It can be easy to dispute or question industry reports from top security vendors because the data is often collected...
from those vendors' customers, and it is frequently used to show how the vendors' products can better protect enterprises.
However, these reports can often help enterprises improve their information security programs. Antimalware companies often use this data-driven tactic to dig into specific examples of threats so enterprises can determine if they are adequately protected from those threats.
In this tip, we'll discuss PowerShell malware, the specific example of the Emotet Trojan and enterprise defenses for these threats.
PowerShell malware and the Emotet Trojan
McAfee reported a surge in fileless attacks in 2017's Q3 in which malicious code in macros used PowerShell to execute malware. One notable piece of fileless malware was the Emotet Trojan.
Before getting into the details of the threat, it's important to note than when a vendor report states that the highest number of incidents for a specific malware type was observed, that doesn't necessarily mean that the number is all that meaningful. The amount of malware detected only matters to an antimalware company in terms of how many resources they need to analyze the malware, report on it and ensure that their customers are adequately protected.
When a report references fileless attacks, it also doesn't necessarily mean that no files were used in the attack. Fileless usually means that no files were left behind on a system for persistence, but files were used in the attack.
The fileless aspect could also mean that PowerShell, cmd or WMIC were used as part of the attack to execute code on the endpoint. This could include downloading a file or writing data to the registry to create a persistence mechanism on the endpoint.
Emotet is a type of banking Trojan that is distributed by botnets; it spams recipients to socially engineer them into opening a malicious attachment -- usually a Word document that has a malicious macro. When the macro runs, it calls a PowerShell, cmd or WMIC command to download malware onto the endpoint for persistence.
While files are used in several different parts of the attack, the fileless aspect occurs when PowerShell or cmd is used to download the next step in the attack. Unlike using a downloader to download a piece of malware to the endpoint, the fileless approach can help to avoid potential detection.
Enterprise defenses against PowerShell malware
Since responding to malware threats is absolutely critical, ensuring your enterprise is prepared is important. We've discussed fileless malware at length, but malware is constantly evolving and, thus, security tools must do the same.
Some tools have incorporated functionality to address fileless attacks, while other new endpoint security tools have emerged to address these threats and current attacks. However, attacks continue to use known vulnerabilities or insecure functionality, as well as legitimate tools and functions like PowerShell, to take over endpoints.
While the Emotet Trojan contains new functionalities, some of them can still be blocked using basic endpoint security hygiene to prevent known vulnerabilities or insecure functionalities, such as limiting admin privilege, reducing the attack surface of an endpoint by removing or restricting unnecessary applications or tools, whitelisting, and keeping a system up to date with patches.
Your next step should be to check how your existing security tool vendors address Emotet because many different endpoint security vendors have different methods and advice on how to protect your enterprise. One common method among these tools is blocking executables or changes to the system via signatures, behavioral monitoring, or a combination of both detecting and monitoring common methods for persistence, such as preventing the Run registry keys from being modified.
Some of the tools specifically block Microsoft Word from calling out to PowerShell, which can block a malicious PowerShell command from executing on the system.
Examining infected systems on your network to determine how they were infected can identify which security controls need to be updated to properly protect your endpoints.
While the world is changing faster than anyone may realize or want to admit, some of the basics have stayed the same. Ensuring that you are regularly updating your information security program to identify which security controls are properly working is necessary to manage information security risk and protect your enterprise from the Emotet Trojan.