- The attack began with a phishing email that was opened by an internal employee.
- The trojan evaded the organization's detection systems; it took its instructions from the attacker's command and control (C2) server.
Microsoft has shared details of an Emotet attack on an organization it refers to by the alias Fabrikam. The incident is described in Microsoft's Detection and Response Team (DART) Case Report 002, where Fabrikam is a placeholder name for the victim organization.
About the attack
According to Microsoft's account of the incident response engagement for the company it calls Fabrikam, the attack began with a phishing email that an internal employee opened. That single click set off a chain of events that ended in a week-long shutdown of the organization's core services, as the malware maxed out the CPUs of infected machines.
Evading detection while infecting
The trojan evaded the organization's detection systems; it was controlled from the attacker's command and control (C2) server, from which it also fetched updated copies of itself, a trait that kept it ahead of signature-based antivirus. Five days after the phishing attachment harvested the employee's credentials, the trojan was delivered to and executed on Fabrikam's PCs.
Soon after, the malware began targeting more Fabrikam employees and their external contacts, using the stolen credentials to send further phishing. Eventually it gained access to an administrator account and, with it, control of the entire network.
Within eight days the organization's entire network had crashed, despite the IT department's best efforts. Every PC on the network suffered overheating, freezing, abrupt shutdowns and reboots caused by the Blue Screen of Death (BSOD).
The attack brought the entire organization to its knees, including its network of 185 surveillance cameras.
What actions were taken?
Since Emotet paralyzed Fabrikam's whole network, Microsoft recommended that the organization deploy email filtering tools to head off future phishing attacks and roll out multi-factor authentication. Microsoft also provided new antivirus signatures to improve detection of the Emotet malware.
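The email filtering Microsoft recommended is only as good as the rules behind it. Emotet's usual lure was a macro-enabled Office document, so an attachment-level filter is a natural first layer. The example below is added here for illustration; it is not code from the article or from Microsoft's DART report, and it assumes that macro-bearing Office attachments are the lure to stop. It parses a raw RFC 822 message with Python's standard `email` module, blocks attachments whose extension advertises macros, unzips OOXML documents to catch a `vbaProject.bin` part hidden behind a benign-looking `.docx` name, and holds legacy OLE2 files for deeper inspection. The sample messages, sender and recipient addresses, and the verdict names are constructed for this example.

```python
"""Attachment-level phishing filter (added example; not part of the original
article or of Microsoft's DART Case Report 002).

Assumption: macro-enabled Office documents are the lure to stop. Verdicts,
addresses and sample attachments below are constructed for this example.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from typing import List, Tuple

MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".ppam"}
LEGACY_OFFICE_EXTENSIONS = {".doc", ".xls", ".ppt"}  # OLE2 containers; may embed VBA
OOXML_EXTENSIONS = {".docx", ".dotx", ".xlsx", ".pptx"} | MACRO_EXTENSIONS
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def ooxml_has_vba(data: bytes) -> bool:
    """True if an OOXML (zip-based) document contains a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def inspect_attachment(filename: str, data: bytes) -> str:
    """Classify one attachment as 'block', 'review' or 'allow'."""
    name = (filename or "").lower()
    ext = name[name.rfind("."):] if "." in name else ""
    if ext in MACRO_EXTENSIONS:
        return "block"  # extension itself declares a macro-enabled document
    if ext in OOXML_EXTENSIONS and ooxml_has_vba(data):
        return "block"  # macro project hidden behind a non-macro extension
    if ext in LEGACY_OFFICE_EXTENSIONS or data[:8] == OLE2_MAGIC:
        return "review"  # legacy binary Office file; needs an OLE parser (e.g. oletools)
    return "allow"


def filter_message(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Return a message-level verdict plus per-attachment findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        verdict = inspect_attachment(part.get_filename(), payload)
        findings.append((part.get_filename() or "<unnamed>", verdict))
    if any(v == "block" for _, v in findings):
        return "quarantine", findings
    if any(v == "review" for _, v in findings):
        return "hold", findings
    return "deliver", findings


def build_sample(filename: str, data: bytes) -> bytes:
    """Construct a sample invoice-lure message with one attachment (test input)."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.test"
    msg["To"] = "employee@fabrikam.example"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def make_ooxml(with_vba: bool) -> bytes:
    """Build a minimal OOXML zip, optionally with an embedded VBA project part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for fname, data in [("invoice.docm", b"PK\x03\x04junk"),
                        ("invoice.docx", make_ooxml(with_vba=True)),
                        ("invoice.docx", make_ooxml(with_vba=False)),
                        ("invoice.doc", OLE2_MAGIC + b"\x00" * 8)]:
        print(fname, filter_message(build_sample(fname, data)))
```

Note that the filter deliberately does not trust the declared `Content-Type`; it keys on the file name and on the bytes themselves, because a lure is free to label a `.docm` as `application/octet-stream`. Attachment filtering addresses only the first step of the Fabrikam chain; the lateral spread described above ran on stolen credentials, which is why multi-factor authentication sits beside it in Microsoft's recommendations.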