NEW: Microsoft Vulnerabilities Report 2022 - Read the Findings of Our Annual Report Read Now

  • Partners
  • Support
  • Careers
  • English
    • Deutsch
    • français
    • español
    • 한국어
    • português
BeyondTrust
  • Products

    Privileged Password Management

    Discover, manage, audit, and monitor privileged accounts and credentials.

    • Password Safe
    • DevOps Secrets Safe
    • Privileged Access Discovery Application

    Endpoint Privilege Management

    Enforce least privilege across Windows, Mac, Linux, and Unix endpoints.

    • Windows and Mac
    • Unix and Linux
    • Active Directory Bridge

    Secure Remote Access

    Centrally manage remote access for service desks, vendors, and operators.

    • Remote Support
    • Privileged Remote Access
    • Privileged Access Discovery Application

    Cloud Security Management

    Automate the management of identities and assets across your multicloud footprint.

    • Cloud Privilege Broker

    BeyondInsight

    Experience the industry’s most innovative, comprehensive platform for privileged access management.

  • Solutions

    Use Cases

    • Cloud Security
    • Compliance
    • Cyber Insurance
    • Digital Transformation
    • Endpoint Security
    • Operational Technology
    • Ransomware
    • Service Desk Efficiency
    • Zero Trust

    Industry Applications

    • Financial Services
    • Government Agencies
    • Healthcare
    • Law Enforcement
    • Manufacturing
    • Schools & Universities

    Solutions

    The BeyondTrust Privileged Access Management portfolio is an integrated solution that provides visibility and control over all privileged accounts and users.

  • Resources

    Learn

    • Blog
    • Customer Stories
    • Competitor Comparisons
    • Datasheets
    • Videos
    • Glossary
    • Infographics
    • Podcast
    • Whitepapers

    Attend

    • Events
    • Go Beyond
    • Training
    • Webinars

    Support

    • Changelog
    • Professional Services
    • Technical Documentation

    Universal Privilege Management

    Our innovative Universal Privilege Management approach secures every user, asset, and session across your entire enterprise.

  • Company
    • About
    • Leadership
    • Core Values
    • Partners
    • Careers
  • Watch Demo
  • Contact Sales

How to Protect against EMOTET - “The World’s Most Dangerous Malware”

August 4, 2021

  • Blog
  • Archive
  1. Home
  2. Blog
  3. How to Protect against EMOTET - “The World’s Most Dangerous Malware”

In the summer of 2020, malware infections were on a clear rise. Many new variants were appearing, and enterprises, government agencies, business leaders, and public officials were all voicing concern. Yet, seven years after it was first discovered, the spread of the EMOTET malware was arguably most concerning of all.

Fast-forward to January 2021 - thanks to a collective effort across the globe, EMOTET is FINALLY beginning to lose the battle. Investigators coordinated by Europol and Eurojust are effectively collaborating to interrupt the EMOTET botnet, and making significant headway. With that said, the threat potential of the malware remains worth paying attention to. Read on to learn how to protect your organization against EMOTET and similar threats.

What is EMOTET?

EMOTET, often called “the world’s most dangerous malware” is a type of Trojan. It manifests either as a standalone malware, or as a delivery mechanism leveraged to get additional payloads onto the target machine. First discovered in 2014 by TrendMicro, EMOTET was initially spotted attempting to navigate through systems and steal private information.

Since then, EMOTET has gained many modifications to bolster its arsenal. For instance, newer strains can communicate with a central server to download additional and updated malware. Today, EMOTET can easily spread through the simple use of phishing emails, which contain a malicious Office document sent with eye-catching subject lines. Once opened, a macro that runs a PowerShell script within the Office document triggers and the payload malware is downloaded to the now infected system.

Despite the joint efforts by Europol and Eurojust, we are still seeing EMOTET variants, as well as other malware copying EMOTET’s techniques. MITRE technique T1047 and T1059.001 are examples of WMI and PowerShell attacks that implement two common techniques used by EMOTET.

How can I protect my organization from EMOTET and EMOTET-like attacks?

Phishing attacks are prone to a degree of success due to the persistence of poor end-user cyber hygiene and awareness. However, a number of steps can still be taken to limit the damage that attacks like EMOTET can inflict. Let’s take a look at some effective security best practices:

  1. First – always, think before you click. Yes, this sounds simple, but following this simple advice substantively helps limit infections over the long run. Always assess whether you trust what you are about to click on before you do!
  2. Train your workforce. This can be in the form of targeted security awareness training for IT administrators, or more generic training for other users to ensure there is knowledge of the risks throughout your organization.
  3. Update, Update, Update! It seems that every day you get an application that is wanting an update–these updates are being provided for a reason. Often the reason for the update is to provide additional security to applications that you have installed, or to address a vulnerability that was discovered.
  4. Ensure the security essentials are in place – Antivirus, anti-spyware, firewalls, privileged access management (PAM), etc. If you lack these foundational security technologies, attackers do not need to use sophisticated attacks when targeting you.
  5. Constantly work to reduce your attack surfaces and threat exposure. An end user running with more privileges than absolutely necessary makes it a fairly easy exercise for malware to infiltrate a system and propagate through a network. Removing all unnecessary privileges helps reduce attack surfaces and also restricts the ability for lateral movement inside the network.

