevention Policy > Next-Gen Antivirus: Moderate)

FireEye - FireEye EX, ETP
  • Detects delivery of macro-enabled Word files by e-mail

FireEye - FireEye HX
  • Detects and blocks unauthorized PowerShell activity after macros are enabled

FireEye - FireEye NX
  • Detects and blocks the Emotet download

McAfee - VirusScan Enterprise, Endpoint Security, MVISION Endpoint
  • Blocks the Word file if it can be identified as malicious by signature
  • Blocks the downloaded file if it can be identified as malicious by signature

Menlo Security - Menlo Security Secure Office 365 / Secure G Suite (Email isolation)
  • URL links contained in e-mails are accessed, and attachments opened, in a separate cloud environment, so users view a rendered, harmless version of the content.
    Downloads of files obtained via attachments or URL links can additionally be prohibited outright (view only), or prohibited only when the cloud-side security function judges the file to be malicious.

Broadcom Products (formerly Symantec Enterprise Security) - Symantec Endpoint Protection 14
  • Files containing the downloader can be detected and quarantined when the malicious file is saved to the device
  • Even if the file-level detection above is bypassed, PowerShell fetching files from external hosts can be detected and blocked

Broadcom Products (formerly Symantec Enterprise Security) - Symantec Email Security.cloud
  • Detects and blocks the Word files delivered by e-mail

TeamT5 - ThreatSonar
(Used by the Mpression Cyber Security Service™ Threat Hunting & Incident Response Service)
  • Emotet infection can be detected with YARA rules applied to terminal memory

Support status of services provided by our company

Service / Response status

Mpression Cyber Security Service™
Threat Hunting & Incident Response Service
  • Detects Emotet infection by examining the memory and files of terminals, identifies the extent of the compromise, and reports on appropriate countermeasures.