This knowledge base article is designed to help Sophos customers who have detection for the Emotet or TrickBot malware. While these two malware families are different, often networks infected with one will also have the other as well. This is primarily due to Emotet spreading across a network and additionally downloading TrickBot as it goes. These two threats are very advanced and fast moving, and use use different techniques to achieve their goals, but removing both involves taking the same actions. In this KBA, the basic points worth knowing about these threats will be covered as well as how to remove them, and how to improve your security to help prevent getting infected again in the future.
The following sections are covered:
Often referred to as a banking trojan or worm. It is a very advanced threat that is updated multiple times a day by the cybercrooks controlling it. It has three primary goals:
Traditionally, the payloads have mostly been banking Trojans, with TrickBot being the most prevalent. Other payloads have included Qbot, Dridex or IcedID. There is also a connection between Emotet and a very dangerous targeted ransomware family called BitPaymer.
In July 2018 the U.S. Department of Homeland Security said the following in an alert:
"Emotet is an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. Additionally, Emotet is a polymorphic banking Trojan that can evade typical signature-based detection. It has several methods for maintaining persistence, including auto-start registry keys and services. It uses modular Dynamic Link Libraries (DLLs) to continuously evolve and update its capabilities. Furthermore, Emotet is Virtual Machine-aware and can generate false indicators if run in a virtual environment."
Similar to Emotet, TrickBot is also referred to as a banking trojan and worm. It does a lot of similar activities to Emotet, for example constantly trying to spread to other computers and updating itself multiple times a day. Its primary goal is to steal the users' money by accessing their online bank and PayPal accounts. TrickBot is arguably more advanced than Emotet as is has additional techniques it uses to spread, for example:
Additional to this, TrickBot is modular, meaning the attackers can pick and choose which type of attack they want to do.
In September 2018 the UK's National Cyber Security Centre published an advisory saying:
"Trickbot is reported to have a range of malicious capabilities, including the ability to:
Customers who have active outbreaks of Emotet and/or TrickBot may see the following detections:
The following are also likely to be seen, although are not exclusive to Emotet/TrickBot:
Another indication of an Emotet infection is the presence of additional malicious services created on the machine. This is due to how Emotet installs itself on a machine, creating randomly named numeric services, which in turn try to run another randomly named executable in C:\Windows.
The example below shows four Emotet services (other may have more) that have been created on an infected machine.
Note: If you have already resolved an Emotet infection but have Emotet services left on a machine, take a look at the KBA 133423 on how these services can be deleted.
Due to the advanced, fast moving and polymorphic nature of these threats, you need to consider your entire network, concentrating on making sure that basic protection is in place first. If this is not done, and efforts are instead concentrated on individual computers and suspicious files, you are unlikely to ever get ahead of the infection, and regain control of the network.
It is vital to understand the difference between a computer that is infected, and one that is just affected. Below is a simplified example of how an Emotet infection typically starts.
If you are concentrating on looking at detections that are being reported from Sophos protected computers that are being affected, it means you may be looking at malicious files being detected and removed right away, causing no harm but triggering an alert. When in reality, the infected computers that don't have any Sophos Anti-Virus on them are not in the Sophos Management Console, and are therefore not sending you any alerts. It is the infected hosts that are critical to find, isolate and protect first.
To protect against a future Emotet and/or TrickBot attack, as well as resolving a current outbreak, the following are the most important steps that must be taken:
It is an easy assumption to make that every computer on your network has Anti-Virus installed, however unless you are confident you actually know about every computer on your network, you can't be sure they all have the AV. There are many ways of identifying devices on your network, and you may already have methods of doing this. The option that works best for you could depend on network size and segmentation. One of the most common methods is to do a network scan and let it detect what is on the network at that moment. One free and simple tool to use is the Advanced IP Scanner.
Using this, you will be able to quickly generate a list of devices that are active on your network. This can be used to cross check the devices listed in your Sophos Management Console.
Sophos provides a free tool called Source of Infection (SOI). The SOI tool is not an Anti-Virus product, and it will not detect or remove any malware. What it will do, if left running on a computer, is log every file that is written to the computer. It will provide a log file with a list of every file that was written, its full file path, the date and time it was written, and if it was written by a local or network process. For local processes, it will list the name and path of the file that wrote it. If it was a network process, it will list the remote IP address or computer name. By looking at the log file and identifying files that look suspicious or were subsequently detected by Sophos on that machine, you can identify the machines these files came from or potential undetected malware on the machine running SOI.
