Answering Your Emotet Questions from the Webinar, Emotet: Taming a Wild Trojan
- On June 12, we hosted a deep-dive technical webinar on Emotet, featuring Robert Bigman, former CISO at the CIA, and James Wright, VP Engineering and Threat Research at Bromium
- In this blog, we answer your Emotet questions submitted during the webinar
- If you missed the webinar, you can listen to it on-demand, embedded at the end of this post
On June 12, Robert Bigman, former CISO at the CIA, and myself, James Wright, VP Engineering and Threat Research at Bromium, presented a deep-dive webinar on Emotet – a fast-spreading polymorphic Trojan that easily evades conventional detection tools and techniques. In the webinar, we covered the evolution of Emotet, explained its invasion methods and social engineering techniques, examined its disguise tricks, and assessed potential damage that Emotet can do to corporations once it takes hold.
During the webinar, we received a number of questions, pertaining to both Emotet and Bromium application isolation. Below is the summary of the Q&A session, including questions that we did not have time to answer on the call. As always, we invite you to continue the dialog. If you have any follow-up Emotet questions or would like to learn more about how Bromium can protect your organization from Emotet and other types of attacks, use the comments section at the bottom of this blog, or contact us.
Now, to your Emotet questions:
Which companies are most likely to get hit with Emotet? Does it target specific verticals?
James Wright, Bromium: Emotet is rather far-reaching, and it’s one of the few campaigns that we witness across many geographies and types of machines – from consumer to the government. Most malware types that typically target consumers don’t get very far with reaching government endpoints; and most of the sophisticated nation-state malware doesn’t show up on consumer PCs.
Emotet, on the other hand, appears everywhere, across all types of endpoints. Interestingly, the second and third stages of the attack vary depending on the type of machine – there’s evidence that suggests that Emotet tries to identify which machine it has landed on, then decides how to behave from that point on. If it appears that it has infected a consumer machine, it may choose to leave behind a piece of ransomware; if it knows it has landed on a high-value machine, it could decide to hold on to it and search for additional information.
Robert Bigman: I have been seeing Emotet infections in Europe, specifically Germany and France, and most recently here in the US. We are also seeing indicators that Emotet mostly targets large financial and insurance corporations – it goes after organizations that manage large sums of money.
Where does Emotet originate from, and which groups are deploying it?
Wright: While it’s hard to precisely determine the origin of Emotet, we suspect, because of its commercial nature, that it’s likely created by a criminal gang. There’s some limited evidence that suggests that initially it came from Eastern Europe.
Bigman: No smoking gun, but it looks to us that it’s the work of a Russian cybercriminal.
What file types are being used to spread Emotet?
Wright: We are seeing multiple variants and versions of Word documents as a primary payload. We also see PDFs, as well as zip files that come in as attachments, then cause a Word document to get downloaded.
What’s the best way to detect Emotet and how does Bromium do it?
Wright: Bromium doesn’t really focus on “detection” from the security point of view. We care about identifying the malware so we can gather intelligence, but if we don’t detect it, it stays in the virtual machine, without causing any harm to the endpoint or the network.
Our method for identifying the malware is based on behavior: the virtual machine that the malware is running in is supposed to be doing just one job, such as reading a Word document, and it becomes obvious that something is wrong when random executables begin to appear. A host machine that’s not protected by Bromium is running multiple processes at the same time, and it’s not quite so easy to detect that something suspicious may be going on.
How does Bromium compare to EDR solutions?
Wright: EDR (endpoint detection and response) is an excellent tool, and its detection methods are very behavioral. It’s like a flight recorder on an airplane – the recording happens in the background, and if something bad happens, you have lots of data available for analysis and review.
When you put EDR is pure detection mode, to some extent, the endpoint becomes sacrificial – in order to see what’s going on, you have to let the attack play out and cause actual harm to the machine. You will certainly get some intelligence from that, but then you would have to perform remediation on that endpoint, and you often have a very limited amount of time before malware begins to spread. You can also run EDR in a “blocking” mode – when you see the behavior get to a certain point, you can stop the execution, which used to work well until the bad guys figured out how to outsmart it.
The difference with the isolation technology is that we are still doing the behavior-based detection, but the whole thing is isolated inside a single-use virtual machine. The user is not aware of anything bad happening and is not interrupted in their workflow, but you can let the whole thing play out, and it won’t do any harm, because it can’t get out of the VM.
Is Bromium a cloud or on-premise management solution?
Kimberly Becan, Director of Product Marketing, Bromium: There’s a lot of flexibility on how organizations can deploy Bromium: on-premise, on a private cloud, or via our managed cloud service offering. And all the intelligence and analysis that was covered in today’s webinar is available to you regardless of which deployment option you select.
Is there a Bromium solution for consumer use?
Wright: While Bromium Secure Platform is primarily an enterprise tool, through our partnership with HP, there’s an HP-branded variant of our software called SureClick, and it’s included with various models of HP laptops.
Looking for more information on Emotet? Check out Bromium’s technical Emotet blogs.
- Subscribe: Bromium technical blogs to receive an email update when technical blogs are posted (does not include company news or other blogs)
Emotet: Taming a Wild Trojan webinar on-demand
Beyond Emotet: Bromium Threat Research
Looking for similar threat intelligence and research? Check out the Bromium Threat Insights Report. These reports highlight the top threats that Bromium Labs uncovered each month, and are available to everyone – no form required.