Emotet Malware Causes Physical Damage

Microsoft is reporting that an Emotet malware infection shut down a network by causing computers to overheat and then crash.

The Emotet payload was delivered and executed on the systems of Fabrikam — a fake name Microsoft gave the victim in their case study — five days after the employee’s user credentials were exfiltrated to the attacker’s command and control (C&C) server.

Before this, the threat actors used the stolen credentials to deliver phishing emails to other Fabrikam employees, as well as to their external contacts, with more and more systems getting infected and downloading additional malware payloads.

The malware further spread through the network without raising any red flags by stealing admin account credentials and authenticating itself on new systems, which were later used as stepping stones to compromise other devices.

Within 8 days of that first booby-trapped attachment being opened, Fabrikam’s entire network was brought to its knees despite the IT department’s efforts, with PCs overheating, freezing, and rebooting because of blue screens, and Internet connections slowing down to a crawl because of Emotet devouring all the bandwidth.

The infection mechanism was one employee opening a malicious attachment to a phishing email. I can’t find any information on what kind of attachment.
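The spreading pattern described above, one set of stolen admin credentials used to authenticate to host after host, is something a defender can look for in logon telemetry. The following is an added example, not code from the article, Microsoft, or Fabrikam: it flags any account that authenticates to more than a threshold of distinct hosts inside a sliding time window, over constructed sample records (hypothetical account and host names) in a simplified form loosely modelled on Windows network logon events.

```python
"""Flag one account fanning out to many hosts in a short window, the lateral-movement
pattern described above (added example, not from the article or Microsoft)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: "timestamp,account,source_host,destination_host".
# Account and host names are hypothetical; the form is a simplification of a
# Windows 4624 network logon (logon type 3) rather than real event-log output.
SAMPLE_LOGONS = """\
2020-03-01T09:00:00,FABRIKAM\\svc_admin,WS-017,WS-018
2020-03-01T09:00:20,FABRIKAM\\svc_admin,WS-017,WS-019
2020-03-01T09:00:45,FABRIKAM\\svc_admin,WS-018,WS-021
2020-03-01T09:01:10,FABRIKAM\\svc_admin,WS-019,WS-022
2020-03-01T09:01:30,FABRIKAM\\svc_admin,WS-019,FS-01
2020-03-01T09:02:00,FABRIKAM\\svc_admin,WS-021,FS-02
2020-03-01T09:05:00,FABRIKAM\\jdoe,WS-017,FS-01
2020-03-01T10:15:00,FABRIKAM\\jdoe,WS-017,PRINT-01
"""


def parse_logons(text):
    """Parse the CSV-style records into sorted (timestamp, account, src, dst) tuples."""
    events = []
    for line in text.splitlines():
        ts, account, src, dst = line.split(",")
        events.append((datetime.fromisoformat(ts), account, src, dst))
    return sorted(events)


def fan_out_accounts(events, window=timedelta(minutes=10), max_hosts=4):
    """Return {account: set(destination hosts)} for every account that authenticated
    to more than max_hosts distinct destinations within any window-length span."""
    by_account = defaultdict(list)
    for ts, account, _src, dst in events:
        by_account[account].append((ts, dst))
    flagged = {}
    for account, hits in by_account.items():
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it fits inside `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            hosts = {dst for _ts, dst in hits[start:end + 1]}
            if len(hosts) > max_hosts:
                flagged[account] = flagged.get(account, set()) | hosts
    return flagged


if __name__ == "__main__":
    for account, hosts in fan_out_accounts(parse_logons(SAMPLE_LOGONS)).items():
        print(f"{account}: {len(hosts)} hosts within 10 min: {sorted(hosts)}")
```

With the constructed sample, the admin account reaches six hosts in two minutes and is flagged, while the ordinary user touching two hosts an hour apart is not; tuning the window and threshold to a real environment's baseline is what separates this from noise.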

Posted on April 6, 2020 at 11:26 AM

Comments

Dancing On Thin Ice April 6, 2020 3:10 PM

This is fake news; the actual victim company was Contoso 🙂

The phrase “fake news” is overused; it originally was applied to totally made up crap like the National Enquirer or InfoWars.
Fabrikam is the equivalent of Dragnet stressing just the facts in their intro: “The story you are about to see is true. The names have been changed to protect the innocent” (or protect us from being sued for slander or divulging sensitive information)

Clive Robinson April 6, 2020 3:42 PM

@ Bruce, ALL,

Emotet malware infection shut down a network by causing computers to overheat and then crash.

The overheating and crashing may be entirely accidental not deliberate as the result of poorly configured computers[1].

Emotet has a “bruteforcing” module to try to get credentials,

https://thehackernews.com/2020/02/emotet-malware-wifi-hacking.html

As most should remember from the Bob Morris Worm days, unless the person developing such a system takes significant care you get an exponential resource requirement that leads to a runaway issue[2], one side effect of which is that things fail to function.

Thus it’s entirely possible that the brute force module is now incorrectly set for some reason[1]. The result is the CPU etc. overheats and firstly “soft fails”, moving on with time to “hard fails”. There are CPUs out there which were meant for low power usage that have this soft fail to hard fail characteristic anyway; many of them ended up in lower cost devices such as NAS boxes and lower end battery powered devices.

It would be nice to see data on the machines that failed.

[1] I’ve been told unofficially that the timeline says it started happening after a “CPU hardware fix” appeared. However I’ve not seen any actual evidence other than the times involved. If anyone knows more on this I for one would sure like to know about it, because it could identify vulnerable machines before they are attacked, and as they say “An ounce of prevention is worth a ton of cure”.

[2] As most design engineers of machines, be they mechanical, electronic or quantum, know, runaway resource issues lead to failures. It’s like putting a “nitro kit on a Mini engine and keeping your foot on the pedal”: fairly quickly something will “burn out”.

Clive Robinson April 6, 2020 3:47 PM

@ Dancing On Thin Ice,

@Steve Friedl’s comment is a joke from start to finish.

“Contoso” is the fake company name Microsoft use in their MS Office and other training information for quite some time now.

Clive Robinson April 6, 2020 3:54 PM

@ Bruce,

I can’t find any information on what kind of attachment.

History suggests you might be looking for an attached document attack via the likes of an MS Office “macro” style payload; it’s been used in the past with Emotet.

A dubious person April 6, 2020 4:01 PM

@Bruce: I read both the bleepingcomputer article and the Microsoft advertisement (because that’s what it is) behind it, and did not see any reference to actual physical damage, a claim you repeat in your headline. Shutdowns are what happens when motherboard temp sensors detect overheating, so that’s the hardware working as it’s supposed to; bluescreens on Windows systems are also generally transient problems. Did I miss something?

I also didn’t see any explanation whatsoever of what the malware was actually doing to monopolize the CPUs and network bandwidth as claimed. That makes me wonder what this was really all about. The attack otherwise appears to be mere credential stealing for impersonation fraud. CPU-stealing is generally about cryptocoin mining, and network saturation is either a really badly coded propagation algorithm or straight-up DoS, but none of those seem to apply here. So those are claims that raise many questions but answer none.

I did see a number of overwrought BS-meter-triggering claims, with this particular one standing proud: “When the last of their machines overheated, Fabrikam knew the problem had officially spun out of control.”

(Seriously? The company’s IT people were blissfully unaware of an ongoing security incident until EVERY SINGLE MACHINE had gone down? If I were the IT manager at “Fabrikam” I’d be considering a libel suit against MS over that characterization.)

The MS writeup even suggests that they tried to RDP in to figure out why the client’s network was completely unusable, as if that weren’t something a “certified professional” could have predicted.

I also don’t have any idea what their networked surveillance cameras have to do with any of this, so I figure that mentioning that is just more puffery, to make things sound scarier to people who don’t know any better, which I will admit is the obvious audience for all this.

The gist of the MS dog-and-pony doc seems to be that this poor company was blindsided by a highly novel and devious attack that they never would have thought to defend against, and it took the genius white knights of MS’ premium-paid-support to save them from a fate worse than death and teach them some brilliant new schemes to protect against such inventive troublemakers. The conclusions and recommendations are a similar combination of shallow obviousness and MS-cheerleading, basically amounting to “use more (of MS’) automated security,” which seems just a bit tone deaf considering that this all started with phishing (i.e, the ignorance of a typical business PC user was the initial system failure). They even include a gratuitous and ironic statistic to suggest that phishing with evil MS-Office attachments is not a big problem nowadays, when it was apparently not only the initial infection vector, but also the primary spreading mechanism.

I wouldn’t go so far as to tell anyone here not to bother digging any deeper into this, because there are certainly lessons to be learned. I just don’t think any of them are the lessons that the article and MS paper think they’re teaching. As a case study for skeptical inquiry and critical thinking, maybe.

Phaete April 6, 2020 4:24 PM

Re: Attachment.

The picture says that the initial user got a warning that the file would be opened with cmd.exe.
So it looks not like a document but rather obfuscated script or start command for file in temp or similar.

Phaete April 6, 2020 4:36 PM

This smells like a cheap outsourced IT company (I haven’t checked out the above company name story yet).
Just in my home network I would get email/text as soon as an important machine overheats or stops responding.
On (more?) professional networks I expect to see DNS monitoring, webserver content monitoring, database monitoring and a whole slew more.
I read 185 cameras; same here, monitor them and know when they’re broken or disabled etc.
I’m smelling incompetence, either by the IT company or the person who selected which one to use.

Sancho_P April 6, 2020 5:56 PM

I’d be cautious with anything Mi$o reports.
Also strange: What is the name of the vulnerable OS? And they take money to help?

Most of the machines I see from my neighborhood are (old and) dirty, esp. the laptops have their heat exchanger clogged. Also the thermal compound is dried out. Running at the CPU thermal limit will damage nearby capacitors quickly.
Lesson to learn: Open your boxes and clean in time!

Dave April 7, 2020 12:34 AM

Could this be related to Windows 10’s “Modern Sleep”, which will actually cook computers, particularly laptops?

If you’re not familiar with the issue, google “windows 10 modern sleep overheating” or similar.

Clive Robinson April 7, 2020 4:19 AM

@ Sancho_P,

Lesson to learn: Open your boxes and clean in time!

You mean,

    Cleanliness is next to Gödeliness

Clive Robinson April 7, 2020 5:01 AM

@ Dave,

Could this be related to Windows 10’s “Modern Sleep”, which will actually cook computers

As far as I was aware from others, the “Modern Sleep” issue on Win10 was due to audio and wifi/network interrupts preventing the standby from entering into the low power “DRIPS” mode of CPU operation.

It appears that MS assumed that the laptop was being used as an “office desktop” and that things like “updates” and “Cortina” system should remain active…

Thus if you think the laptop is in a low power state and you put it in a protective sleeve and in your backpack/bag, you are in effect moving around with it in a zero air movement environment. So if you check it after a while you will probably make the observation of,

It’s hot. Damn hot! Real Hot!

(I’ve left off the “shorts” and “cooking” part of the “Good morning Vietnam” quote 😉

A dubious person April 7, 2020 3:12 PM

Re: email attachments handled by CMD.EXE

I’d assumed that the attachment in the phishing emails would be an MSOffice document, or perhaps a PDF[1]. The thought that Outlook would actually launch a command-prompt process to run a .BAT attachment disgusts me well beyond my usual disgust for Outlook.

If it’s even possible to misconfigure one’s official corporate MUA so stupidly, I’d suggest that said MUA is simply Unfit For Purpose. The follow-on thought that “Fabrikam”‘s IT people would be so clueless as to allow such behavior on their internal systems does not surprise me much, given the way that the MS shill-job paints them as a bunch of incompetents.

  1. With most PDF reader programs “helpfully” including the enabled-by-default[2] ability to silently execute arbitrary Javascript code, PDFs are potentially even more dangerous than Office docs. A curious feature to find in a file format that purports to be “read/print only.”

  2. At least with Adobe’s attractive-nuisance Acrobat Reader, anyway; I don’t know whether Preview, or Foxit, or any other common alternatives share this misfeature. I’m grateful that xpdf doesn’t, or I’d have to start a scratch VM with no network access every time I wanted to look at a PDF.
