Microsoft: Emotet Attack Shut Down an Entire Business Network

The infection started with a phishing email and spread throughout the organization, overheating all machines and flooding its Internet connection.

Microsoft has published a case report detailing its response to a massive Emotet attack that brought down an entire enterprise network, evading antivirus software and overheating all its Windows machines. The infection began when an employee opened a malicious attachment. 
The Microsoft Detection and Response Team (DART) reports an attacker sent "a swarm" of phishing emails to employees at Fabrikam, an alias it gave to the client company to protect its identity. One recipient opened a file attached to the email; as a result, their credentials were sent to the attackers' command-and-control server and granted the intruders machine access.
This access was what they needed to launch their broader plan, which was to spread Emotet throughout the network. Emotet, an automated malware, is used to collect data on businesses and individuals for theft and fraud through banking Trojans and other credential-theft tools. It's a polymorphic virus, meaning it updates itself with new definitions every few days, DART says. Attackers delivered updates from their C2 infrastructure to bypass firewalls and antivirus tools.
Four days after gaining credentials into Fabrikam, the attackers used the initial infected account to send phishing emails to other employees on the network. Many common email filters don't scan messages sent internally, and employees typically trust emails sent from an internal account. As a result, more employees clicked malicious attachments and downloaded malware.
"Working via admin accounts, it spread credential-stealing Trojans across employee accounts and used them to authenticate itself within the network," DART officials explain in their case study. "Fabrikam didn't have any network visibility tools in place, so for the next twenty-four hours Emotet wormed its w ..