The best scenario to use SOI in is when you have a protected machine that is repeatedly getting detections. Once SOI is running, wait for the next detection or suspicious file to be written to the computer, then use the log to identify where it came from. To download and use SOI, follow the instructions below.
First, identify a computer you want to run the SOI tool on, ideally the one that is repeatedly reporting malware detections.
Once the SOI tool is running, make sure that the Command Prompt window remains open so as not to stop the SOI. Once a new malware detection has occurred on the computer (this make take anywhere from seconds to days depending on the situation), the SOI can now be stopped by closing the Command Prompt.
Note: It is often worth leaving the SOI tool running until you have identified the information you are looking for in the log. It might be multiple infected computers are dropping files across the network, and the longer you leave the SOI tool running, the higher the chance of capturing this information in the log.
The SOI log can be found at %temp%\Source of Infection Log.csv
%temp%\Source of Infection Log.csv
This is a simple CSV file which can be opened in Microsoft Excel or any text editor. The example below shows two suspicious files that were written to the computer from a remote network location. In this example, these two IP addresses are the infected hosts that should be located, isolated and protected to stop the malicious files from further spreading.
For more information about the SOI tool, take a look at the following KBAs:
As Emotet and TrickBot are very advanced threats, and there is no single layer of security that will stop them, multiple layers of detection techniques in place are needed to make it as difficult as possible for them to infect and spread. The best combination of Sophos products on your endpoints are included in the Sophos Intercept X Advanced with EDR license. For best protection on servers, it is the Sophos Intercept X for Servers license. Both of these licenses are managed from the Sophos Central management console.
For additional information about other Sophos products that can be used to stop an infection before it reaches a computer, it is recommend that you speak with your Sophos Partner about the XG Firewall and Sophos Sandstorm.
If you are already using Sophos Central, check if the policies are using the recommended (best practice) settings by doing the following:
Note: It is highly recommended that any policy changes should be tested first on a limited group of computers before rolling it out to the entire network.
Servers are done in a similar way:
Note: New protection features may not be included in the recommended settings right away. These features will be displayed at the top of your policies and listed as New, and should be enabled as well.
IMPORTANT: It is essential to ensure that the Sophos Tamper Protection is enabled, for this is what protects Sophos processes, files etc. from being tampered with by malware. This can be seen under Global Settings > Tamper Protection.
For customers using Sophos Anti-Virus managed by the Enterprise Console, a complete list of best practice settings and how to configure them can be seen in the KBA Sophos Enterprise Console and Sophos Endpoint: Recommended settings for Anti-Virus and HIPS.
Additionally, the Policy Evaluation Tool (PET) can be used to review the policy settings of your SEC, which then highlights the settings that are not configured as per the best practice. For your reference, take a look at the KBA Sophos Enterprise Console - Sophos Policy Evaluation Tool.
IMPORTANT: It is essential to ensure that the Sophos Tamper Protection is enabled, for this is what protects Sophos processes, files etc. from being tampered with by malware. In the Enterprise Console, click your concerned Tamper Protection policy and ensure both Tamper Protection and Enhanced Tamper Protection are enabled, and that a strong password is set.
EternalBlue is an exploit that takes advantage of a vulnerability in Microsoft SMB which was used notably by the WannaCry ransomware to spread, and is now being used by a variety of different malware families, including TrickBot. While it is not the only method TrickBot uses to spread, by patching machines and removing this method as an option, it will not only make it harder for TrickBot but also protect you against other malware using EternalBlue.
The patch for EternalBlue was released in the Microsoft update: MS17-010. For the official Microsoft article explaining how to verify if a computer is patched or not, please take a look at How to verify that MS17-010 is installed.
Additional to this, Sophos has provided a simple PowerShell script that can be run on individual computers to confirm if they are patched or not. For more information about this, take a look at the KBA How to Verify if a Machine is Vulnerable to EternalBlue - MS17-010.
If you've spotted an error or would like to provide feedback on this article, please use the section below to rate and comment on the article. This is invaluable for us to ensure that we continually strive to give our customers the best information possible.
Every comment submitted here is read (by a human) but we do not reply to specific technical questions. For technical support post a question to the community. Or click here for new feature/product improvements. Alternatively for paid/licensed products open a support ticket.