Mitigating Emotet

Following are a few recommendations on how you can prevent Heodo (aka Emotet) from infecting your network. These tips are aimed at SOCs/CERTs/CSIRTs, not individuals. Please keep in mind that there is an exhaustive list of recommendations I could give you here; however, I decided to be as minimal as possible and document only those which have the largest impact.

How Emotet spreads itself

Emotet spreads itself using spam emails. These are usually sent from compromised mailboxes and contain either a malicious attachment or a hyperlink to a compromised website. The attachment or compromised website usually contains/serves an Office document with malicious macros or a JavaScript file which, once opened/executed, installs Emotet on the victim's machine.

How to block Emotet spam emails

There are different ways to prevent Emotet from bypassing your spam filter and making its way to your users' mailboxes. As Emotet switches between malicious attachments and links in the email body, there are two technical measures to take to prevent Emotet spam emails from being delivered to your users' inboxes.

Block botnet communication to known Emotet C&Cs

Even if everything else fails and users in your network get infected with Emotet, you can prevent infected machines from talking to the attackers by blocking IP addresses that are active Emotet botnet C&C servers.

How to tell whether your users are infected with Emotet

If you want to know whether your users/customers have been infected with Emotet, you can check your security perimeter for known Emotet IOCs (Indicators of Compromise).
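As an added example (not code from the original page), here is the perimeter check the last two sections describe: matching outbound connections in firewall logs against a list of known C&C addresses, so that hosts still beaconing are surfaced even after the block is in place. The C&C addresses, the log format and the log lines are constructed placeholders; in practice, feed in the current Emotet C&C list from your threat-intel source and your own firewall export.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample C&C list using documentation-range addresses
# (NOT real Emotet infrastructure). Replace with the current Emotet C&C list.
EMOTET_C2_IOCS = [
    "192.0.2.45",
    "198.51.100.0/24",
    "203.0.113.7",
]

# Constructed sample firewall log lines in a hypothetical key=value format.
FIREWALL_LOG = """\
2019-04-15T10:01:02Z fw01 action=allow src=10.0.1.23 dst=93.184.216.34 dport=443
2019-04-15T10:01:05Z fw01 action=allow src=10.0.1.23 dst=192.0.2.45 dport=8080
2019-04-15T10:02:11Z fw01 action=allow src=10.0.1.77 dst=198.51.100.200 dport=443
2019-04-15T10:03:40Z fw01 action=deny src=10.0.1.23 dst=203.0.113.7 dport=7080
2019-04-15T10:04:00Z fw01 action=allow src=10.0.2.5 dst=8.8.8.8 dport=53
"""

LOG_RE = re.compile(
    r"(?P<ts>\S+) \S+ action=(?P<action>\w+) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)"
)


def load_iocs(entries):
    """Parse indicators into network objects so single IPs and CIDR ranges
    are matched the same way (a bare IP becomes a /32)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def find_c2_contacts(log_text, iocs):
    """Map each internal host to its (timestamp, c2_ip, action) contacts.
    An 'allow' hit means the host reached a C&C and should be treated as
    infected; a 'deny' hit means the block worked but the host is still
    beaconing and needs cleanup."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        dst = ipaddress.ip_address(m["dst"])
        if any(dst in net for net in iocs):
            hits[m["src"]].append((m["ts"], str(dst), m["action"]))
    return dict(hits)


if __name__ == "__main__":
    for host, events in find_c2_contacts(FIREWALL_LOG, load_iocs(EMOTET_C2_IOCS)).items():
        print(host, events)
```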

Last updated: 15th April, 2019