Combatting Emotet – the world’s most dangerous malware

Emotet – the ‘world’s most dangerous malware’ – is an infamous trojan delivered via infected files or links that can auto-execute on devices without any user interaction. It can then swiftly seize control of devices and networks, downloading additional payloads along the way such as ransomware or info-stealers.

As such, it’s seen as particularly dangerous, with over 2.7 million cases detected since late last year in a new wave of attacks – this time using Excel files to disguise its presence. According to CISA, it costs upwards of $1 million to clean up each incident.

Designed to evade antivirus solutions, the first step in the chain of infection involves tricking the potential victim into opening an attached Microsoft Office file using social engineering. After the file has been opened and macros enabled, there is no need for additional user action because the file contains malicious Visual Basic for Applications (VBA) code that runs after a document has been opened.

The VBA code utilizes Windows Management Instrumentation (WMI) to launch a PowerShell code which downloads the payload – a malicious executable file from the webserver. From there, networks and devices are at significant risk of widespread infection.

How Glasswall Handles Emotet Attacks

Glasswall stops Emotet-infected files by removing macros, preventing information leakage and repairing broken document structures. Glasswall Content Disarm and Reconstruction (CDR) instantly removes the threat presented by Emotet, with no ‘protection delta’ – the time before antivirus and sandboxing tools are updated to protect against new threats.

This is achieved via a four-step process:

Step 1 – Inspect

Three layers of the incoming file are inspected to verify that its digital DNA complies with the manufacturer’s specification, and the system corrects any deviations instantly.

Step 2 – Clean

High risk active content such as macros and embedded links are cleaned and removed from the original file (based on company policy), so only the users who need active content receive it.

Step 3 – Rebuild

The file is rebuilt to the authorised manufacturer’s standard, ensuring the file is clean and threat-free.

Step 4 – Deliver

The user instantly receives a safe, identical file that’s compliant, standardized, and trusted. This reduces the risk of malicious code hidden in malware from entering, therefore maintaining business continuity.

By removing VBA macros and metadata, Glasswall ensures the file’s binary structure conforms to the manufacturer’s specification. Crucially, it does so before the user is exposed to any risk, meaning the ‘Glasswalled’ file is released in a safe state with no malicious Emotet content.

‍