• Emotet malware disrupted

    • #2338139

      I have a question about this. Krebs says “If the computer opened the attachment or the link, the malware got installed”. How does that work? I read my email and run my web browser [and do most everything else] as a non-privileged user. Can Emotet infect you from a non-privileged account? If so, how does that happen?

      • #2338279

        Malware can infect you via security holes in Windows / iOS / Linux. That is why patches are released, to patch those holes.

        The basic rule of computer security is: if you don’t know the sender or were not expecting an attachment, don’t open it until you have checked / virus scanned.

        cheers, Paul

        • #2338344

          I know that there are always the vague allegations of zero-day privilege escalation bugs lurking. BUT — did *this specific* attack exploit one such, or are you just making a blind general statement about the probability of serious bugs in a very complicated system? If you’re just saying “we don’t know but there must be a bug it found”, that’s not very reassuring [nor particularly helpful].

          In the past, for example, almost all Windows vulnerabilities took advantage of patched security holes that the user just never installed. If Emotet was exploiting something already patched, then it is a much less dangerous bit of malware than if the best we can say is “we haven’t a clue how it managed to get itself installed, but it did”, which is truly scary [since I’d assume that whatever that vulnerability is, other malware besides Emotet could be out there exploiting it].

          • #2338346

            Not knowing your level of knowledge I provided the basics. If you want the details read this CISA article.

            cheers, Paul

            • #2338354

              There are a bunch of user-level things that are annoying [scraping addresses from Outlook; Emotet has sent Microsoft Word documents with embedded macros that will invoke scripts to download additional payloads; etc.], but the only “real” threats I saw were:

              • Emotet leverages the Admin$ share for lateral movement once the local admin password has been brute forced.
              • Emotet has been seen exploiting SMB via a vulnerability exploit like ETERNALBLUE (MS17-010) to achieve lateral movement and propagation.  [patched in 2017!]

              Is that the extent to how it gets embedded?

              [And I have to plead guilty and rethink it: I have a not-hard-to-guess password on my local admin account even though I have very secure passwords [via pwsafe] for everything else. I probably need to enter the admin password once or twice a day. So if it were a secure 20-character monster [as all my pwsafe passwords are] I’d go crazy.]

              I know you can do a gigantic amount of damage to a system just as the local user [e.g., encrypting/deleting all the files that the user has write access to, setting itself to be restarted [scheduled tasks, adding to the startup jobs], reaching out on the local net and to SMB-mounted drives, etc.], and I do worry about that stuff, which isn’t easily undone. Once a privileged account is breached [again, IMO], though, your system is pretty well cooked.

              Meta question: drive-by web downloads — if you normally run with JavaScript disabled [via NoScript in FF], does that mitigate the danger of drive-by malware?

    • #2338106

      More good news on the ransomware front:

      https://www.bleepingcomputer.com/news/security/netwalker-ransomware-dark-web-sites-seized-by-law-enforcement/

      Wonder who keeps the seized assets? They should return the funds to the unfortunate victims.

    • #2338133

      There is a link in the Krebs comments (translate to language of choice) allowing people to check their email address. I suspect most reading AskWoody are more than sufficiently educated to avoid the problem, but those who service clients with potentially affected computers may like to take advantage of the email check service.

    • #2338373

      Law enforcement has started to distribute an Emotet module to infected devices that will uninstall the malware on April 25th, 2021.

      Europol: Emotet malware will uninstall itself on April 25th
