Emotet Malware Leads to the Shutdown of an Entire Business Network by Overheating PCs: It Started with a Phishing Email
Emotet is Trojan-type malware that primarily spreads through spam emails. The email may look like an official business message, impersonating a familiar brand name. It can
How did the attack happen?
According to DART (the Microsoft Detection and Response Team), Emotet managed to sneak past all the firewall rules and security software at Fabrikam (an alias Microsoft uses to protect the client's real name). It tricked one employee into opening a malicious email attachment, which handed that employee's login credentials to the attackers. After a chain of events, the organization's core systems were shut down by overheating PCs.
Once past Fabrikam's defenses, the malware in that opened email handed machine access credentials to the attackers' C2 (command and control) server. The C2 infrastructure also delivered updates to the malware so it could keep bypassing the firewall rules.
Four days later, the attackers used the initially compromised account to spread the malware by emailing other Fabrikam employees and external contacts. We generally trust email from internal accounts, and most email filters do not even scan internal mail. As a result, more computers were infected. Using stolen access to admin accounts, the malware authenticated itself across the network, all the way to its core infrastructure.
On the eighth day after the first malicious email was opened, the network crashed. Computers began to freeze, overheat, shut down abruptly, and reboot. The malware also consumed all of the network's bandwidth in a DDoS (Distributed Denial of Service) attack. With the network saturated, even the IT department was unable to diagnose the situation.
After realizing the situation was beyond their control, Fabrikam called in DART. One DART team went onsite with Fabrikam, while another DART team assisted remotely.
DART deployed Microsoft malware detection tools, including trial deployments of Defender ATP (Advanced Threat Protection), Azure ATP services, and Azure Security Scan, which gave them visibility into Fabrikam's operations. The onsite DART team used these tools to get into the network and create buffer zones to contain the malware. They repaired Microsoft System Center Configuration Manager so the systems could recover. Then they made architectural changes to stop the malware from reinfecting systems and separated the asset and admin environments.
It is better to deploy email filters even for mail inside the organization and to add multi-factor authentication for administrative directory accounts. Additionally, it is better to have a network visibility tool. These measures help you stop the spread of malware, or at least slow it down, without losing the entire network.
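The spread described above (one compromised internal account mailing a malicious attachment to colleagues and partners, unfiltered because it is internal) and the recommendation to filter internal mail both come down to the same gateway logic. The following is an added example, not code from the DART report or from Microsoft: it screens constructed mail-log records, inspecting attachments from internal senders exactly as it would external ones, and flags an internal account that suddenly mails many distinct recipients in a short window. The domain, thresholds, and log format are assumptions.

```python
"""Screen a mail log the way an internal-aware gateway would: inspect attachments
from internal senders too, and flag one account that suddenly mails everyone."""
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "fabrikam.example"   # assumed placeholder, not the real client
RISKY_EXTENSIONS = (".docm", ".xlsm", ".doc", ".xls", ".js", ".vbs", ".zip")
FANOUT_THRESHOLD = 4                    # distinct recipients within one window
FANOUT_WINDOW = timedelta(hours=1)

# Constructed sample records (msg_id, timestamp, sender, recipient, attachment):
# alice's account is compromised and starts blasting a macro document.
SAMPLE_LOG = [
    ("m1", "2020-03-02T09:00:00", "alice@fabrikam.example", "bob@fabrikam.example", "report.pdf"),
    ("m2", "2020-03-02T09:05:00", "alice@fabrikam.example", "carol@fabrikam.example", "INVOICE_0312.docm"),
    ("m3", "2020-03-02T09:06:00", "alice@fabrikam.example", "dave@fabrikam.example", "INVOICE_0312.docm"),
    ("m4", "2020-03-02T09:07:00", "alice@fabrikam.example", "erin@fabrikam.example", "INVOICE_0312.docm"),
    ("m5", "2020-03-02T09:08:00", "alice@fabrikam.example", "frank@partner.example", "INVOICE_0312.docm"),
    ("m6", "2020-03-02T11:30:00", "bob@fabrikam.example", "alice@fabrikam.example", "notes.txt"),
]

def is_internal(address):
    return address.lower().endswith("@" + INTERNAL_DOMAIN)

def screen_messages(records, threshold=FANOUT_THRESHOLD, window=FANOUT_WINDOW):
    """Return {'quarantined': [msg_ids], 'fanout_senders': [senders]}.

    Attachment checks apply to every message, internal sender or not; the
    fan-out check counts distinct recipients per internal sender in a sliding window.
    """
    quarantined = []
    sends = defaultdict(list)           # sender -> [(timestamp, recipient)]
    for msg_id, ts, sender, recipient, attachment in records:
        if attachment and attachment.lower().endswith(RISKY_EXTENSIONS):
            quarantined.append(msg_id)  # deliberately no exemption for internal senders
        sends[sender].append((datetime.fromisoformat(ts), recipient))
    fanout_senders = []
    for sender, events in sends.items():
        if not is_internal(sender):     # a burst from one of our own accounts is the signal
            continue
        events.sort()
        for i, (start, _) in enumerate(events):
            recipients = {r for t, r in events[i:] if t - start <= window}
            if len(recipients) >= threshold:
                fanout_senders.append(sender)
                break
    return {"quarantined": quarantined, "fanout_senders": fanout_senders}

if __name__ == "__main__":
    print(screen_messages(SAMPLE_LOG))
```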