Mitigating Emotet
Following are a few recommendations on how you can prevent Heodo (aka Emotet) from infecting your network. These tips are aimed at SOCs/CERTs/CSIRTs, not at individuals. There is a much longer list of recommendations I could give here; I have deliberately kept it minimal and documented only those measures that have the largest impact.
How Emotet spreads itself
Emotet spreads via spam emails. These are usually sent from compromised mailboxes and contain either a malicious attachment or a hyperlink to a compromised website. The attachment, or the compromised website, usually contains/serves an Office document with malicious macros or a JavaScript file which, once opened/executed, downloads and installs Emotet on the victim's machine.
How to block Emotet spam emails
There are different ways to prevent Emotet from bypassing your spam filter and reaching your users' mailboxes. As Emotet switches between malicious attachments and links in the email body, there are two technical measures to take to stop Emotet spam from being delivered to your users' inboxes.
- Block Office documents containing macros: You should block any incoming Office document containing macros on your email gateway / spam filter. Match on the content of the attachment rather than on its file name or extension, since a macro-enabled document can simply be renamed. If you are using a commercial spam filter, consult the product manual or contact your vendor to find out how to block Office documents with macros. If you use an open source MTA such as Postfix, take a look at MacroMilter.
- Pro: This is a very effective way to prevent your users/customers from getting infected with many malware families, not only Emotet.
- Contra: This may have a negative impact on some existing business processes, and you should expect some false positives. Make sure that you are able to whitelist specific (sending) email addresses from this filter rule.
- Block emails containing known bad URLs: The infosec community is doing a very good job of spotting and reporting compromised websites distributing Emotet to URLhaus. URLhaus is a project of abuse.ch with the goal of sharing malicious URLs that are being used for malware distribution. URLhaus feeds two major anti-spam blacklists, SURBL and Spamhaus DBL. You should filter/block any incoming email that contains a link to a domain name listed on Spamhaus DBL with the DNS return code 127.0.1.105 ("abused legit malware", i.e. a compromised legitimate site serving malware; see the DBL FAQ). If you are using a commercial spam filter, consult the product manual or contact your vendor to find out how to use Spamhaus DBL for inbound mail filtering. If you use an open source product such as Postfix, take a look at milter-spamc.
- Pro: SURBL and Spamhaus usually blacklist the corresponding domains within less than a minute of a report reaching URLhaus. Hence implementing SURBL and/or Spamhaus DBL on your spam filter is a very effective and performant measure against Emotet.
- Contra: As the websites (URLs) advertised in Emotet spam emails are compromised legitimate sites, there is a higher risk of false positives. Since Spamhaus DBL only lists domain names that were actively used to distribute malware within the past 24 hours, the number of false positives should be acceptable.
- URLhaus ClamAV signatures: URLhaus provides ClamAV signatures, updated in near real time, to detect known malware distribution sites in emails. If you are running ClamAV, I strongly recommend implementing the URLhaus ClamAV signatures and blocking emails containing blacklisted URLs.
- Pro: The URLhaus ClamAV signatures provide near-real-time detection combined with a very low false positive rate.
- Contra: You have to download and update the ClamAV signature file very frequently (every minute) to ensure that you always have the latest signatures and hence the maximum level of protection.
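The two mail-gateway measures above, combined in one inbound check, as an added example (this is not code from the original post, nor from MacroMilter, milter-spamc or abuse.ch): it classifies Office attachments by content (a vbaProject.bin part inside an OOXML zip means macros), extracts the hostnames of all links in the body and looks each one up on Spamhaus DBL, rejecting on the malware-related return codes. The DBL return codes are taken from the DBL FAQ; the message, the attachment and the domain names are constructed for the demo, and the DNS resolver is injectable so the demo runs offline against a fake resolver instead of querying Spamhaus.

```python
import io
import re
import socket
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
from typing import Callable, Dict, List, Optional, Set
from urllib.parse import urlsplit

# Spamhaus DBL return codes (see the DBL FAQ).
DBL_CODES = {
    "127.0.1.2": "spam domain", "127.0.1.4": "phish domain",
    "127.0.1.5": "malware domain", "127.0.1.6": "botnet C&C domain",
    "127.0.1.102": "abused legit spam", "127.0.1.103": "abused spammed redirector",
    "127.0.1.104": "abused legit phish", "127.0.1.105": "abused legit malware",
    "127.0.1.106": "abused legit botnet C&C",
}
# Codes we reject on: the page recommends 127.0.1.105 (compromised legitimate
# sites serving malware); dedicated malware domains (127.0.1.5) are just as bad.
BLOCK_CODES = {"127.0.1.5", "127.0.1.105"}

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls/.ppt container
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def has_vba_project(data: bytes) -> bool:
    """True if an OOXML (zip-based) document carries a vbaProject.bin part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:  # not a zip at all, so not OOXML
        return False

def attachment_verdict(data: bytes) -> str:
    """Classify by content, not file name. Legacy OLE files need a real parser
    (e.g. oletools' olevba) to tell macro from no-macro; treated as suspect here."""
    if data.startswith(OLE_MAGIC):
        return "legacy-ole"
    return "macro" if has_vba_project(data) else "clean"

def linked_domains(text: str) -> Set[str]:
    """Hostnames of all http(s) links; bare IPs are skipped (DBL does not list them)."""
    hosts = set()
    for url in URL_RE.findall(text):
        host = urlsplit(url).hostname
        if host and not re.fullmatch(r"[\d.]+", host):
            hosts.add(host.lower())
    return hosts

def dbl_lookup(domain: str, resolve: Callable[[str], str] = socket.gethostbyname) -> Optional[str]:
    """Query <domain>.dbl.spamhaus.org; NXDOMAIN (socket.gaierror) means not listed.
    Note: Spamhaus refuses queries arriving through large public resolvers."""
    try:
        return resolve(f"{domain.rstrip('.')}.dbl.spamhaus.org")
    except OSError:
        return None

def scan_message(raw: bytes, resolve: Callable[[str], str] = socket.gethostbyname) -> Dict:
    """Return {'block': bool, 'reasons': [...]} for one RFC 5322 message."""
    msg = message_from_bytes(raw)
    reasons: List[str] = []
    body = ""
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        payload = part.get_payload(decode=True) or b""
        if part.get_filename():  # any attachment, whatever its declared type
            verdict = attachment_verdict(payload)
            if verdict != "clean":
                reasons.append(f"attachment {part.get_filename()}: {verdict}")
        elif part.get_content_type() in ("text/plain", "text/html"):
            body += payload.decode(part.get_content_charset() or "utf-8", "replace")
    for dom in sorted(linked_domains(body)):
        code = dbl_lookup(dom, resolve)
        if code in BLOCK_CODES:
            reasons.append(f"link {dom}: DBL {code} ({DBL_CODES[code]})")
    return {"block": bool(reasons), "reasons": reasons}

def build_sample(with_macro: bool, link_domain: str) -> bytes:
    """Constructed test message with a minimal OOXML attachment (not real spam)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "billing@example.com", "user@example.net", "Invoice"
    msg.set_content(f"Your invoice: http://{link_domain}/wp-content/uploads/invoice.php")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12", filename="invoice.docm")
    return msg.as_bytes()

def fake_resolve(name: str) -> str:
    """Offline stand-in for DNS: one hypothetical domain is listed as 127.0.1.105."""
    if name == "compromised.example.dbl.spamhaus.org":
        return "127.0.1.105"
    raise socket.gaierror(-2, "Name or service not known")  # NXDOMAIN

if __name__ == "__main__":
    print(scan_message(build_sample(True, "compromised.example"), fake_resolve))
    print(scan_message(build_sample(False, "clean.example"), fake_resolve))
```

Two design points: attachments are judged by their bytes, so a .docm renamed to .doc is still caught, but a legacy binary .doc cannot be classified without an OLE parser and is flagged as suspect here; that is exactly where the whitelisting caveat above applies. Production lookups should go through your own caching resolver, not a public one, and every rejection should log the DBL code so false positives on compromised legitimate sites can be traced.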
Block botnet communication to known Emotet C&Cs
Even if everything else fails and users in your network get infected with Emotet, you can prevent infected machines from talking to the attackers by blocking the IP addresses of active Emotet botnet C&C servers.
- Block known Emotet botnet C&C servers at your network perimeter, e.g. on your firewall, web proxy or router, and refresh the list regularly, as the C&C servers change frequently. You can get a list of active Emotet C&C servers here: Recommended IP blocklist
How to know whether your users are infected with Emotet
If you want to know whether your users/customers got infected with Emotet, you can check your security perimeter logs for known Emotet IOCs (Indicators of Compromise).
- Check for Emotet distribution sites: Check your security perimeter logs for machines that try to reach known Emotet malware distribution sites. You can do so by checking your firewall and web-proxy logs for known Emotet distribution sites listed on URLhaus. There is also an RPZ (DNS firewall) zone and a Suricata IDS/IPS ruleset available.
- Check for Emotet botnet C&C communication / beaconing: Check your security perimeter logs for Emotet-infected machines that try to communicate with known Emotet botnet C&Cs. You can do so by checking your firewall and web-proxy logs (or alternatively NetFlow data) for the Emotet IOCs listed on Feodo Tracker. If you are using an IDS/IPS such as Snort/Suricata, or a commercial product that supports Snort/Suricata rules, there is an IDS/IPS ruleset available on Feodo Tracker as well that alerts you as soon as a machine tries to connect to a known Emotet C&C.
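The C&C log check described above, as an added example (not code from the original post or from Feodo Tracker): it parses a C&C IP blocklist in CSV form, matches firewall log lines against it and summarises which internal hosts talked to a listed C&C, how often and on which port. Both the CSV layout (a commented header followed by first_seen,ip,port,status,last_online,malware rows) and the netfilter-style log lines are constructed for this demo with TEST-NET addresses; the real Feodo Tracker feed may use different column names, so adjust load_blocklist accordingly. The same parsed list is what you would feed into the perimeter block from the previous section.

```python
import csv
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed blocklist in a Feodo Tracker-like CSV layout (assumed columns).
SAMPLE_BLOCKLIST = """\
# C&C IP blocklist (constructed sample, TEST-NET addresses)
# first_seen_utc,dst_ip,dst_port,c2_status,last_online,malware
2019-04-14 09:12:44,198.51.100.7,8080,online,2019-04-15,Heodo
2019-04-13 22:01:09,203.0.113.9,443,online,2019-04-15,Heodo
2019-04-10 11:45:00,203.0.113.25,7080,offline,2019-04-12,Heodo
"""

# Constructed netfilter (iptables LOG target) style perimeter log.
SAMPLE_LOG = """\
Apr 15 10:02:11 fw kernel: IN=eth1 OUT=eth0 SRC=10.1.2.3 DST=198.51.100.7 PROTO=TCP SPT=51234 DPT=8080
Apr 15 10:02:45 fw kernel: IN=eth1 OUT=eth0 SRC=10.1.2.3 DST=192.0.2.50 PROTO=TCP SPT=51235 DPT=443
Apr 15 10:17:13 fw kernel: IN=eth1 OUT=eth0 SRC=10.1.2.3 DST=198.51.100.7 PROTO=TCP SPT=51301 DPT=8080
Apr 15 10:32:08 fw kernel: IN=eth1 OUT=eth0 SRC=10.1.2.3 DST=198.51.100.7 PROTO=TCP SPT=51377 DPT=8080
Apr 15 10:33:50 fw kernel: IN=eth1 OUT=eth0 SRC=10.1.2.9 DST=203.0.113.9 PROTO=TCP SPT=40012 DPT=443
Apr 15 10:35:02 fw kernel: IN=eth1 OUT=eth0 SRC=10.1.2.9 DST=203.0.113.9 PROTO=TCP SPT=40013 DPT=80
Apr 15 10:36:00 fw kernel: IN=eth1 OUT=eth0 SRC=10.1.2.11 DST=203.0.113.25 PROTO=TCP SPT=40100 DPT=7080
"""

LOG_RE = re.compile(r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=\w+ SPT=\d+ DPT=(?P<dport>\d+)")

def load_blocklist(text: str, only_online: bool = True) -> Dict[str, Tuple[int, str]]:
    """Return {c2_ip: (listed_port, malware)}; '#' lines are comments.
    By default only C&Cs currently marked online are kept, mirroring the
    'recommended' list; pass only_online=False when hunting historic contacts."""
    rows = (line for line in text.splitlines() if line and not line.startswith("#"))
    listed = {}
    for first_seen, ip, port, status, last_online, malware in csv.reader(rows):
        if only_online and status != "online":
            continue
        listed[ip] = (int(port), malware)
    return listed

def find_c2_hits(log_text: str, blocklist: Dict[str, Tuple[int, str]]) -> Dict[Tuple[str, str], List[Tuple[str, int]]]:
    """Group connections to listed C&C IPs by (internal src, c2 ip) -> [(timestamp, dport)].
    Matching is on the destination IP only: a contact on an unexpected port is
    still a contact with a C&C host and is worth an analyst's look."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m["dst"] in blocklist:
            hits[(m["src"], m["dst"])].append((line[:15], int(m["dport"])))  # syslog timestamp
    return dict(hits)

def infected_hosts(hits: Dict[Tuple[str, str], List[Tuple[str, int]]]) -> List[str]:
    """Internal addresses that contacted at least one listed C&C."""
    return sorted({src for src, _ in hits})

def report(hits, blocklist) -> List[str]:
    """One summary line per (host, C&C) pair, e.g. for a ticket or a SIEM alert."""
    lines = []
    for (src, dst), contacts in sorted(hits.items()):
        port, malware = blocklist[dst]
        ports = sorted({p for _, p in contacts})
        lines.append(f"{src} -> {dst} ({malware}, listed port {port}): "
                     f"{len(contacts)} connections, first {contacts[0][0]}, ports {ports}")
    return lines

if __name__ == "__main__":
    bl = load_blocklist(SAMPLE_BLOCKLIST)
    for line in report(find_c2_hits(SAMPLE_LOG, bl), bl):
        print(line)
```

The three connections from 10.1.2.3 to the same C&C roughly fifteen minutes apart are the beaconing pattern the bullet above refers to; once a host shows up here, treat it as compromised and isolate it rather than only blocking the C&C, since Emotet will simply pick the next server from its list.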
Last updated: 15th April, 2019