This article is designed to help Sophos customers who have detections for the Emotet or TrickBot malware. While these two malware families are different, networks infected with one will often have the other as well. This is primarily because Emotet spreads across a network and downloads TrickBot as it goes. Both threats are very advanced and fast moving. They use different techniques to achieve their goals, but removing them involves taking the same actions. In this article, we cover the basic points worth knowing about these threats, how to remove them, and how to improve your security to help prevent getting infected again in the future.
The following sections are covered:
Emotet is often referred to as a banking trojan or worm. It is a very advanced threat that is updated multiple times a day by the cybercrooks controlling it. It has 3 primary goals:
Traditionally, the payloads have mostly been banking Trojans, with TrickBot being the most prevalent. Other payloads have included Qbot, Dridex or IcedID. There is also a connection between Emotet and a very dangerous targeted ransomware family called BitPaymer.
In July 2018 the U.S. Department of Homeland Security said in an alert:
"Emotet is an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. Additionally, Emotet is a polymorphic banking Trojan that can evade typical signature-based detection. It has several methods for maintaining persistence, including auto-start registry keys and services. It uses modular Dynamic Link Libraries (DLLs) to continuously evolve and update its capabilities. Furthermore, Emotet is Virtual Machine-aware and can generate false indicators if run in a virtual environment."
Similar to Emotet, TrickBot is also referred to as a banking trojan and worm. It carries out many of the same activities as Emotet, for example constantly trying to spread to other computers and updating itself multiple times a day. Its primary goal is to steal users' money by accessing their online bank and PayPal accounts. TrickBot is arguably more advanced than Emotet as it has additional techniques it uses to spread, for example:
In addition, TrickBot is modular, meaning the attackers can pick and choose which type of attack they want to carry out.
In September 2018 the UK's National Cyber Security Centre published an advisory saying:
"Trickbot is reported to have a range of malicious capabilities, including the ability to:
Customers who have active outbreaks of Emotet and/or TrickBot may see the following detections:
The following are also likely to be seen, although are not exclusive to Emotet/TrickBot:
Another indication of an Emotet infection is additional malicious services created on the machine. This is due to how Emotet installs itself on a machine, creating randomly named numeric services, which in turn try to run another randomly named executable in the C:\Windows location.
This example shows 4 Emotet services that have been created on an infected machine. Often there will be many more than this:
Note: If you have already resolved an Emotet infection but have Emotet services left on a machine, please see this article: How to Delete Orphan [Numeric] Emotet Windows Services
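The service pattern described above (an all-numeric service name that launches an executable sitting directly in C:\Windows) can be checked against an exported service list. This is an added example, not Sophos code; the sample export and its service and file names are constructed, and the CSV is assumed to come from the Win32_Service Name and PathName properties.

```python
import csv
import io
import re

# Constructed sample of a service export, e.g. produced on the machine with:
#   Get-CimInstance Win32_Service | Select-Object Name,PathName |
#       Export-Csv services.csv -NoTypeInformation
SAMPLE_EXPORT = r'''"Name","PathName"
"Spooler","C:\Windows\System32\spoolsv.exe"
"12345678","C:\Windows\kdhfgtyu.exe"
"90817263","""C:\Windows\mwpqzrtb.exe"" -k"
"20481","C:\Program Files\Vendor\agent.exe"
"W32Time","C:\Windows\system32\svchost.exe -k LocalService"
'''

# Service name made up of digits only.
NUMERIC_NAME = re.compile(r"^\d+$")
# Executable located directly in C:\Windows (no further sub-folder),
# with or without surrounding quotes and trailing arguments.
ROOT_EXE = re.compile(r'^"?c:\\windows\\[^\\"/]+\.exe\b', re.IGNORECASE)


def suspicious_services(export_text):
    """Return (name, path) for services matching both parts of the pattern."""
    hits = []
    for row in csv.DictReader(io.StringIO(export_text)):
        name = (row.get("Name") or "").strip()
        path = (row.get("PathName") or "").strip()
        if NUMERIC_NAME.match(name) and ROOT_EXE.match(path):
            hits.append((name, path))
    return hits


if __name__ == "__main__":
    for name, path in suspicious_services(SAMPLE_EXPORT):
        print(f"review service {name}: {path}")
```

A match is a lead for review rather than a verdict; legitimate software occasionally uses numeric service names, which is why the check requires both conditions.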
Due to the advanced, fast moving and polymorphic nature of these threats, you need to consider your entire network, concentrating on getting the basic protection steps in place first. If you don't do this and instead concentrate efforts on individual computers and suspicious files you are unlikely to ever get ahead of the infection and regain control of the network.
It is vital to understand the difference between a computer that is infected and one that is just affected. Below is a simplified example of how an Emotet infection typically starts.
This difference matters. If you concentrate on the detections reported from Sophos-protected computers that are only being affected, you may be looking at malicious files that are detected and removed right away, causing no harm but triggering an alert. In reality, the infected computers that don't have any Anti-Virus on them aren't in the Sophos Management Console and therefore aren't sending you any alerts. It is the infected hosts that are critical to find, isolate and protect first.
To protect against a future Emotet/TrickBot attack as well as resolving a current outbreak, the most important steps that must be taken are:
It is an easy assumption to make that every computer on your network has Anti-Virus installed, however unless you are confident you actually know about every computer on your network you can't be sure they all have Anti-Virus. There are many ways of identifying devices on your network and you may already have methods of doing this. The option that works best for you could depend on network size and segmentation. One of the most common methods is to do a network scan and let it detect what is on the network at that moment. One free and simple tool to use is the Advanced IP Scanner.
Using this, you will be able to quickly generate a list of devices active on your network. You can use this to cross check the devices listed in your Sophos management console.
Sophos provides a free tool called the Source of Infection (SOI) tool. The SOI tool is not an Anti-Virus product; it will not detect or remove any malware. What it will do, if left running on a computer, is log every file that is written to the computer while SOI is running. It will provide a log file with a list of every file that was written, its full file path, the date and time it was written, and whether it was written by a local or network process. For local processes, it will list the name and path of the file that wrote it. For network processes, it will list the remote IP address or computer name. By looking at the log file and identifying files that look suspicious or were subsequently detected by Sophos on that machine, you can identify the machines these files came from, or potential undetected malware on the machine running SOI.
The best scenario to use SOI in is where you have a protected machine that is repeatedly getting detections. Once SOI is running you will need to leave it running and wait for the next detection or suspicious file to be written to the machine, then use the log to identify where it came from. To download and use SOI, follow the instructions below.
First, identify a computer you want to run SOI on, ideally the one that is repeatedly reporting malware detections.
This will launch the SOI tool. The CMD window needs to remain open; closing it will stop SOI. Once a new malware detection has occurred on the computer (this may take anywhere from seconds to days depending on the situation), you can stop SOI by closing the CMD window.
Note: It is often worth leaving SOI running until you have identified the information you are looking for in the log. It may be that multiple infected machines are dropping files across the network, and the longer you leave SOI running, the higher the chance of capturing this information in the log.
The SOI log can be found here: %temp%\Source of Infection Log.csv
This is a simple CSV file which could be opened in Microsoft Excel or any text editor. The example below shows two suspicious files that were written to the computer from a remote network location. In this example those two IP addresses are the infected hosts that should be located, isolated and protected to stop the further spreading of more malicious files.
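The triage described above can be scripted: take the files Sophos detected, find which remote sources wrote them, and check each source against the devices listed in the management console. This is an added example, not part of the SOI tool; the column names, the "Network" marker and every value in the sample log are assumptions constructed for illustration, so adjust them to your own log.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Assumed column names and "Network" marker (not taken from SOI itself);
# change them to match the header row and values of your own log.
COL_FILE, COL_TYPE, COL_SOURCE = "File", "Process Type", "Source"

# Constructed sample log; the addresses come from documentation ranges.
SAMPLE_LOG = r"""Time,File,Process Type,Source
2019-02-01 09:14:02,C:\Windows\Temp\setup.log,Local,C:\Windows\System32\msiexec.exe
2019-02-01 09:20:41,C:\Windows\sample_a.exe,Network,192.0.2.15
2019-02-01 09:20:44,C:\Windows\sample_b.exe,Network,192.0.2.15
2019-02-01 09:31:10,C:\Users\Public\report.docx,Network,FILESRV01
2019-02-01 09:42:57,C:\Windows\sample_c.exe,Network,198.51.100.7
"""


def normalise(host):
    """Canonical form for comparing scanner, console and log entries."""
    host = host.strip().casefold()
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return host.split(".")[0]  # compare short names, not FQDNs


def network_sources(log_text, detected_paths, managed):
    """Group detected files written over the network by remote source.

    Each result records whether the source is a device known to the
    management console; an unknown source is a likely unprotected host.
    """
    wanted = {p.casefold() for p in detected_paths}
    known = {normalise(m) for m in managed}
    by_source = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        if row[COL_TYPE].strip().casefold() != "network":
            continue
        if row[COL_FILE].casefold() in wanted:
            by_source[row[COL_SOURCE].strip()].append(row[COL_FILE])
    ranked = sorted(by_source.items(), key=lambda kv: -len(kv[1]))
    return [{"source": s, "files": f, "managed": normalise(s) in known}
            for s, f in ranked]
```

Sources reported with "managed" set to False are the ones to locate first, since they are writing detected files and do not appear in the console.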
For more information on SOI, please see these articles:
As Emotet and TrickBot are very advanced threats and there is no single layer of security that will stop them, you need multiple layers of detection techniques in place to make it as difficult as possible for them to infect and spread. The best combination of Sophos products for your endpoints is included in the Sophos Intercept X Advanced with EDR license. For the best protection on servers, it is the Sophos Intercept X for Servers license. Both of these licenses are managed from the Sophos Central management console.
For additional information about other Sophos products that can be used to stop an infection before it reaches a computer, we recommend speaking to your Sophos Partner about the XG Firewall and Sophos Sandstorm.
If you are already using Sophos Central, check if the policies are using the recommended (best practice) settings by doing the following:
Note: We recommend testing any policy changes on a limited group of computers before rolling them out to your entire network.
Servers are done in a similar way:
Note: New protection features may not be included in the recommended settings right away. These will be displayed at the top of your policies, listed as New, and should be enabled as well.
IMPORTANT: It is essential to ensure you also have Sophos Tamper Protection enabled. This is what protects Sophos processes, files etc. from being tampered with by malware. Log in to the Central console and select Global Settings > Tamper Protection.
For customers using Sophos Anti-Virus managed by the Enterprise Console, you can find a complete list of best practice settings and how to configure them here: Sophos Enterprise Console and Sophos Endpoint: Recommended settings for Anti-Virus and HIPS.
Additionally, you can use the Policy Evaluation Tool (PET) to review your policy settings. It will highlight settings that aren't configured to best practice: Sophos Enterprise Console - Sophos Policy Evaluation Tool.
IMPORTANT: It is essential to ensure you also have Sophos Tamper Protection enabled. This is what protects Sophos processes, files etc. from being tampered with by malware. In the Enterprise Console, select your Tamper Protection policy and ensure both Tamper Protection and Enhanced Tamper Protection are enabled and have a password set for them.
EternalBlue is an exploit that takes advantage of a vulnerability in Microsoft SMB. It was used notably by the WannaCry ransomware to spread and is now being used by a variety of different malware families, including TrickBot. While it is not the only method TrickBot uses to spread, patching machines removes this method as an option, which not only makes it harder for TrickBot but also protects you against other malware using EternalBlue.
The patch for EternalBlue was released in the Microsoft update MS17-010. For the official Microsoft article explaining how to verify whether a machine is patched, please see: How to verify that MS17-010 is installed.
In addition, Sophos has provided a simple PowerShell script that can be run on individual machines to confirm whether they are patched: How to Verify if a Machine is Vulnerable to EternalBlue - MS17-010.