Detecting the Emotet malware that resumed activity in March 2023
Change log
March 14, 2023: First edition published
March 16, 2023: Added IPA link to the introduction; added Trellix (formerly FireEye) HX verification results to Part 1; described OneNote-type Emotet in Part 2; added countermeasure examples to Part 3 (measures other than security products)
March 17, 2023: Part 1: noted that the verification date and latest status of Trellix (formerly McAfee) ENS Threat Prevention (AV) and ENS Adaptive Threat Protection (NGAV) are being confirmed
March 20, 2023: Revised the Trellix (formerly McAfee) results in Part 1 and the verification results in Part 2; revised the Netskope descriptions in Part 1 and Part 2; added Trellix (formerly FireEye) NX results to Part 2; added our verification dates for products that could not detect
March 23, 2023: Added Broadcom verification results to Part 1 and Part 2
April 14, 2023: Changed the IPA link URL; corrected and added the Skyhigh Security verification results in Part 1 and Part 2
Introduction
On March 7, 2023, Emotet resumed activity for the first time in about four months.
Emotet alternates between periods of activity and dormancy, and it is common for its behavior and attack methods to change when it resumes. This time, both the Office file*1 that is the starting point of infection and the Emotet body*2 fetched from outside after the macro runs have been deliberately inflated to over 500MB.
*1: The Office file is Zip-compressed and attached to the email at a size of under 1MB, but it decompresses to an Office file of more than 500MB. Because the Zip is not password-protected, it also bypasses the now-common policy of refusing password-protected Zip attachments.
*2: The Emotet body is likewise downloaded from an external site as a Zip of under 1MB, and decompresses to a file of over 500MB.
Security products generally do not handle large files well (many have a per-file size ceiling above which a file is skipped or only partially scanned), so this padding is thought to be a device for evading detection during email scanning, on download, and on the endpoint.
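The size trick above is visible without ever inflating the archive: the Zip central directory records each entry's uncompressed size and compression ratio, and the general-purpose flag records whether the entry is encrypted. The following is an added example (not code from the original article or from any vendor named in it) of a mail-gateway style check that flags an attachment whose decompressed size exceeds a scanner's ceiling, whose compression ratio is implausible for a document, or that carries a blocked extension such as .one (the reception rules discussed in Part 3). The thresholds, the blocked-extension list and the sample archive are assumptions and constructed test data.

```python
"""Central-directory policy checks for Zip mail attachments.

Added example, not code from the original article or from any vendor named in it.
The thresholds and the blocked-extension list are assumptions to be tuned locally.
"""
import io
import os
import zipfile

MAX_UNCOMPRESSED = 50 * 1024 * 1024   # 50MB: the Proofpoint default quoted in Part 1 (assumed limit)
MAX_RATIO = 100.0                      # a 500MB document in a <1MB Zip is >500:1; real documents rarely pass 20:1
BLOCKED_EXTENSIONS = {".one", ".lnk", ".vbs", ".js", ".hta"}  # .one from Part 3; the others are assumptions


def inspect_zip(data: bytes, max_uncompressed: int = MAX_UNCOMPRESSED,
                max_ratio: float = MAX_RATIO) -> list:
    """Return policy findings for the Zip in `data` (empty list = nothing to flag).

    Only the central directory is read. Nothing is inflated, so the oversized
    document never has to be materialised on the gateway, and an entry that a
    downstream scanner would skip because of its size is still caught here.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = os.path.splitext(name)[1].lower()
            if info.flag_bits & 0x1:              # bit 0 of the general-purpose flag = encrypted entry
                findings.append(f"{name}: password-protected entry")
            if ext in BLOCKED_EXTENSIONS:
                findings.append(f"{name}: blocked extension {ext}")
            if info.file_size > max_uncompressed:
                findings.append(f"{name}: uncompressed size {info.file_size} exceeds {max_uncompressed}")
            ratio = info.file_size / info.compress_size if info.compress_size else float("inf")
            if ratio > max_ratio:
                findings.append(f"{name}: compression ratio {ratio:.0f}:1 exceeds {max_ratio:.0f}:1")
    return findings


def build_sample_zip(padded_size: int = 64 * 1024 * 1024) -> bytes:
    """Constructed test data: an OLE (compound file) magic header padded with null
    bytes, the way the inflated documents were padded, plus a small .one stand-in.
    64MB is used so the sample compresses in well under a second; the check is the
    same for the 500MB case."""
    document = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"            # compound-file magic
    document += b"\x00" * (padded_size - len(document))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice_2023-03.doc", document)
        zf.writestr("notes.one", b"synthetic OneNote stand-in, not a real .one file")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip()
    print(f"attachment size on the wire: {len(sample)} bytes")
    for finding in inspect_zip(sample):
        print("BLOCK:", finding)
```

The 64MB null-padded sample compresses to well under 1MB, reproducing the "under 1MB on the wire, hundreds of MB on disk" shape from the text; the ratio check catches it even on a gateway whose size ceiling is higher than the padded file.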
In addition, on March 16, 2023, the file that starts the infection changed from conventional Office files such as Word and Excel to OneNote files (extension .one). Delivery via OneNote has become a popular technique among attackers recently.
In response, we re-checked the detection status of the products we handle, and share the results in Part 1 and Part 2. Part 3 organizes countermeasures that do not depend on the detection capability of security products.
Part 1. Detection status of files over 500MB in the products we handle
Part 2. Detection status of the OneNote type in the products we handle
Part 3. Measures other than security products
For Emotet's attack methods and the latest trends, refer to JPCERT/CC and IPA:
https://www.jpcert.or.jp/at/2022/at220006.html
https://www.ipa.go.jp/security/security-alert/2022/1202.html
Part 1. Detection status of files over 500MB in the products we handle
The following is based on Emotet samples we obtained and on cases confirmed in customer environments, described against each step (1) to (6) of the Emotet attack flow below. Results may change as new attack techniques emerge.
(1) An email with a file attached is delivered
(2) The user opens the attached Office document, such as a Word file
(3) The user allows macros to run
(4) The Emotet body is downloaded by the macro
(5) The Emotet body is executed via regsvr32
(6) The host is infected with Emotet
Manufacturer (alphabetical order) | Product name | Verification result |
Broadcom | Web Security Service | (4) Detects and blocks the download of the Emotet body |
CrowdStrike | Falcon | (5) Detects and blocks the behavior of regsvr32, launched via the macro, loading the malicious file |
CrowdStrike | Sandbox | The .doc file produces an error and cannot be analyzed; the Emotet body itself can be analyzed and detected (our verification result as of March 13) |
Island | Island Enterprise Browser | (2) If the attachment is viewed through the browser, it is detected and can be viewed safely |
Menlo Security | Mail Isolation | (2) Attachment contents can be viewed safely and are detected |
Netskope | Threat Protection | (4) Detects and blocks the download of the Emotet body |
Proofpoint | Email Protection | (1) Can detect and block based on the attachment's size after decompression (default setting: 50MB) |
TeamT5 | ThreatSonar | (6) Infected hosts can be detected by running the scanner |
Trellix (formerly FireEye) | EX/ETP | (1) Detects and blocks when analyzing the email attachment |
Trellix (formerly FireEye) | AX/VX/FX | (1) Detects when analyzing the email attachment |
Trellix (formerly FireEye) | NX | (4) Detects and blocks the download of the Emotet body |
Trellix (formerly FireEye) | HX | (3) Detects and blocks suspicious behavior after macro execution |
Trellix (formerly McAfee) | ENS Threat Prevention (AV) | |
Trellix (formerly McAfee) | ENS Adaptive Threat Protection (NGAV) | |
Trellix (formerly McAfee) | Trellix EDR | (5) Can detect the behavior of regsvr32, launched via the macro, loading the malicious file (our verification result as of March 10) |
Verification of assumed scenarios
Emotet has previously delivered the malicious Office file that starts the infection via a URL in the email body rather than as an attachment. This has not been observed since activity resumed on March 7 (as of writing), but we also checked the detection status for this scenario as a precaution.
(1) Downloading a Zip-compressed malicious Office file from a website
(2) Downloading an uncompressed malicious Office file of over 500MB from a website
Manufacturer (alphabetical order) | Product name | Verification result |
Broadcom | Web Security Service | Both (1) and (2) are detected and blocked |
Cato Networks | Next Generation Anti-Malware | (1) Detected; (2) Not detected (our verification result as of March 10) |
Menlo Security | Web Isolation | Both (1) and (2) are detected |
Netskope | Threat Protection | Neither (1) nor (2) is detected (our verification result as of March 10); however, step (4) above is detected |
Skyhigh Security | Secure Web Gateway (Cloud) (GAM/ATD) | |
Skyhigh Security | Secure Web Gateway (On-prem) | Both (1) and (2) are detected and blocked |
We also ran verification assuming that a file received by email or similar is uploaded to the company's shared storage.
(1) Uploading a Zip-compressed malicious Office file
(2) Uploading an uncompressed malicious Office file of over 500MB
Manufacturer | Product name | Verification result |
Box | Box Shield | (1) Not detected (our verification result as of March 10); (2) Detected |
Part 2. Detection status of the OneNote type in the products we handle
The following is based on the OneNote-type Emotet sample we obtained, described against each step (1) to (6) of the attack flow below. Results may change as new attack techniques emerge.
(1) An email with a OneNote file attached is delivered
(2) The user opens the OneNote file and follows its "double-click here" instruction
(3) The user clicks OK on the warning displayed before the script runs
(4) The Emotet body is downloaded by the script
(5) The Emotet body is executed via regsvr32
(6) The host is infected with Emotet
Manufacturer (alphabetical order) | Product name | Verification result |
Broadcom | Web Security Service | (4) Detects and blocks the download of the Emotet body |
CrowdStrike | Falcon | (4) Detects and blocks wscript.exe being launched from onenote.exe as suspicious behavior |
CrowdStrike | Sandbox | Not detected: .one files are not supported (our verification result as of March 16) |
Island | Island Enterprise Browser | (2) If the attachment is downloaded through the browser, it is detected and blocked |
Menlo Security | Mail Isolation | (2) Attachment contents can be viewed safely and are detected |
Netskope | Threat Protection | (4) Detects and blocks the download of the Emotet body |
Proofpoint | Email Protection | (1) Detects and blocks the email attachment; reception can also be rejected by specifying the .one extension |
TeamT5 | ThreatSonar | (6) Infected hosts can be detected by running the scanner |
Trellix (formerly FireEye) | EX/ETP | (1) Detects and blocks the email attachment |
Trellix (formerly FireEye) | AX/VX/FX | (1) Detects when analyzing the email attachment |
Trellix (formerly FireEye) | NX | (4) Detects and blocks the download of the Emotet body |
Trellix (formerly FireEye) | HX | (4) Detects and blocks suspicious behavior after the script-execution warning is accepted |
Trellix (formerly McAfee) | ENS Threat Prevention (AV) | (4) Detects and blocks suspicious behavior after the script-execution warning is accepted |
Trellix (formerly McAfee) | ENS Adaptive Threat Protection (NGAV) | (4) Detects and blocks suspicious behavior after the script-execution warning is accepted |
Trellix (formerly McAfee) | Trellix EDR | (4) Detects suspicious behavior after the script-execution warning is accepted |
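Several of the results above (Falcon, HX, ENS, Trellix EDR) are behavioral: they key on the process chain rather than the file. The following is an added example, not the article's code and not any vendor's rule, of the parent/child logic that covers both flows: step (5) of Part 1 (an Office process launching regsvr32 with a DLL in a user-writable directory) and steps (4) and (5) of Part 2 (onenote.exe launching wscript.exe, and regsvr32 appearing further down that lineage). The events are constructed Sysmon Event ID 1 style records reduced to the fields the logic needs; the PIDs, paths and command lines are invented test data, and the process-name sets are assumptions to extend locally.

```python
"""Parent/child process-chain detection for the Emotet execution flows in Part 1
(Office macro -> regsvr32) and Part 2 (onenote.exe -> wscript.exe -> regsvr32).

Added example, not the article's code and not any vendor's detection rule. The
events are constructed, Sysmon Event ID 1 style records reduced to the fields
the logic needs; PIDs, paths and command lines are invented test data.
"""
import re

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
ONENOTE = {"onenote.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}
LOADERS = {"regsvr32.exe", "rundll32.exe"}
# Paths a normal user can write to; a DLL handed to regsvr32 from here is the Emotet pattern
USER_WRITABLE = re.compile(r"\\(users|programdata)\\", re.IGNORECASE)


def _exe(image: str) -> str:
    """Base name of an image path, lower-cased."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def lineage(event: dict, by_pid: dict, max_depth: int = 6) -> list:
    """Process names from the direct parent upward, nearest first.

    The direct parent comes from the event's own parent_image field, so it is
    known even when the parent started before logging began."""
    names = [_exe(event["parent_image"])]
    pid = event["parent_pid"]
    while pid in by_pid and len(names) < max_depth:
        parent_event = by_pid[pid]
        names.append(_exe(parent_event["parent_image"]))
        pid = parent_event["parent_pid"]
    return names


def detect(events: list) -> list:
    """Return one alert dict per event that matches a rule."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        child = _exe(e["image"])
        chain = lineage(e, by_pid)
        parent = chain[0]
        rule = None
        if parent in OFFICE and child in LOADERS:
            rule = "office_spawned_loader"            # Part 1 step (5)
        elif parent in ONENOTE and child in SCRIPT_HOSTS:
            rule = "onenote_spawned_script_host"      # Part 2 step (4)
        elif child in LOADERS and parent in SCRIPT_HOSTS and (OFFICE | ONENOTE) & set(chain[1:]):
            rule = "loader_under_document_lineage"    # Part 2 step (5), reached via the script host
        if rule:
            alerts.append({
                "rule": rule,
                "pid": e["pid"],
                "chain": " <- ".join([child] + chain),
                "user_writable_path": bool(USER_WRITABLE.search(e.get("cmdline", ""))),
            })
    return alerts


# Constructed events (not real telemetry). PID 1 is explorer.exe, PID 10 is msiexec.exe.
SAMPLE_EVENTS = [
    {"pid": 200, "parent_pid": 1, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": r'"WINWORD.EXE" /n invoice.doc'},
    {"pid": 201, "parent_pid": 200, "image": r"C:\Windows\System32\regsvr32.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r"regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\rad1A2B3.tmp.dll"},
    {"pid": 300, "parent_pid": 1, "image": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": r'"ONENOTE.EXE" invoice.one'},
    {"pid": 301, "parent_pid": 300, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "cmdline": r'"wscript.exe" C:\Users\alice\AppData\Local\Temp\OneNote\16.0\Exported\click.wsf'},
    {"pid": 302, "parent_pid": 301, "image": r"C:\Windows\System32\regsvr32.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"regsvr32.exe C:\Users\alice\AppData\Local\Temp\rad9F8E7.tmp.dll"},
    # Benign: an installer registering a system DLL, and a logon script run from explorer
    {"pid": 400, "parent_pid": 10, "image": r"C:\Windows\System32\regsvr32.exe",
     "parent_image": r"C:\Windows\System32\msiexec.exe", "cmdline": r"regsvr32 /s C:\Windows\System32\vendor.dll"},
    {"pid": 401, "parent_pid": 1, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": r"wscript.exe \\fileserver\netlogon\map.vbs"},
]


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["rule"], a["pid"], a["chain"], "user-writable" if a["user_writable_path"] else "")
```

The third rule walks the lineage rather than only the direct parent because, in the OneNote flow, regsvr32 is a grandchild of onenote.exe; a rule on direct parentage alone would only see "wscript.exe -> regsvr32.exe", which also occurs in legitimate logon scripts.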
Verification of assumed scenarios
As of writing, we have not observed OneNote files being delivered via URLs in emails, but we also checked the detection status for this scenario as a precaution.
(1) Downloading a Zip-compressed OneNote file from a website
(2) Downloading an uncompressed OneNote file from a website
Manufacturer (alphabetical order) | Product name | Verification result |
Broadcom | Web Security Service | Both (1) and (2) are detected and blocked |
Cato Networks | Next Generation Anti-Malware | Neither (1) nor (2) is detected (our verification result as of March 16) |
Menlo Security | Web Isolation | Both (1) and (2) are detected, and the file contents can be viewed safely |
Netskope | Threat Protection | Neither (1) nor (2) is detected |
Skyhigh Security | Secure Web Gateway (Cloud) (GAM/ATD) | Both (1) and (2) are detected and blocked |
Skyhigh Security | Secure Web Gateway (On-prem) | Both (1) and (2) are detected and blocked |
We also ran verification assuming that a file received by email or similar is uploaded to the company's shared storage.
(1) Uploading a Zip-compressed OneNote file
(2) Uploading an uncompressed OneNote file
Manufacturer | Product name | Verification result |
Box | Box Shield | (1) Not detected |
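The products that did detect the OneNote lure in Part 2 did so by looking inside the .one file, where the malicious script sits as an embedded file underneath a decoy "double-click here" image. The following is an added example, not the article's code, of carving those embedded files out of a section file and classifying them by magic bytes. The layout follows the FileDataStoreObject structure of Microsoft's MS-ONESTORE specification as the author understands it (a header GUID, an 8-byte length, 4 unused and 8 reserved bytes, the file data, a footer GUID); verify the GUID constants against the specification before relying on them. The .one blob built in the example is synthetic, with just enough structure for the carver, and the script inside it is a constructed stand-in.

```python
"""Carve and classify files embedded in a OneNote (.one) section.

Added example, not the article's code. The structure follows the FileDataStoreObject
layout in Microsoft's MS-ONESTORE specification as the author understands it; verify
the constants against the specification before relying on them. The .one blob built
below is synthetic: just enough structure for the carver, not a real notebook.
"""
import struct
import uuid

ONE_FILE_TYPE_GUID = uuid.UUID("7B5C52E4-D88C-4DA7-AEB1-5378D02996D3").bytes_le   # .one file header
FDSO_HEADER = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le         # FileDataStoreObject start
FDSO_FOOTER = uuid.UUID("71FBA722-0F79-4A0B-BB13-899256426B24").bytes_le         # FileDataStoreObject end
LNK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046").bytes_le           # ShellLink header CLSID
FDSO_PREAMBLE = 16 + 8 + 4 + 8   # guidHeader, cbLength, unused, reserved
RISKY_TYPES = {"pe", "ole", "lnk", "script"}


def is_onenote(blob: bytes) -> bool:
    return blob.startswith(ONE_FILE_TYPE_GUID)


def carve_embedded(blob: bytes) -> list:
    """Return the payload bytes of every well-formed FileDataStoreObject in `blob`."""
    payloads = []
    pos = 0
    while (i := blob.find(FDSO_HEADER, pos)) != -1:
        if i + FDSO_PREAMBLE > len(blob):
            break
        (length,) = struct.unpack_from("<Q", blob, i + 16)
        start = i + FDSO_PREAMBLE
        end = start + length
        if blob[end:end + 16] == FDSO_FOOTER:       # length sanity check: the footer must follow the data
            payloads.append(blob[start:end])
        pos = i + 16
    return payloads


def classify(data: bytes) -> str:
    """Rough type of an embedded payload from magic bytes or content (a heuristic)."""
    if data.startswith(b"MZ"):
        return "pe"
    if data.startswith(b"\xd0\xcf\x11\xe0"):
        return "ole"                                  # legacy .doc/.xls
    if data.startswith(b"PK\x03\x04"):
        return "zip"                                  # .docx/.xlsx or a plain archive
    if data[:4] == b"L\x00\x00\x00" and data[4:20] == LNK_CLSID:
        return "lnk"
    if data.startswith(b"\x89PNG") or data.startswith(b"\xff\xd8"):
        return "image"
    head = data[:1024].decode("latin-1").lower()
    if "<job" in head or "<script" in head or "wscript" in head or "createobject" in head:
        return "script"
    return "unknown"


def triage(blob: bytes) -> list:
    """(type, size) for each embedded file; the caller decides what to block."""
    return [(classify(p), len(p)) for p in carve_embedded(blob)]


def _fdso(payload: bytes) -> bytes:
    """Wrap `payload` in a FileDataStoreObject (used only to build the synthetic sample)."""
    return FDSO_HEADER + struct.pack("<Q", len(payload)) + b"\x00" * 12 + payload + FDSO_FOOTER


def build_sample_one() -> bytes:
    """Synthetic .one: a decoy image (the 'double-click here' picture the lure shows the
    user) followed by a .wsf script of the kind OneNote hands to wscript.exe."""
    decoy_png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
    script = b'<job><script language="VBScript">CreateObject("WScript.Shell").Run "regsvr32 /s x.dll"</script></job>'
    return ONE_FILE_TYPE_GUID + b"\x00" * 100 + _fdso(decoy_png) + b"\x00" * 40 + _fdso(script)


if __name__ == "__main__":
    sample = build_sample_one()
    print("is .one:", is_onenote(sample))
    for kind, size in triage(sample):
        print(f"{kind:8s} {size:6d} bytes", "-> BLOCK" if kind in RISKY_TYPES else "")
```

Requiring the footer GUID at the position the length field predicts is what makes the carver robust against stray header GUIDs in other data; a gateway rule would block or quarantine any .one whose embedded files include a type in RISKY_TYPES.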
Regarding the results of Part 1 and Part 2
At the time of this verification, some products had difficulty detecting these samples. We are working with each manufacturer on the basis of these results.
Results may change as new attack techniques emerge. The results above describe verification conducted by our company and do not guarantee ongoing detection.
Part 3. Measures other than security products
Emotet keeps spreading by changing its methods irregularly, evading detection by security products, and exploiting gaps in human psychology. As with some products this time, there are cases where a security product cannot detect a new method immediately after the change, although in most cases the manufacturer responds by improving the product. As a reference for the interval until such a response, we have organized examples of countermeasures that do not depend on the detection capability of security products and that are considered effective against past Emotet methods.
Overview | Details | Important points |
Restricting receipt of password-protected Zips at the mail server | Although not observed since activity resumed on March 7, 2023, Emotet has frequently sent malicious files in password-protected Zips to evade email security products. Restricting receipt of password-protected Zips, which many companies have recently adopted, can be expected to have a certain effect. | Besides password-protected Zips, there are other malicious file delivery patterns, such as: |
Other incoming mail restrictions | Password-protected Zip restriction has been adopted by many companies and is becoming a mainstream measure; following the same idea, restricting email reception according to the methods Emotet uses is also effective. | As with the other countermeasures, the business impact must be weighed before applying such measures. It is also important to tune them as Emotet's methods change. |
Restricting OneNote files with embedded scripts | If your business rarely receives OneNote files by email, it is effective to uniformly restrict reception by specifying the OneNote extension at the email gateway, as described above. | As with the other countermeasures, the business impact must be weighed before applying such measures. |
Restricting macro execution for files obtained from untrusted locations | The execution of macros in Office files obtained from email or the Internet can be strongly restricted. This is introduced by upgrading the Office apps to a specific version or later, or by changing security settings; see https://learn.microsoft.com/ja-jp/deployoffice/security/internet-macros-blocked for details. Although macros can still be executed by a specific procedure, this is expected to be highly effective against the common case where a user is infected by reflexively or unintentionally clicking the "Enable Content" button shown immediately after opening an Office file. | Effective against the Office-file type of Emotet, but not against the shortcut-link type or the OneNote type. https://www.jpcert.or.jp/at/2022/at220006_fig3-1.png *Depending on the decompression software and version used, the MoTW (Mark of the Web) information may not be carried over to the extracted file, in which case the restriction does not apply to it. |
Caution about shortcut links and OneNote files received by email, and in-house education | Emotet sends the files that start the infection as Office files such as Word and Excel, or embeds shortcut links and malicious scripts in OneNote files. | Depending on PC settings, the extension of a shortcut file may not be displayed, and the shortcut's icon may be disguised so that it looks like a document file at first glance. Checking the file type in the file's properties is a reliable method. |
Destination restrictions | As the infection flow at the beginning of this article shows, the Office files and shortcut links sent by email are only the starting point; the actual Emotet body is downloaded from outside each time an infection occurs. | Download URLs; C2 destination IP addresses *General information on the major mass-spreading malware families is in the upper row, and Emotet-specific information in the lower row. The sites on the left do not necessarily collect 100% exhaustive information. |
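The macro-blocking row above depends on the Mark of the Web surviving extraction: Office applies the "block macros from the internet" rule to files whose Zone.Identifier alternate data stream carries ZoneId 3 (Internet) or 4 (Restricted sites), and a document whose stream was dropped by the unzip tool looks local and is not blocked. The following is an added example, not the article's code, of a triage check that reads the stream, parses the ZoneId, and reports whether the block applies to an extracted document; the stream contents below are constructed, and the stream can only be read on NTFS, so on other filesystems the function reports "no stream", which is exactly the failure case the table warns about.

```python
"""Mark of the Web (MoTW) check for files extracted from a downloaded Zip.

Added example, not the article's code. Office's "block macros from the internet"
rule keys off the Zone.Identifier alternate data stream: ZoneId 3 (Internet) or
4 (Restricted sites) triggers the block. If the unzip tool did not propagate the
stream to the extracted document, Office sees a local file and the block does not
apply, which is the caveat noted in the table. The stream text below is constructed.
"""
import configparser
from typing import Optional

ZONE_INTERNET = 3
ZONE_RESTRICTED = 4


def parse_zone_identifier(stream_text: str) -> Optional[int]:
    """ZoneId from the stream's [ZoneTransfer] section, or None if absent/malformed."""
    cp = configparser.ConfigParser(interpolation=None)   # URLs in the stream may contain '%'
    try:
        cp.read_string(stream_text)
        return cp.getint("ZoneTransfer", "ZoneId")
    except (configparser.Error, ValueError):
        return None


def macros_blocked_by_motw(zone_id: Optional[int]) -> bool:
    """True when Office's internet-macro block applies to a file with this ZoneId."""
    return zone_id in (ZONE_INTERNET, ZONE_RESTRICTED)


def read_zone_identifier(path: str) -> Optional[str]:
    """Read the Zone.Identifier stream of `path` (NTFS only). Returns None when the
    stream is missing, e.g. on non-NTFS filesystems or after an unzip that dropped it."""
    try:
        with open(f"{path}:Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


def motw_status(path: str) -> dict:
    """What a triage script wants to know about one extracted document."""
    text = read_zone_identifier(path)
    zone = parse_zone_identifier(text) if text is not None else None
    return {"path": path, "has_stream": text is not None, "zone_id": zone,
            "macro_block_applies": macros_blocked_by_motw(zone)}


# Constructed stream contents for the cases that matter (not captured from a real host)
DOWNLOADED = ("[ZoneTransfer]\r\nZoneId=3\r\n"
              "ReferrerUrl=https://mail.example.test/\r\n"
              "HostUrl=https://mail.example.test/attachment.zip\r\n")
INTRANET = "[ZoneTransfer]\r\nZoneId=1\r\n"

if __name__ == "__main__":
    print("downloaded:", macros_blocked_by_motw(parse_zone_identifier(DOWNLOADED)))   # True
    print("intranet:  ", macros_blocked_by_motw(parse_zone_identifier(INTRANET)))     # False
    print("no stream: ", macros_blocked_by_motw(None))                                 # False
```

Running motw_status over the documents a user has extracted from a mail attachment shows at a glance which of them the Office policy will actually protect; a document with has_stream False is one the extraction tool has stripped, and the user will see the ordinary "Enable Content" bar for it.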