We would like to inform you about the response status of our security products against the malware "Emotet", which has been reported in the media and has been confirmed to have caused damage in Japan. JPCERT/CC has already summarized this malware's attack activity and the points to be aware of, so a link to that summary is provided.
We will update this page whenever we have additional information.
What is Emotet?
Emotet is malware that has been observed frequently since before 2019. Since the end of November this year, however, there have been many reports of infections in Japan, and warnings have been issued because the e-mails used impersonate ("spoof") legitimate companies.
For details, please refer to the following URL of JPCERT/CC.
Emotet attack flow
An attack proceeds through the following steps up to the point of infection with the malware "Emotet".

1. An e-mail with an attached file is delivered
2. The recipient opens the attached Office document, such as a Word file
3. The recipient allows the macro to be enabled
4. WMI* is executed via the macro, and PowerShell is then launched
5. The Emotet malware is downloaded and executed
6. The terminal is infected with Emotet

*WMI = Windows Management Instrumentation, a standard management facility of the Windows OS

*In step (1), there are cases where an e-mail containing a URL link is delivered instead of an attached file. In this case, clicking the URL in the e-mail text downloads an Office document such as a Word file.
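Steps (3) to (5) leave a characteristic trace in process-creation telemetry: because the macro starts PowerShell through WMI, the parent of powershell.exe is the WMI provider host (WmiPrvSE.exe) rather than the Office application, which defeats a simple "Office spawned PowerShell" rule. The following detection logic is an added example, not code from the original page or from any vendor listed below; the event records are constructed sample data in a Sysmon-like shape, and the field names and time window are assumptions.

```python
"""Flag the Emotet-style launch chain Office macro -> WMI -> PowerShell in
process-creation events (e.g. Sysmon Event ID 1).  PowerShell started via WMI
has WmiPrvSE.exe as its parent, so the rule looks for that parent and then
checks whether an Office application was started on the same host shortly
before, which matches steps (2) to (4) of the attack flow."""
from collections import defaultdict

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
WMI_HOST = "wmiprvse.exe"
SHELLS = {"powershell.exe", "pwsh.exe"}
WINDOW_SEC = 120  # assumed max gap between opening the document and PowerShell start

# Constructed sample events (not real telemetry): host, time, pid, ppid, image
SAMPLE_EVENTS = [
    {"host": "ws01", "t": 100, "pid": 4100, "ppid": 900, "image": r"C:\Windows\explorer.exe"},
    {"host": "ws01", "t": 160, "pid": 4200, "ppid": 4100, "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE"},
    {"host": "ws01", "t": 175, "pid": 4300, "ppid": 700, "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"host": "ws01", "t": 176, "pid": 4400, "ppid": 4300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"host": "ws02", "t": 200, "pid": 5100, "ppid": 5000, "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"host": "ws02", "t": 201, "pid": 5200, "ppid": 5100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]


def basename(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_macro_wmi_powershell(events):
    """Return (host, powershell_pid, office_pid_or_None) for every PowerShell
    whose parent is WmiPrvSE.exe.  office_pid is filled in when an Office
    application started on the same host within WINDOW_SEC beforehand, i.e.
    the full macro -> WMI -> PowerShell chain; None means WMI-launched
    PowerShell without a recent Office process (still worth a look)."""
    by_pid = {(e["host"], e["pid"]): e for e in events}
    office_by_host = defaultdict(list)
    for e in events:
        if basename(e["image"]) in OFFICE:
            office_by_host[e["host"]].append(e)
    hits = []
    for e in sorted(events, key=lambda x: x["t"]):
        if basename(e["image"]) not in SHELLS:
            continue
        parent = by_pid.get((e["host"], e["ppid"]))
        if parent is None or basename(parent["image"]) != WMI_HOST:
            continue
        recent = [o for o in office_by_host[e["host"]] if 0 <= e["t"] - o["t"] <= WINDOW_SEC]
        hits.append((e["host"], e["pid"], recent[-1]["pid"] if recent else None))
    return hits
```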
After infection, Emotet is reported to behave as follows.
- Steals e-mail data and the address book from the infected terminal
- Spreads itself by exploiting file sharing (SMB) vulnerabilities
- Downloads and installs other malware (banking malware and ransomware have been confirmed in the past)
For detailed information such as observed email samples, please refer to the following URL.
Response status of our products and services
The following is based on Emotet samples we obtained and on cases confirmed in customer environments, and is described with reference to each step (1 to 6) of the Emotet attack flow above.
Please note that the results may change as new attack techniques emerge.
Support status of our products
Manufacturer | Product name | Response status |
---|---|---|
CrowdStrike Holdings, Inc. | CrowdStrike Falcon | |
FireEye | FireEye EX, ETP | |
FireEye | FireEye HX | |
FireEye | FireEye NX | |
McAfee | VirusScan Enterprise, Endpoint Security, MVISION Endpoint | |
Menlo Security | Menlo Security Secure Office 365 / Secure G Suite (Email isolation) | |
Broadcom Products (formerly Symantec Enterprise Security) | Symantec Endpoint Protection 14 | |
Broadcom Products (formerly Symantec Enterprise Security) | Symantec Email Security.cloud | |
TeamT5 | TeamT5 ThreatSonar (used by Mpression Cyber Security Service™ Threat Hunting & Incident Response Service) | |
Support status of services provided by our company
Service | Response status |
---|---|
Mpression Cyber Security Service™ Threat Hunting & Incident Response Service | |