How BeyondTrust Privilege Management for Windows protects against phishing attacks and malware

BeyondTrust’s Privilege Management for Windows product provides manifold protections against malware, phishing exploits, and other attacks. One special product capability, called Trusted Application Protection (TAP), prevents commonly used attack chain tools from being spawned by trusted applications.

TAP Policies utilize properties of the processes on the endpoint to determine:

  • What the processes are
  • Their relationships with other processes

When a user opens a malicious document with a payload, the TAP Policies will block the launch of the payload, protecting the user and their endpoint.

Figure 1: How regular attacks trigger payloads

However, EMOTET can be a bit trickier than what is shown in the above figure. The EMOTET payload, a PowerShell script, is not triggered as a direct child of the trusted application. Instead, the payload is launched via a WMI call, thus, PowerShell.exe is not seen as a child of the trusted process.

This evasive method is increasingly being used within attacks as it is more difficult to track where the process originated.

Figure 2: How EMOTET triggers its payload using out-of-hierarchy process launches.

In v21.3 of Privilege Management for Windows, we added our patented functionality to help protect against these more sophisticated attack techniques, such as used by EMOTET. With our ability to track processes being created, including out-of-hierarchy child processes, we can block these attacks when they occur (Figure 3).

Figure 3: How Privilege Management for Windows intercepts the attempt to launch PowerShell.

Learn more about Trusted Application Protection & Endpoint Privilege Management.

In this video, James Maude, BeyondTrust’s Lead Cyber Researcher, demonstrates how the TAP and Advanced Parent Tracking capabilities of Privilege Management for Windows prevent an attack that uses out-of-hierarchy process launches.

Video: BeyondTrust’s Advanced Parent Tracking feature protecting against out-of-hierarchy process launches.

If you have questions or would like to explore the solution further, contact us today.


Videos

Demo: Trusted Application Protection in Privilege Management for Windows & Mac

Datasheets

Quick Start Privilege Management for Windows & Mac

Whitepapers

The 5 Critical Steps in your Endpoint Protection Strategy

Photograph of ​Caleb Kershaw

​Caleb Kershaw, Senior QA Engineer

Caleb Kershaw is a Senior QA Engineer on the Privilege Management for Windows team at BeyondTrust. Since Graduating from Staffordshire University (UK), having earned a Bachelor of Science degree in Forensic Computing, Caleb joined Avecto (now part of BeyondTrust) as a member of their Customer Technical Support Team in 2014, Caleb moved over to the Quality Assurance department in 2017 and has been working with the Privilege Management for Windows product for 6+ years.

Stay Up To Date

Get the latest news, ideas, and tactics from BeyondTrust. You may unsubscribe at any time.

I agree to receive product related communications from BeyondTrust as detailed in the Privacy Policy, and I may manage my preferences or withdraw my consent at any time.

Up next

From July 29, 2021:
The Seven Perils of Privilege: How Exactly Can You Avoid Them?
From August 6, 2021:
KuppingerCole Executive Review of Endpoint Privilege Management & the BeyondTrust Solution

You May Also Be Interested In:

Whitepapers

Microsoft Vulnerabilities Report 2022

Whitepapers

Cybersecurity Insurance Checklist

Whitepapers

Privileged Access Management: PAM Checklist

Keep up with BeyondTrust

I agree to receive product related communications from BeyondTrust as detailed in the Privacy Policy, and I may manage my preferences or withdraw my consent at any time.

Customer Support
Contact Sales

Products

  • Endpoint Privilege Management
  • Password Management
  • Privileged Remote Access
  • DevOps Secrets Safe
  • Remote Support
  • Cloud Privilege Broker

Resources

  • Blog
  • Case Studies
  • Competitor Comparisons
  • Datasheets
  • Glossary
  • Infographics
  • Podcast
  • Videos
  • Webinars
  • Whitepapers

About

  • Company
  • Careers
  • Contact
  • Events
  • Leadership Team
  • Partner Program
  • Press
BeyondTrust Logo
  • Facebook
  • Twitter
  • LinkedIn
  • Privacy
  • Security
  • Manage Cookies
  • WEEE Compliance

Copyright © 1999 — 2022 BeyondTrust Corporation. All rights reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust Corporation is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.