by Aaron Mulgrew | Blog


Banking trojans are once again topping the malware charts. Amid all the exotic trojan names, variants and mutations, one stands out head and shoulders above all others. It’s Emotet.

Concealed in Office Documents

Emotet is a banking trojan designed to be hard to detect and to steal bank account and credit card details. It is concealed in Microsoft Office documents and delivered either as an attachment to an email or as a download link. Emotet is one of the most active pieces of malware ever seen and the attackers work full time ensuring that defences are always playing catch up.

Evading Detection

A good indicator of the effectiveness of a piece of malware is to run it by a website that hosts all the major anti-malware technologies on the market and see how it fares in evading detection. When Deep Secure researchers did this with a sample of Emotet comprising a malicious macro embedded inside a Word 97 .doc file, around 75% of the anti-malware technologies on the site correctly identified it as a threat.

So far, so good, except that even the slightest change to the Emotet sample saw the success rate plummet. Adding a simple HELLO WORLD comment line to the macro script saw the percentage of anti-malware technologies correctly identifying the sample as malicious fall to 34%. Taking this modified version of Emotet and copying and pasting it into a different Word document with different body content saw the success rate fall to a mere 20%.

The changes are trivial, but the fact that the resulting sample is declared safe by so many of the anti-malware technologies we all rely on highlights a problem. All the anti-malware technologies hosted on the aforementioned website rely on detection, and detection simply can’t keep pace with a piece of malware like Emotet that is constantly changing and being refined.

Zero Trust and Emotet

At Deep Secure we’ve developed a zero-trust threat removal platform to deal with threats like Emotet. Our Threat Removal Platform works on the premise that because you can’t be certain whether you have or haven’t detected the presence of something like Emotet in a document, the only sensible approach is not to trust any document, but to guarantee all documents are safe by transforming them into new, safe files.

This transformation process involves extracting any useful business information from the document and leaving any threats behind, before creating a clean copy for the end-user containing this information – all of which is performed in real time. This type of threat removal guarantees 100% threat-free documents because none of the original digital file is ever delivered to the endpoint.
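The two points above, that a one-line comment defeats a signature match and that rebuilding a document from extracted content sidesteps the question of detection entirely, are shown below in an added example. This is illustrative code written for this post, not Deep Secure's product code and not Emotet. The "document" is a constructed, minimal zip with a `word/document.xml` part and a plain-text stand-in for `word/vbaProject.bin` (real Word macros are compiled OLE streams, and real scanners use far more than a part hash); the macro text, paragraph text and helper names are all constructed for the example.

```python
import hashlib
import io
import zipfile
import xml.etree.ElementTree as ET

# Constructed stand-ins for a macro part. In a real file this would be a
# compiled vbaProject.bin; plain text is used so the signature effect is visible.
MACRO_ORIGINAL = b'Sub AutoOpen()\r\n  MsgBox "constructed macro"\r\nEnd Sub\r\n'
MACRO_VARIANT = b"' HELLO WORLD\r\n" + MACRO_ORIGINAL  # one added comment line

WML_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
ET.register_namespace("w", WML_NS)


def build_document(paragraphs, macro=None):
    """Build a minimal docx-style zip (constructed, not a full OOXML package)."""
    root = ET.Element(f"{{{WML_NS}}}document")
    body = ET.SubElement(root, f"{{{WML_NS}}}body")
    for text in paragraphs:
        p = ET.SubElement(body, f"{{{WML_NS}}}p")
        r = ET.SubElement(p, f"{{{WML_NS}}}r")
        ET.SubElement(r, f"{{{WML_NS}}}t").text = text
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", ET.tostring(root, encoding="unicode"))
        if macro is not None:
            zf.writestr("word/vbaProject.bin", macro)
    return buf.getvalue()


def has_macro(doc_bytes):
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        return "word/vbaProject.bin" in zf.namelist()


def macro_signature(doc_bytes):
    """Hash the macro part, the way a naive signature scanner would."""
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        if "word/vbaProject.bin" not in zf.namelist():
            return None
        return hashlib.sha256(zf.read("word/vbaProject.bin")).hexdigest()


def signature_detects(doc_bytes, known_bad):
    """Detection-based approach: the file is bad only if its macro hash is known."""
    sig = macro_signature(doc_bytes)
    return sig is not None and sig in known_bad


def extract_text(doc_bytes):
    """Pull the paragraph text out of document.xml; nothing else is read."""
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        root = ET.fromstring(zf.read("word/document.xml"))
    return ["".join(t.text or "" for t in p.iter(f"{{{WML_NS}}}t"))
            for p in root.iter(f"{{{WML_NS}}}p")]


def transform(doc_bytes):
    """Zero-trust approach: build a brand-new file from the extracted text.

    No part of the original zip is copied; the macro part, whatever it
    contained, is simply never carried across to the output.
    """
    return build_document(extract_text(doc_bytes))


def demo():
    # The "signature database" knows the original macro bytes.
    known_bad = {macro_signature(build_document(["seed"], MACRO_ORIGINAL))}
    original = build_document(["Please find the invoice attached."], MACRO_ORIGINAL)
    variant = build_document(["Quarterly report, see below."], MACRO_VARIANT)
    clean = transform(variant)
    return {
        "original_detected": signature_detects(original, known_bad),
        "variant_detected": signature_detects(variant, known_bad),   # missed
        "transformed_has_macro": has_macro(clean),                  # never copied
        "transformed_text": extract_text(clean),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hash check is deliberately the weakest possible scanner, but the shape of the failure is the one the figures above describe: a comment line changes the bytes, so the known-bad match disappears while the behaviour of the macro does not. The transform step never asks whether the macro is malicious; it only decides which content is worth keeping and generates a new file from that.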

Threat Removal has benefits across the organization from risk mitigation to user productivity. Most important of all, deployed along the organizational perimeter it finally offers a permanent vaccine against the threat of Emotet and any other piece of malware concealed in data.
