Regarding the detection of "Emotet" malware that resumed its activities in March 2023

Change log

March 14, 2023 First edition issued
March 16, 2023 Added the IPA link to the Introduction; added Trellix (formerly FireEye) HX verification results to Part 1; added Part 2 on the OneNote type of Emotet; added Part 3 with example countermeasures other than security products
March 17, 2023 Part 1: for Trellix (formerly McAfee) ENS Threat Prevention (AV) and ENS Adaptive Threat Protection (NGAV), added the verification date and noted that the latest status was being confirmed
March 20, 2023 Revised the Trellix (formerly McAfee) results in Part 1 and the verification results in Part 2; revised the Netskope descriptions in Part 1 and Part 2; added the Trellix (formerly FireEye) NX results to Part 2; added our verification dates for products that could not detect
March 23, 2023 Added Broadcom verification results to Part 1 and Part 2
April 14, 2023 Changed the IPA link URL; corrected and added the Skyhigh Security verification results in Part 1 and Part 2

Introduction

On March 7, 2023, Emotet resumed its activities for the first time in about four months.

Emotet alternates between periods of activity and inactivity, and it is not uncommon for it to change its behavior and attack methods when it resumes. This time, the Office file*1 that is the starting point of infection and the Emotet body*2 that is fetched from outside after the macro runs are both intentionally over 500MB in size.

*1: The attachment on the e-mail is a Zip of less than 1MB, but decompressing it yields an Office file of more than 500MB. Because the Zip is not password-protected, it also bypasses the increasingly common policy of rejecting password-protected Zips.
*2: Likewise, the Emotet body is downloaded to the terminal from an external site as a Zip of less than 1MB, and decompressing it yields an Emotet body of over 500MB.

Security products often cannot scan very large files properly, so this is thought to be a device to avoid detection when e-mail is scanned or when the file is downloaded on the endpoint.

Also, on March 16, 2023, the file that serves as the starting point of Emotet infection changed from conventional Office files such as Word and Excel to OneNote (extension .one). Distribution via OneNote is a technique widely used by attackers these days.

In response to this situation we re-checked the detection status of the products we handle, and share the results in Parts 1 and 2. Part 3 organizes measures that do not rely on the detection capability of security products, so please read it as well.

Part 1. Confirmation of detection status for files over 500MB in our products
Part 2. Confirmation of detection status of the OneNote type in our products
Part 3. About measures other than security products

Please check JPCERT/CC and IPA for information on Emotet's attack methods and the latest trends.
https://www.jpcert.or.jp/at/2022/at220006.html
https://www.ipa.go.jp/security/security-alert/2022/1202.html

Part 1. Confirmation of detection status for files over 500MB in our products

The following is based on Emotet samples we have obtained and on cases confirmed in customer environments, and is described in terms of each step (① to ⑥) of the Emotet attack flow below. Please note that results may change as new attack techniques emerge.

① An e-mail with an attached file is delivered
② The user opens the Office document (such as a Word file) attached to the e-mail
③ The user allows macros to be enabled
④ The Emotet body is downloaded via the macro
⑤ The Emotet body is executed via Regsvr32
⑥ The terminal is infected with Emotet

Manufacturer (alphabetical order) | Product name | Inspection result
Broadcom | Web Security Service | ④ Can be detected and blocked when Emotet is downloaded
CrowdStrike | Falcon | ⑤ The malicious file loading behavior of Regsvr32 started via the macro is detected and blocked
CrowdStrike | Sandbox | The doc file causes an error and cannot be analyzed; the Emotet body itself can be analyzed and detected (our verification results as of March 13)
Island | Island Enterprise Browser | ② If the received attachment is viewed via the browser, it is detected and can be viewed safely
Menlo Security | Mail Isolation | ② Safe viewing of the attachment content and detection are possible
Netskope | Threat Protection | ④ Can be detected and blocked when Emotet is downloaded
Proofpoint | Email Protection | ① Can be detected and blocked based on the decompressed size of the file attached to the e-mail (default setting is 50MB)
TeamT5 | ThreatSonar | ⑥ Infected terminals can be detected by running the scanner
Trellix (formerly FireEye) | EX/ETP | ① Can be detected and blocked when analyzing files attached to e-mails
Trellix (formerly FireEye) | AX/VX/FX | ① Detectable when analyzing files attached to e-mails
Trellix (formerly FireEye) | NX | ④ Can be detected and blocked when Emotet is downloaded
Trellix (formerly FireEye) | HX | ③ Suspicious behavior after macro execution can be detected and blocked; ④ can be detected and blocked when Emotet is downloaded
Trellix (formerly McAfee) | ENS Threat Prevention (AV) | Undetectable (our verification results as of March 10); ② can be detected and blocked when the user opens the attached file (our verification results as of March 17)
Trellix (formerly McAfee) | ENS Adaptive Threat Protection (NGAV) | Undetectable, but if the security level is set to high it can be detected and blocked at ⑤ (our verification results as of March 10); ⑤ execution of the malicious file via Regsvr32 can be detected and blocked (our verification results as of March 17)
Trellix | Trellix EDR | ⑤ The behavior of Regsvr32 launched via the macro loading the malicious file can be detected (our verification results as of March 10)

Verification of assumed scenarios

Previously, the malicious Office file that triggers Emotet infection was sometimes delivered via a URL in the e-mail body instead of as an attachment. This has not been observed since activity resumed on March 7, as of the time of writing, but just in case we also confirmed the detection status for this scenario.

① Downloading a Zip-compressed malicious Office file from a website
② Downloading a malicious Office file of over 500MB that is not Zip-compressed from a website

Manufacturer (alphabetical order) | Product name | Inspection result
Broadcom | Web Security Service | Both ① and ② can be detected and blocked (only when using the Web Isolation function)
Cato Networks | Next Generation Anti-Malware | ① Detectable; ② cannot be detected (our verification results as of March 10)
Menlo Security | Web Isolation | Both ① and ② can be detected
Netskope | Threat Protection | Both ① and ② cannot be detected (our verification results as of March 10); however, it is detected at ④ above
Skyhigh Security | Secure Web Gateway (Cloud) (GAM/ATD) | Both ① and ② cannot be detected (our verification results as of March 10); both ① and ② can be detected and blocked (our verification results as of April 11)
Skyhigh Security | Secure Web Gateway (On-prem) | Both ① and ② can be detected and blocked (our verification results as of April 7)

We also conducted verifications assuming that files received by e-mail, etc. were uploaded to the company's shared storage.

① Uploading a Zip-compressed malicious Office file
② Uploading a malicious Office file of over 500MB that is not Zip-compressed

Manufacturer | Product name | Inspection result
Box | Box Shield | ① Cannot be detected (our verification results as of March 10); ② detectable

Part 2. Confirmation of detection status of the OneNote type in our products

The following is based on the OneNote-type Emotet sample we obtained, and is described in terms of each step (① to ⑥) of the attack flow below. Please note that results may change as new attack techniques emerge.

① An e-mail with a OneNote file attached is delivered
② The user opens the OneNote file and follows the displayed "double-click here" instruction
③ The user presses OK on the warning shown before the script is executed
④ The Emotet body is downloaded via the script
⑤ The Emotet body is executed via Regsvr32
⑥ The terminal is infected with Emotet

Manufacturer (alphabetical order) | Product name | Inspection result
Broadcom | Web Security Service | ④ Can be detected and blocked when Emotet is downloaded
CrowdStrike | Falcon | ④ wscript.exe being started from onenote.exe is detected and blocked as suspicious behavior
CrowdStrike | Sandbox | Undetectable; .one files are not supported (our verification results as of March 16)
Island | Island Enterprise Browser | ② If the received attachment is downloaded via the browser, it is detected and blocked
Menlo Security | Mail Isolation | ② Safe viewing of the attachment content and detection are possible
Netskope | Threat Protection | ④ Can be detected and blocked when Emotet is downloaded
Proofpoint | Email Protection | ① Files attached to e-mails can be detected and blocked (reception can also be rejected by specifying the .one extension)
TeamT5 | ThreatSonar | ⑥ Infected terminals can be detected by running the scanner
Trellix (formerly FireEye) | EX/ETP | ① Files attached to e-mails can be detected and blocked (ETP can also be set to reject reception by specifying the attachment extension .one)
Trellix (formerly FireEye) | AX/VX/FX | ① Detectable when analyzing files attached to e-mails
Trellix (formerly FireEye) | NX | ④ Can be detected and blocked when Emotet is downloaded
Trellix (formerly FireEye) | HX | ④ Suspicious behavior after the script execution warning is accepted can be detected and blocked
Trellix (formerly McAfee) | ENS Threat Prevention (AV) | ④ Suspicious behavior after the script execution warning is accepted can be detected and blocked (our verification results as of March 17)
Trellix (formerly McAfee) | ENS Adaptive Threat Protection (NGAV) | ④ Suspicious behavior after the script execution warning is accepted can be detected and blocked (our verification results as of March 17)
Trellix | Trellix EDR | ④ Suspicious behavior after the script execution warning is accepted can be detected (our verification results as of March 17)

Verification of assumed scenarios

At the time of writing we have not observed OneNote files being delivered via URLs in e-mails, but just in case we also confirmed the detection status for this scenario.

① Downloading a Zip-compressed OneNote file from a website
② Downloading a OneNote file that is not Zip-compressed from a website

Manufacturer (alphabetical order) | Product name | Inspection result
Broadcom | Web Security Service | Both ① and ② can be detected and blocked
Cato Networks | Next Generation Anti-Malware | Both ① and ② cannot be detected (our verification results as of March 16)
Menlo Security | Web Isolation | Both ① and ② can be detected, and the file contents can be viewed safely
Netskope | Threat Protection | Both ① and ② cannot be detected (our verification results as of March 18); however, it is detected at ④ above
Skyhigh Security | Secure Web Gateway (Cloud) (GAM/ATD) | Both ① and ② can be detected and blocked (our verification results as of April 11)
Skyhigh Security | Secure Web Gateway (On-prem) | Both ① and ② can be detected and blocked (our verification results as of April 7)

We also conducted verifications assuming that files received by e-mail, etc. were uploaded to the company's shared storage.

① Uploading a Zip-compressed OneNote file
② Uploading a OneNote file that is not Zip-compressed

Manufacturer | Product name | Inspection result
Box | Box Shield | ① Cannot be detected (our verification results as of March 16); ② detectable

About the results of Part 1 and 2

At the time of this verification, some products could not detect the new samples. Based on these results, we are working with each manufacturer.

Please note that the results may change as new attack techniques emerge. The results above describe verification conducted by our company and do not guarantee permanent detection.

Part 3. About measures other than security products

Emotet continues to spread by changing its methods irregularly, evading detection by security products and exploiting gaps in human psychology. As with some of the products this time, there are cases where a security product cannot detect it immediately after a change of method, although in many cases the manufacturer responds by improving the product. As a reference for the period until such fixes arrive, we have organized examples of countermeasures that do not rely on the detection capability of security products and that are considered effective against past Emotet methods.

Restrictions on receiving password-protected Zips on the mail server side

Although it has not been observed since activity resumed on March 7, 2023, Emotet has often sent malicious files in password-protected Zips to evade detection by e-mail security products. Restricting the reception of password-protected Zips, which many companies have recently adopted, can therefore be expected to have a certain effect.

Besides password-protected Zips, there are other malicious file delivery patterns, such as:
・Attaching the malicious Office file directly to the e-mail instead of inside a password-protected Zip
・Attaching a malicious Office file or malicious shortcut link inside a Zip file that has no password
・Writing a URL in the body of the e-mail instead of attaching a file, and having the malicious file downloaded from there

Other incoming mail limits

Restrictions on password-protected Zips have been introduced by many companies and are becoming a mainstream measure, but with the same idea it is also effective to restrict e-mail reception according to the other methods Emotet uses.
Whether this can be configured depends on the specifications of the e-mail product or e-mail gateway product. With Proofpoint products, for example, you can refuse attachments with a specified extension, refuse Zip files altogether, or restrict reception by specifying the extensions (.lnk, .one, etc.) of the files contained in a Zip.

As is the case with other countermeasures, it is necessary to make judgments regarding the application of such measures in light of the business impact. It is also important to tune accordingly as the Emotet method changes.
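The two gateway checks described so far, rejecting attachments by the size they decompress to (the 500MB padding from the Introduction) and by the extensions of files inside a Zip, can be implemented independently of any vendor. The following is an added example written for this article, not code from the page or from any product listed above. It treats the sizes recorded in the Zip central directory as untrusted (they are attacker-controlled) and inflates each member under a byte cap instead; the 50MB limit, the 100:1 ratio threshold and the extension list are assumptions for the example (the list takes the script and shortcut extensions named later in Part 3 plus .one).

```python
import io
import os
import zipfile
from dataclasses import dataclass, field

# Policy values are assumptions for this example, not settings of any product
# named on the page. 50MB matches the Proofpoint default size limit quoted in Part 1.
DEFAULT_MAX_UNCOMPRESSED = 50 * 1024 * 1024
DEFAULT_MAX_RATIO = 100.0
# Extensions of scripts/shortcuts Emotet has delivered, plus .one itself.
BLOCKED_EXTENSIONS = {".lnk", ".one", ".js", ".exe", ".com", ".cmd", ".scr", ".ps1", ".vbs"}


@dataclass
class ZipVerdict:
    block: bool = False
    reasons: list = field(default_factory=list)


def _inflated_size(zf: zipfile.ZipFile, info: zipfile.ZipInfo, cap: int) -> int:
    """Stream-decompress a member, stopping as soon as more than `cap` bytes come out.
    The sizes in the central directory are attacker-controlled, so the only
    trustworthy measurement is to inflate (up to a bound) and count."""
    total = 0
    with zf.open(info) as member:
        while total <= cap:
            chunk = member.read(1 << 16)
            if not chunk:
                break
            total += len(chunk)
    return total


def inspect_zip_attachment(data: bytes,
                           max_uncompressed: int = DEFAULT_MAX_UNCOMPRESSED,
                           max_ratio: float = DEFAULT_MAX_RATIO) -> ZipVerdict:
    """Decide whether a Zip attachment should be rejected at the mail gateway."""
    verdict = ZipVerdict()
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        verdict.reasons.append("attachment is not a valid Zip archive")
        verdict.block = True
        return verdict

    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = os.path.splitext(name)[1].lower()
            if ext in BLOCKED_EXTENSIONS:
                verdict.reasons.append(f"{name}: blocked extension {ext}")
            # Bit 0 of the general-purpose flag marks an encrypted (password-protected) member.
            if info.flag_bits & 0x1:
                verdict.reasons.append(f"{name}: password-protected member")
                continue  # cannot inflate without the password
            declared_ratio = info.file_size / max(info.compress_size, 1)
            if declared_ratio > max_ratio:
                verdict.reasons.append(f"{name}: declared compression ratio {declared_ratio:.0f}:1")
            if _inflated_size(zf, info, max_uncompressed) > max_uncompressed:
                verdict.reasons.append(f"{name}: inflates beyond {max_uncompressed} bytes")
    verdict.block = bool(verdict.reasons)
    return verdict


def build_sample_zip(member_name: str, size: int) -> bytes:
    """Constructed test input: one member of `size` zero bytes, which compresses
    as aggressively as the padded 500MB Emotet documents do."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, b"\x00" * size)
    return buf.getvalue()


if __name__ == "__main__":
    # A few KB on the wire that inflate to 4MB, checked against a 1MB cap to keep the demo fast.
    sample = build_sample_zip("Invoice_2023-03.doc", 4 * 1024 * 1024)
    print(len(sample), "bytes on the wire")
    print(inspect_zip_attachment(sample, max_uncompressed=1024 * 1024))
    print(inspect_zip_attachment(build_sample_zip("Invoice.one", 64)))
```

The ratio check fires from the headers alone and is cheap; the streaming check is the one that cannot be lied to, because the gateway stops reading the moment the cap is exceeded rather than trusting the declared size. Encrypted members are reported as such without being inflated, which is where a password-protected Zip policy would plug in.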

Launch restrictions for OneNote with embedded scripts

If OneNote files are rarely received in your company's business, it is effective to uniformly restrict their reception by specifying the OneNote extension at the e-mail gateway, as described above.
If refusing reception is difficult, a GPO can be configured so that OneNote itself blocks the opening of embedded files with the extensions of scripts executed from within OneNote, like the one used this time (.js, .exe, .com, .cmd, .scr, .ps1, .vbs, .lnk, etc.).

https://www.bleepingcomputer.com/news/security/how-to-prevent-microsoft-onenote-files-from-infecting-windows-with-malware/

As is the case with other countermeasures, it is necessary to make judgments regarding the application of such measures in light of the business impact.
In addition, it is also important to tune the extensions specified according to changes in the techniques of Emotet and other distributing malware.

Restrict Macro Activation for Files Obtained from Untrusted Locations

It is possible to strongly restrict the execution of macros for Office files obtained from e-mail or the Internet. It can be introduced by upgrading Office apps to a specific version or above, or by changing security settings. Please refer to the following URL for details.

https://learn.microsoft.com/ja-jp/deployoffice/security/internet-macros-blocked

Although macros can still be executed by specific methods, a large effect can be expected in situations where infection occurs because the user reflexively or unintentionally clicks the enable-macros button displayed immediately after opening the Office file.
In addition, although the decision requires care because of the magnitude of the business impact, it is also possible to disable macros in all Office files at once, regardless of whether they were obtained from the Internet.

https://wizsafe.iij.ad.jp/2020/09/1044/

This is effective against the Office file type of Emotet, but not against the shortcut link type or the OneNote type.

Also, when the Office file that is the source of an Emotet infection is opened, it may instruct the user to move the file to a specific folder on the PC and open it again. If the user follows this, the macro runs automatically when the Office file is reopened.

https://www.jpcert.or.jp/at/2022/at220006_fig3-1.png
* The link opens an image.

Whether a file was obtained from e-mail or the Internet is determined by an identifier attached to the file called the Mark of the Web (MoTW).

* MoTW information may not be carried over depending on the decompression software and version used.
* Although not confirmed as an Emotet method, MoTW is not inherited when the file is delivered inside a container such as ISO or VHD. MoTW can also be bypassed by exploiting specific vulnerabilities (CVE-2023-21715, CVE-2023-24880, etc.).
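On NTFS the MoTW is the Zone.Identifier alternate data stream, a small INI-style text whose ZoneId decides whether the macro block described above applies. The following is an added example written for this article, not code from the page or from Microsoft: it parses that stream, maps the ZoneId to the block decision (Zone 3 Internet and Zone 4 Restricted trigger it), and models the caveat that a file whose mark was lost simply has no stream and is treated as local. The sample stream text and its URLs are constructed for the example.

```python
# Zone IDs as written into the Zone.Identifier stream (URLZONE values).
ZONE_LOCAL_MACHINE, ZONE_INTRANET, ZONE_TRUSTED, ZONE_INTERNET, ZONE_UNTRUSTED = range(5)

# Constructed sample of what a mail client or browser writes for a file saved from
# the Internet; the URLs are placeholders, not values from the page.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://mail.example.test/inbox\r\n"
    "HostUrl=https://mail.example.test/attachments/Invoice.zip\r\n"
)


def parse_zone_identifier(text: str) -> dict:
    """Parse the INI-style stream into the key/value pairs of its [ZoneTransfer] section."""
    values, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "ZoneTransfer" and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values


def zone_id(text: str):
    """Return the ZoneId as an int, or None when the stream lacks a usable value."""
    raw = parse_zone_identifier(text).get("ZoneId")
    try:
        return int(raw)
    except (TypeError, ValueError):
        return None


def macro_block_applies(stream_text) -> bool:
    """True when Office's 'block macros in files from the Internet' rule would fire.

    The rule keys on Zone 3 (Internet) and Zone 4 (Restricted). None stands for a
    missing stream: the mark was dropped by a decompression tool or an ISO/VHD
    container, so the file looks local and the rule does not fire.
    """
    if stream_text is None:
        return False
    zid = zone_id(stream_text)
    return zid is not None and zid >= ZONE_INTERNET


def read_motw(path: str):
    """Read a file's Zone.Identifier stream on Windows/NTFS; None when absent.
    On other platforms the stream name is just a non-existent file, so it returns None."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE_STREAM))
    print("block macros:", macro_block_applies(SAMPLE_STREAM))
    print("block macros (mark lost):", macro_block_applies(None))
```

Run against a real file with `macro_block_applies(read_motw(path))`; a result of False for a document that arrived by e-mail is exactly the situation the two notes above warn about, and is worth checking whenever a new decompression tool or delivery container appears in the environment.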

Shortcut links received by email, reminders to OneNote, in-house education

Emotet sends the files that act as the starting point for infection as Office files such as Word and Excel, or as shortcut links or malicious scripts embedded in OneNote.
Since it is unlikely that a bare shortcut link would be exchanged by e-mail in normal business, alerting employees that a shortcut file received by e-mail is almost certainly malicious can be expected to be effective.
Similarly, if OneNote files are rarely received in your business, consider issuing a warning that a .one file attached to an e-mail is highly likely to be malicious.

Depending on the PC settings, the extension of the shortcut file may not be displayed, or the icon of the shortcut file may be camouflaged, making it look like a document file at first glance.

The reliable way is to check the file type from the file's properties.

Destination restrictions

As you can see from the infection flow at the beginning of this article, the Office files and shortcut links sent by e-mail are only the starting point of an Emotet infection; the Emotet body itself is downloaded from outside each time an infection occurs.
The download and C2 destinations change periodically, but not randomly every time; there is a certain degree of commonality.
Since this destination information is accumulated by volunteers on URLhaus, Feodo Tracker, etc., blocking communication to the destinations registered on these sites is also an effective countermeasure.

Download URL
https://urlhaus.abuse.ch/
https://urlhaus.abuse.ch/browse/tag/emotet/

Destination IP address for C2
https://feodotracker.abuse.ch/
https://feodotracker.abuse.ch/browse/emotet/

* The first URL in each pair covers the main spreading malware families in general; the second is limited to Emotet.

These sites do not necessarily collect 100% exhaustive information.
Communication that does not pass through the company's network gateway, such as from teleworking PCs, is not blocked and will succeed.
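To make use of these lists, a defender loads the published CSV exports, optionally narrows them to the Emotet view the second URL of each pair gives, and checks them against proxy logs or a blocklist. The following is an added example written for this article, not code from abuse.ch or from the page: the column layout of the two feed excerpts follows the Feodo Tracker and URLhaus CSV exports, but the rows themselves (RFC 5737 documentation addresses) and the proxy log lines are constructed, not real indicators.

```python
import csv
import io
from urllib.parse import urlsplit

# Constructed feed excerpts. The column layout follows the public CSV exports of
# Feodo Tracker (botnet C2 IP blocklist) and URLhaus; the rows are made up for
# this example using RFC 5737 documentation addresses, not real indicators.
FEODO_SAMPLE = """\
# Feodo Tracker botnet C2 IP blocklist (constructed excerpt)
first_seen_utc,dst_ip,dst_port,c2_status,last_online,malware
2023-03-08 10:00:00,203.0.113.10,8080,online,2023-03-13,Emotet
2023-03-09 11:00:00,198.51.100.7,443,online,2023-03-13,QakBot
"""

URLHAUS_SAMPLE = """\
# URLhaus malware URL list (constructed excerpt)
id,dateadded,url,url_status,last_online,threat,tags,urlhaus_link,reporter
1,2023-03-08 09:30:00,http://192.0.2.55/wp-content/Invoice.zip,online,2023-03-13,malware_download,"emotet,epoch4",https://urlhaus.abuse.ch/url/1/,constructed
2,2023-03-08 09:31:00,http://192.0.2.77/update/setup.exe,online,2023-03-13,malware_download,icedid,https://urlhaus.abuse.ch/url/2/,constructed
"""

# Constructed proxy log: timestamp, client IP, method, target, HTTP status.
PROXY_LOG_SAMPLE = """\
2023-03-13T10:01:02Z 10.0.0.23 GET http://192.0.2.55/wp-content/Invoice.zip 200
2023-03-13T10:01:40Z 10.0.0.23 CONNECT 203.0.113.10:8080 200
2023-03-13T10:02:10Z 10.0.0.41 GET http://192.0.2.77/update/setup.exe 200
2023-03-13T10:03:00Z 10.0.0.41 CONNECT www.example.com:443 200
"""


def _rows(feed_text):
    """Iterate CSV rows, skipping the '#' comment lines the feeds start with."""
    body = "\n".join(l for l in feed_text.splitlines() if not l.startswith("#"))
    return csv.DictReader(io.StringIO(body))


def _norm_url(url):
    """Normalize scheme and host to lower case; keep the path as-is."""
    u = urlsplit(url.strip())
    return f"{u.scheme.lower()}://{u.netloc.lower()}{u.path}"


def load_feodo_c2(feed_text, malware=None):
    """Return a set of (ip, port) C2 endpoints. malware=None is the whole feed
    (the first URL above); malware="Emotet" is the Emotet-only view (the second)."""
    c2 = set()
    for row in _rows(feed_text):
        if malware and row["malware"].lower() != malware.lower():
            continue
        c2.add((row["dst_ip"], int(row["dst_port"])))
    return c2


def load_urlhaus(feed_text, tag=None):
    """Return a set of normalized download URLs, optionally only those carrying `tag`."""
    urls = set()
    for row in _rows(feed_text):
        tags = {t.strip().lower() for t in row["tags"].split(",") if t.strip()}
        if tag and tag.lower() not in tags:
            continue
        urls.add(_norm_url(row["url"]))
    return urls


def match_proxy_logs(lines, c2, urls):
    """Return (timestamp, client, kind, target) for each log line that hits a list.
    CONNECT targets are checked as host:port against the C2 list; plain requests
    are checked as full URLs against the download list."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        ts, client, method, target = parts[:4]
        if method == "CONNECT":
            host, _, port = target.rpartition(":")
            if port.isdigit() and (host, int(port)) in c2:
                hits.append((ts, client, "c2", target))
        elif _norm_url(target) in urls:
            hits.append((ts, client, "download", target))
    return hits


if __name__ == "__main__":
    emotet_c2 = load_feodo_c2(FEODO_SAMPLE, malware="Emotet")
    emotet_urls = load_urlhaus(URLHAUS_SAMPLE, tag="emotet")
    for hit in match_proxy_logs(PROXY_LOG_SAMPLE.splitlines(), emotet_c2, emotet_urls):
        print(*hit)
```

The same loaders feed a gateway blocklist; the log matcher is the retrospective side, which is what catches the teleworking case noted above once those clients' logs are collected, even though the gateway never saw the traffic.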