Attacked by Trojan.Emotet
We’ve just recovered from one of the most intrusive viruses to date with minimal damage to the client’s network. It’s been two days since the incident and with the client’s network up and running as usual, I’ve found some time to write a post about it. I’ll go over what the virus is, how it affected the network, and what we did to contain and then eliminate the threat, as well as prevention measures.
It started with a firewall detection of a suspicious file being downloaded through a web page that had been emailed to one of the client’s employees. From there, the virus spread to almost all of the client’s servers and a large number of workstations.
After our research, we concluded that it was the Emotet virus. Trojan.Emotet is a banking Trojan with the ability to steal data, most commonly user credentials, by sniffing network traffic. It is commonly introduced into a network through emails disguised as invoices or notifications from trusted sources such as Microsoft or the IRS. Once the virus is in the network, it spreads rapidly, using the EternalBlue vulnerability to exploit unpatched machines. Furthermore, Trojan.Emotet is polymorphic, and therefore difficult to detect by signature.
Credit: United States Computer Emergency Readiness Team
In our case, the virus was disguised as a .png image attached to an email, and the client’s employee opened it and downloaded it to their machine. From there, it spread to the servers, dropping an executable called mssvca.exe in the C:\ and C:\Windows directories. Not only that, but the virus also created new services running in the background. The IVComputer team caught this early and tried to delete the file, but it quickly reappeared. To stop the file from being opened or executed, we modified its permissions to deny all read and write access while we located every infected machine and took each one off the network before the infection could spread further.
The following are the steps we took to remove Emotet and prevent further infections.
1. Identify infected machines.
2. Disconnect the machines from the network.
3. Delete mssvca.exe (also seen as mttvca.exe), including any copy in C:\Users\Default\AppData\Roaming\aimy.
4. Find suspicious services in services.msc and delete them with “sc.exe delete <service name>” from an elevated command prompt (examples seen: Technoservice1, New ServiceTech2, etc.). Quote the name if it contains spaces.
5. Disable Administrative Shares (C$ and Admin$)
6. Make registry changes so the administrative shares are not recreated automatically, by creating the following in Notepad, saving it as a .reg file, and importing it:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"AutoShareWks"=dword:00000000
"AutoShareServer"=dword:00000000

On any machine running Windows 10 or Server 2016, Windows Defender may have been disabled by the virus. Run regedit, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender and delete the DisableAntiSpyware value.
7. Update and run antivirus.
8. Install all patch updates and/or reimage infected machines.
9. Reset passwords for all credentials.
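Steps 3 to 6 above, as one PowerShell script. This is an added example, not code from the original post or from IVComputer: it assumes Windows 8/Server 2012 or later (for the SmbShare cmdlets), an elevated session on a machine already disconnected from the network, and uses only the file names, drop directories, service-name fragments and registry values that appear in the steps above. The script structure, the -WhatIf dry-run support and the fallback to denying access when deletion fails are assumptions of this example.

```powershell
# Added example, not code from the original post or from IVComputer. Performs
# steps 3-6 of the procedure above on one machine from an elevated PowerShell,
# after the machine has been disconnected from the network. File names, drop
# directories, service-name fragments and registry values come from the post;
# everything else (structure, -WhatIf support) is an assumption.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string[]]$BinaryNames     = @('mssvca.exe', 'mttvca.exe'),
    [string[]]$DropDirs        = @('C:\', 'C:\Windows', 'C:\Users\Default\AppData\Roaming\aimy'),
    [string[]]$ServicePatterns = @('Technoservice', 'ServiceTech')
)

$findings = New-Object System.Collections.Generic.List[string]

# Step 3: the dropped binary. Stop anything running from that path, then delete it.
# If deletion fails (file locked, or recreated by a service not yet removed), fall
# back to what the post did: strip inherited ACEs and deny everyone access.
foreach ($dir in $DropDirs) {
    foreach ($name in $BinaryNames) {
        $path = Join-Path $dir $name
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $findings.Add("File present: $path")
        if (-not $PSCmdlet.ShouldProcess($path, 'Stop process and delete file')) { continue }
        Get-Process -ErrorAction SilentlyContinue |
            Where-Object { $_.Path -and $_.Path -ieq $path } |
            Stop-Process -Force -ErrorAction SilentlyContinue
        try {
            Remove-Item -LiteralPath $path -Force -ErrorAction Stop
        } catch {
            & icacls.exe $path /inheritance:r /deny 'Everyone:(F)' | Out-Null
            $findings.Add("Could not delete $path; denied Everyone access instead")
        }
    }
}

# Step 4: services. Match on the name fragments the post gives, and also on any
# service whose binary path points at the dropped file (Win32_Service exposes PathName).
$services = Get-CimInstance -ClassName Win32_Service | Where-Object {
    $svc = $_
    ($ServicePatterns | Where-Object { $svc.Name -like "*$_*" -or $svc.DisplayName -like "*$_*" }) -or
    ($BinaryNames     | Where-Object { $svc.PathName -like "*$_*" })
}
foreach ($svc in $services) {
    $findings.Add("Service: $($svc.Name) [$($svc.State)] -> $($svc.PathName)")
    if ($PSCmdlet.ShouldProcess($svc.Name, 'Stop and delete service')) {
        Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
        & sc.exe delete "$($svc.Name)" | Out-Null   # same command the post uses
    }
}

# Steps 5 and 6: remove the administrative shares now and keep them from being
# recreated, using the two LanmanServer values from the post's .reg file.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
foreach ($value in 'AutoShareWks', 'AutoShareServer') {
    if ($PSCmdlet.ShouldProcess("$lanman\$value", 'Set DWORD to 0')) {
        New-ItemProperty -Path $lanman -Name $value -PropertyType DWord -Value 0 -Force | Out-Null
    }
}
foreach ($share in 'C$', 'ADMIN$') {
    if ((Get-SmbShare -Name $share -ErrorAction SilentlyContinue) -and
        $PSCmdlet.ShouldProcess($share, 'Remove administrative share')) {
        Remove-SmbShare -Name $share -Force
    }
}

# Step 6, second part: the Defender policy value the post found the virus had set.
$defenderPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$disabled = Get-ItemProperty -Path $defenderPolicy -Name DisableAntiSpyware -ErrorAction SilentlyContinue
if ($null -ne $disabled) {
    $findings.Add("Defender policy DisableAntiSpyware = $($disabled.DisableAntiSpyware)")
    if ($PSCmdlet.ShouldProcess("$defenderPolicy\DisableAntiSpyware", 'Remove value')) {
        Remove-ItemProperty -Path $defenderPolicy -Name DisableAntiSpyware
    }
}

# Report per host, so results can be compared across the rest of the network.
if ($findings.Count -eq 0) { $findings.Add('No indicators from the post found on this host') }
$findings | ForEach-Object { Write-Output "[$env:COMPUTERNAME] $_" }
```

Run it first with -WhatIf to see what it would touch; without -WhatIf it acts. The file is deleted rather than only locked because the service that recreates it is removed in the same pass; the deny-ACL fallback only kicks in when deletion fails, which is the situation the post describes when the file kept reappearing.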
We also checked several other locations where Trojan.Emotet might have dropped files, such as C:\Users\<username>\AppData\Local\Microsoft\Windows, and the registry keys HKLM\Software\Microsoft\Windows\CurrentVersion\Run, HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run, and HKCU\Software\Microsoft\Windows\CurrentVersion\Run. We then checked Task Scheduler, as the virus may create a task that runs when a user logs into the infected machine.
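The persistence check described above, as an added PowerShell example that is not part of the original post or IVComputer's tooling. It enumerates the three Run keys named above and every scheduled task, and flags entries that reference the file names or AppData paths the post associates with this infection. The indicator strings come from the post; the two-tier verdict (MATCH for a known indicator, REVIEW for anything launched from a user-writable AppData path) and the logon-trigger annotation are assumptions of this example, and Get-ScheduledTask requires Windows 8/Server 2012 or later.

```powershell
# Added example, not code from the original post or from IVComputer. Lists the
# autostart locations the post names (three Run keys and Task Scheduler) and flags
# entries referencing the post's file names or AppData paths. Flagged rows are
# leads to inspect, not verdicts.
param(
    [string[]]$Indicators = @('mssvca.exe', 'mttvca.exe', '\AppData\Roaming\aimy')
)

$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
# Provider metadata that Get-ItemProperty returns alongside the real values
$ProviderProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-Verdict {
    param([string]$Command)
    foreach ($i in $Indicators) {
        if ($Command -like "*$i*") { return 'MATCH' }
    }
    # Legitimate autostarts almost always live under Program Files or Windows;
    # something launched from a profile's AppData folder deserves a look.
    if ($Command -match '\\AppData\\') { return 'REVIEW' }
    return $null
}

$hits = New-Object System.Collections.Generic.List[object]

# Run keys: one registry value per autostart entry; the value data is the command line.
foreach ($key in $RunKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $entry = Get-ItemProperty -Path $key
    foreach ($prop in $entry.PSObject.Properties) {
        if ($ProviderProps -contains $prop.Name) { continue }
        $verdict = Get-Verdict -Command ([string]$prop.Value)
        if ($verdict) {
            $hits.Add([pscustomobject]@{
                Verdict = $verdict; Source = $key; Name = $prop.Name; Command = $prop.Value
            })
        }
    }
}

# Scheduled tasks: check every Exec action, and note logon triggers, which is how
# the post says the virus re-launches itself when a user signs in.
foreach ($task in Get-ScheduledTask) {
    $onLogon = @($task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' }).Count -gt 0
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }   # skip non-Exec (COM handler) actions
        $cmd = ("$($action.Execute) $($action.Arguments)").Trim()
        $verdict = Get-Verdict -Command $cmd
        if ($verdict) {
            $hits.Add([pscustomobject]@{
                Verdict = $verdict
                Source  = "Task $($task.TaskPath)$($task.TaskName)" + $(if ($onLogon) { ' (logon trigger)' } else { '' })
                Name    = $task.TaskName
                Command = $cmd
            })
        }
    }
}

$hits | Sort-Object Verdict, Source | Format-Table -AutoSize -Wrap
# To compare hosts across the estate, export instead of printing:
# $hits | Export-Csv -NoTypeInformation -Path "$env:COMPUTERNAME-autostarts.csv"
```

Running it on a known-clean machine first gives a baseline of the REVIEW rows that are normal for the environment, so that on an infected host only the differences need attention.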
To prevent any further infections, we have downloaded all updates for all Windows machines, increased firewall security, and disabled SMB on all servers. The virus crippled one of their servers, but it was quickly recovered because IVComputer ensures all of our clients have regular backups; downtime for that server was about two hours.
IVComputer urges all of our clients to keep up to date with Microsoft patches, be more skeptical of unusual emails, and ensure regular backups are running and recoverable. Our contract customers all have at least four backups at all times, and every month we check that they are running and that every backup is restorable. Happy Friday, and October is National Cyber Security Awareness Month, so be vigilant and be safe!