Sophos is aware of a piece of malware known as Emotet. This is a network worm that takes advantage of weak admin passwords to help spread across a victim's network. The purpose of this worm is to drop malicious payloads onto the target computers. The payload is a form of banking malware designed to steal a user’s online banking details.
IMPORTANT: Emotet is a very advanced polymorphic network worm that has multiple ways to avoid detection. Stopping this worm requires every machine on an infected network to be protected with Anti-Virus, it is also critical that you are following best practice advice. Specifically you must have Behavior Monitoring (HIPS) enabled including the Detect malicious traffic option also enabled.
The following sections are covered:
Applies to the following Sophos products and versions Sophos Endpoint
Computers affected by this malware may see the following detections:
The detected files are executables with random names, for example: 1940C552.exe, 195CADAB.exe. You may also see detections for files with more legitimate names. Some examples are wingroup.exe, cryptcert.exe, servicelog.exe and biotime.exe.
These files normally in these locations:
Ensure all computers in the environment are protected by Sophos Anti Virus and are up to date. If there are detections for this malware do a reboot and a full scan. Repeated detections of this threat means there are unprotected machines on the network that are infected and attempting to infect other machines.
For example, there is a machine that has seen repeated detections of Mal/Emotet-E then it is not infected, it has malicious files dropped from another infected machine. These files are immediately detected and stopped. Identify which machines are attempting to drop these files across the network. Until these machines are identified, protected and cleaned, detections will appear on other machines across the network.
If you are seeing detections for C2/Generic-B, for example:
Malicious traffic detected: 'C2/Generic-B' at 'C:\Windows\System32\serverdefrag.exe' (Technical Support reference: 896012083)
Please locate the file being reported and submit it to sophos here (select 'Submit a sample' > 'File').
If you are using the Sophos Intercept X product you will be able to take advantage of the Root Cause Analysis feature to help identify the source of this malware.
To identify the machines spreading this malware, use our Source of Infection (SOI) tool. This is a simple tool that logs every file created on the machine.
This article will be updated if new information becomes available.
If you've spotted an error or would like to provide feedback on this article, please use the section below to rate and comment on the article. This is invaluable to us to ensure that we continually strive to give our customers the best information possible.
Every comment submitted here is read (by a human) but we do not reply to specific technical questions. For technical support post a question to the community. Or click here for new feature/product improvements. Alternatively for paid/licensed products open a support ticket.