Recently, one of Cyberseer’s customers was hit with a “Malspam” campaign aiming to plant the Emotet malware within its network.
The original e-mail was sent to a distribution group, which quickly escalated the situation. As this was a new campaign that day, the client's e-mail gateway had no matching signatures and allowed the malicious e-mail to reach a number of users' inboxes.
What is Emotet?
Emotet accounted for 57% of all banking trojan payloads in Q1 2018, with a steady number of infections and new campaigns daily throughout the year. First reported in 2014 as a banking trojan, Emotet has since evolved into a malware delivery botnet that relies on social engineering to compromise a machine.
Infection usually begins with a user being sent a phishing e-mail containing a malicious Word document or a link to a malicious URL.
Once the user opens the malicious document and enables macros, obfuscated VBA code instructs the target machine to download a remote payload consisting of a number of different modules.
Figure 1 - Emotet Activity 
Previously downloaded payloads have included:
Banking infostealer - Intercepts network traffic from the browser to steal banking details entered by the user.
The download command contains 5 hardcoded URLs, each serving one of a number of different payloads. Connections to these URLs are how Cyberseer analysts first identified the incident.
As soon as the URLs were contacted, the signatureless behavioural models breached, first on the connections to the domains and then on the download of the payload. Taking a step back, these external connections were 100% anomalous for this network environment.
Figure 3 - Initial connections
Pivoting into the network logs, a quick investigation of the external domains revealed that 5 users had fallen victim to this attack -
Figure 4 - Devices associated
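As an added example (not Cyberseer's tooling, nor the product that raised the alerts above), the Python below sketches the signatureless logic in outline: learn which external domains the environment talks to during a baseline period, breach on any connection to a domain never seen before, escalate when such a connection returns an executable, and then pivot over the same logs to list every device that contacted the flagged domains. The log format, host names and domains are constructed for the example; the incident-day log also models the usual Emotet downloader behaviour of trying each hardcoded URL in turn (an assumption here, not something the page shows), which is why one host has a 404 from one domain followed by a download from another.

```python
"""Toy 'signatureless' detector: first-seen external domains + executable downloads.

Added example, not Cyberseer's tooling. Log format, hosts and domains are constructed.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set


class LogEvent(NamedTuple):
    ts: str       # ISO-8601 timestamp
    host: str     # internal device name
    domain: str   # external destination
    status: int   # HTTP status code
    ctype: str    # response Content-Type
    path: str     # requested URL path


class Alert(NamedTuple):
    kind: str
    severity: int
    event: LogEvent


# Content types that mark a Windows executable in the response body.
EXE_CONTENT_TYPES = {
    "application/x-msdownload",
    "application/x-dosexec",
    "application/vnd.microsoft.portable-executable",
}

# Constructed proxy log, one event per line:
# <timestamp> <host> <domain> <status> <content-type> <path>
BASELINE_LOG = """
2018-11-01T08:02:11 ws-004 update.microsoft.com 200 application/octet-stream /wsus/cab
2018-11-01T08:03:40 ws-017 www.google.com 200 text/html /
2018-11-01T09:15:02 ws-021 outlook.office365.com 200 text/html /owa
2018-11-02T10:44:19 ws-004 www.google.com 200 text/html /search
2018-11-02T11:01:55 ws-033 update.microsoft.com 200 application/octet-stream /wsus/cab
2018-11-03T13:22:08 ws-051 outlook.office365.com 200 text/html /owa
2018-11-04T15:09:31 ws-017 cdn.jsdelivr.net 200 text/javascript /lib.js
""".strip().splitlines()

INCIDENT_LOG = """
2018-11-05T09:12:01 ws-004 outlook.office365.com 200 text/html /owa
2018-11-05T09:12:43 ws-004 victim-site-one.example 200 text/html /wp-content/up
2018-11-05T09:12:44 ws-004 victim-site-one.example 200 application/x-msdownload /wp-content/up/loader.exe
2018-11-05T09:13:10 ws-017 victim-site-two.example 404 text/html /cgi-bin/x
2018-11-05T09:13:11 ws-017 victim-site-three.example 200 application/x-msdownload /files/a.exe
2018-11-05T09:14:02 ws-021 victim-site-one.example 200 application/x-msdownload /wp-content/up/loader.exe
2018-11-05T09:14:30 ws-033 www.google.com 200 text/html /search
2018-11-05T09:15:12 ws-033 victim-site-two.example 200 application/x-msdownload /cgi-bin/x/d.exe
2018-11-05T09:16:48 ws-051 victim-site-three.example 200 application/x-msdownload /files/a.exe
""".strip().splitlines()


def parse_line(line: str) -> LogEvent:
    parts = line.split()
    if len(parts) != 6:
        raise ValueError(f"malformed log line: {line!r}")
    ts, host, domain, status, ctype, path = parts
    return LogEvent(ts, host, domain, int(status), ctype, path)


def build_baseline(lines: List[str]) -> Set[str]:
    """Learn the environment-wide set of external domains seen in the learning period."""
    return {parse_line(line).domain for line in lines}


def detect(baseline_domains: Set[str], lines: List[str]) -> List[Alert]:
    """Alert on every connection to a never-before-seen domain, and raise a
    higher-severity alert when such a connection actually delivers an executable."""
    alerts: List[Alert] = []
    for line in lines:
        ev = parse_line(line)
        if ev.domain in baseline_domains:
            continue  # destination the environment already uses: no model breach
        alerts.append(Alert("new_external_domain", 1, ev))
        delivered_exe = ev.ctype in EXE_CONTENT_TYPES or ev.path.lower().endswith(".exe")
        if ev.status == 200 and delivered_exe:
            alerts.append(Alert("executable_from_new_domain", 3, ev))
    return alerts


def pivot_hosts(flagged_domains: Set[str], lines: List[str]) -> Dict[str, Set[str]]:
    """Pivot on the flagged domains to list every host that contacted any of them."""
    hosts: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if ev.domain in flagged_domains:
            hosts[ev.host].add(ev.domain)
    return dict(hosts)


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_LOG)
    alerts = detect(baseline, INCIDENT_LOG)
    for a in sorted(alerts, key=lambda a: -a.severity):
        print(f"sev{a.severity} {a.kind:28} {a.event.ts} {a.event.host} -> {a.event.domain}{a.event.path}")
    flagged = {a.event.domain for a in alerts}
    for host, domains in sorted(pivot_hosts(flagged, INCIDENT_LOG).items()):
        print(f"{host}: {', '.join(sorted(domains))}")
```

Run stand-alone it prints the five executable downloads first, then the five devices that touched the three previously unseen domains, including the one whose first attempt returned a 404. A real behavioural engine keys the baseline per device and scores domains by rarity and age rather than a binary seen/unseen set, otherwise every CDN rotation would breach; the point of the toy is the shape of the logic, not its tuning.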
Drilling deeper into the connections from one of the associated devices and looking at the PCAP, we can confirm the download of the malicious payloads:
Figure 5 - Executable seen in PCAP
Carving the payloads from the PCAP yields the following exe files -
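Carving executables out of a capture, as the analysts did above, can be automated. The Python below is an added example (not Cyberseer's tooling): it walks a reassembled HTTP stream, treats an "MZ" as a candidate only if the offset stored at 0x3C points at a valid "PE\0\0" signature, works out the file's on-disk size from the section table so the carve stops at the right byte, hashes each file for lookup, and reports a transfer that was cut short as truncated instead of silently producing a partial sample. The stream and the PE images inside it are constructed inline and the images are minimal and will not run. It assumes the stream has already been reassembled and decoded (chunked transfer encoding or Content-Encoding: gzip must be undone first, for example by following the TCP stream or exporting the HTTP object in Wireshark).

```python
"""Carve PE files out of a reassembled HTTP byte stream and hash them.

Added example, not Cyberseer's tooling. The stream and PE images are constructed.
"""
import hashlib
import struct
from typing import List, NamedTuple, Optional


class CarvedPE(NamedTuple):
    offset: int      # where the 'MZ' header starts in the stream
    size: int        # bytes actually recovered
    sha256: str
    truncated: bool  # True if the stream ended before the declared file size


def pe_file_size(buf: bytes, off: int) -> Optional[int]:
    """Return the on-disk size of the PE image whose DOS header starts at buf[off],
    or None if the bytes there are not a plausible PE header."""
    if buf[off:off + 2] != b"MZ" or off + 0x40 > len(buf):
        return None
    (e_lfanew,) = struct.unpack_from("<I", buf, off + 0x3C)
    pe = off + e_lfanew
    if e_lfanew < 0x40 or e_lfanew > 0x1000 or pe + 24 > len(buf):
        return None
    if buf[pe:pe + 4] != b"PE\0\0":
        return None
    num_sections = struct.unpack_from("<H", buf, pe + 6)[0]
    size_opt = struct.unpack_from("<H", buf, pe + 20)[0]
    sect_table = pe + 24 + size_opt
    end = (sect_table - off) + 40 * num_sections  # at least the headers
    for i in range(num_sections):
        hdr = sect_table + 40 * i
        if hdr + 40 > len(buf):
            break  # section table cut off; the size so far is a lower bound
        size_raw, ptr_raw = struct.unpack_from("<II", buf, hdr + 16)
        end = max(end, ptr_raw + size_raw)
    return end


def carve_pe(buf: bytes) -> List[CarvedPE]:
    """Find every PE image in buf, carve it to its declared size and hash it."""
    found: List[CarvedPE] = []
    pos = 0
    while True:
        off = buf.find(b"MZ", pos)
        if off < 0:
            break
        size = pe_file_size(buf, off)
        if size is None:
            pos = off + 1  # a stray 'MZ' in text or data, not a header
            continue
        data = buf[off:off + size]
        found.append(CarvedPE(off, len(data), hashlib.sha256(data).hexdigest(), len(data) < size))
        pos = off + len(data)  # do not rescan inside the carved file
    return found


def build_test_pe(code: bytes) -> bytes:
    """Constructed input: a minimal, non-runnable PE32 image with one .text section."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)    # i386, 1 section
    opt = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)               # PE32 optional header, zeroed
    raw_ptr = 0x200
    raw_size = (len(code) + 0x1FF) // 0x200 * 0x200
    section = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", len(code), 0x1000, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + opt + section
    return headers.ljust(raw_ptr, b"\0") + code.ljust(raw_size, b"\0")


PE_A = build_test_pe(b"\xCC" * 100)
PE_B = build_test_pe(b"\x90" * 600)

# Constructed stream: an HTML response containing a stray 'MZ', a complete executable
# download, and a second download that was cut off after 800 bytes.
STREAM = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>MZ is not a PE</html>"
    + b"HTTP/1.1 200 OK\r\nContent-Type: application/x-msdownload\r\n\r\n" + PE_A
    + b"HTTP/1.1 200 OK\r\nContent-Type: application/x-msdownload\r\n\r\n" + PE_B[:800]
)

if __name__ == "__main__":
    for item in carve_pe(STREAM):
        print(f"offset={item.offset:#x} size={item.size} truncated={item.truncated} sha256={item.sha256}")
```

The size derived from the section table ignores anything appended after the last section (an Authenticode signature or an overlay), so a sample carved this way can hash differently from the file on disk; when the HTTP Content-Length is intact it is the better size to carve to, and the section-table size is the fallback for streams where the headers are lost.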
Cyberseer analysts were able to rapidly investigate the files and contact the client. Luckily, the downloaded executables could not run because of the permissions in place on the affected devices, so they were quarantined and remediated before any further compromise could occur; least privilege on the endpoint is what bought the time for that response.
This scenario highlights that traditional signature-based approaches alone are not enough to defend a network against constantly evolving, previously unknown threats. A machine-learnt behavioural approach can detect such threats ahead of traditional solutions, allowing a faster response to a potential breach.
Security technologies that depend on signatures and blacklists being updated will always be one step behind the attackers, and cannot detect new, unknown threats in real time.