EDR catches Emotet at MSP’s Healthcare Customer

The Network: A Managed Service Provider (MSP) installed Netsurion Essentials with EDR to mitigate threats on 900 endpoints at a Community Health network in the North Eastern United States.

The Expectation: Netsurion Essentials with endpoint threat detection and response capability would deliver end-to-end protection.

The Catch: Netsurion’s SOC (Security Operations Center) observed an unsafe MD5 hash and network connection activity with a malicious IP address which was permitted by the installed (and up to date) Anti-Virus.

The Find: We detected a connection with a poor IP address reputation due to suspicious threat activity. Netsurion’s security analyst used the advanced logic in Netsurion SIEM, and quickly discovered that Emotet malware was active in the customer’s environment. The security analyst was able to trace the path of the attack as shown in the figure below:

Track Path

The user launched MS Word on a Windows 10 desktop and was enticed into enabling macros. This caused two actions, the launch of an EXE in C:ProgramData and a PowerShell command to be launched. The EXE in C:ProgramData was intercepted by the Anti-Virus program but the PowerShell command was allowed which dropped a file called 379.exe in the temp folder and a clone of this file called defineguids.exe under AppDataLocal. Notice the MD5 hash of both 379.exe and defineguids.exe is the same. In addition defineguids.exe also contacted three public IP addresses which are known to be Command & Control (C&C) Emotet infections.

The original EXE defineguids.exe is Microsoft provided but this one is malware. The Anti-Virus signature definitions at the time of this attack allowed these EXEs but have since been updated so that this infection will now be blocked. 

The Fix: Netsurion’s SOC promptly alerted the MSP to the compromise. All identified malicious hashes and IP addresses were immediately moved to an unsafe list for process termination on the infected system.
As a part of the Netsurion’s threat intelligence distribution process, all indicators of compromise (IoC) and hashes were shared among the same business tenant to identify and thwart any present and future threats across all the MSP’s numerous clients.

The identified systems were taken off the network. Once the threats were mitigated, the systems were cleared and reconnected to the healthcare organization’s network.

The Lesson: Traditional signature based Anti-Virus is easily defeated by the modern attacker. File-less malware (in this case PowerShell based) is able to evade such defenses. EDR technology with application control is far more effective. The 24/7 SOC was quick and responsive in detecting the infection and providing actionable intelligence. The integrated SIEM and EDR capability was instrumental in detecting the other elements of the kill-chain.



What is Emotet and how does it work?

What is Emotet and how does it work? What is Emotet today? Discover how Emotet came to be and what it has evolved to. Also, get a first hand account of how Netsurion protected its customers against Emotet and continues to do so to this day.