Microsoft has published a case report detailing its response to a massive Emotet attack that brought down an entire enterprise network, evading antivirus software and overheating all its Windows machines. The infection began when an employee opened a malicious attachment.
According to Microsoft’s report, the malware went on to infect the systems of Fabrikam (a fictitious name Microsoft uses for the victim in its case study) by stealing admin account credentials and using them to authenticate itself on new systems. The attack began with a phishing email that an internal employee opened. This set off a chain of events that led to a week-long shutdown of the organization’s core services as the malware maxed out CPUs.
The Trojan managed to evade all detection systems while it was controlled by the attacker’s command and control (C2) server. Five days after the victim employee’s credentials were extracted by the phishing email attachment, the Trojan was delivered and executed on Fabrikam’s PCs. Soon after, the malware started targeting more Fabrikam employees and their external contacts using the stolen credentials. Eventually, the malware took control of the entire network after gaining access to the admin account.
Within eight days, the organization’s entire network had crashed despite the best efforts of its IT department. All PCs connected to the network experienced overheating, freezing, abrupt shutdowns, and reboots caused by Blue Screen of Death (BSOD) crashes. The attack brought the entire organization to its knees, including its network of 185 surveillance cameras.
Since Emotet paralyzed Fabrikam’s whole network, Microsoft recommended that the organization deploy email filtering tools to block potential phishing attacks and adopt multi-factor authentication. In addition, Microsoft uploaded a new antivirus signature to improve detection of the Emotet malware.