TrickBot or Emotet remediation workflow

Follow these steps to remediate a TrickBot or Emotet infection.

Introduction

The TrickBot or Emotet malware suite is one of the more pervasive and effective ones in the wild right now. It leverages several techniques and infection vectors to spread through an environment and gain persistence on compromised devices.

For effective protection, we recommend Intercept X Advanced with EDR.

If you have an active TrickBot or Emotet incident, we recommend contacting us and purchasing our Managed Threat Response Service. This is a highly trained team that can assist in your remediation and provide root cause analysis.

Check your devices

Make sure your devices are up to date and protected. To check your devices, do as follows:

  1. Make sure every device on your network has a working and updated version of Sophos Endpoint Protection.

    We don't recommend attempting to remediate a TrickBot or Emotet infection with Sophos Anti-Virus (on-premise). Sophos Anti-Virus lacks some of the features and tools that are effective in protecting against TrickBot or Emotet and that help with remediation.

  2. Update or remove any devices running old operating systems on which you can't install Sophos Endpoint Protection or get the appropriate Windows updates.
    1. Make sure your devices have all appropriate Windows security patches.

    A single system that is unprotected or unpatched can infect other devices that are protected and patched.

  3. During remediation, turn off any devices running Windows Server 2008 (other than Windows Server 2008 R2), Windows Server 2003, Windows XP, or earlier versions. Remove these devices from your network, because they risk spawning a new outbreak.

    This list of operating systems will change as versions of Windows become unsupported. For more information on our current system requirements, see Sophos Central Windows Endpoint System Requirements or Sophos Central Windows Server System Requirements.

Define the scope of the problem

Don't assume that every device on your network is protected, or that you know every device on your network. There are many ways of identifying devices on your network, and you may already have methods of doing this. The option that works best for you depends on your network size and segmentation.

One of the most common methods is to do a network scan and detect what is on the network at that moment.

You can use third-party tools to do this, such as Advanced IP Scanner.

If you don't want to use a third-party tool, you can use Source of Infection. This is a free Sophos tool. It isn't an antivirus product, and it won't detect or remove any malware. You leave it running on a device, and it logs every file that is written to that device.

It generates a log file containing a list of every file written. For each file, the log file contains the full file path, the date and time written, and whether a local or network process wrote it. For local processes, it lists the name and path of the file that wrote it. For a network process, it lists the remote IP address or device name.

You can then use the log file to identify the devices that contain potential undetected malware. For example, you can use it to investigate a protected device that is repeatedly getting detections, even after multiple remediation attempts. Repeated detections indicate that another device in the network is infected and is attempting to re-infect your protected device. Source of Infection can help you find that infected device.

You can find out more information about Source of Infection in the following knowledge base articles:

To scan your network, choose from the following options:

  • Use Advanced IP Scanner. See Advanced IP Scanner.

    This is a free and straightforward tool.


    Screenshot of the Advanced IP Scanner tool.
    It generates a list of active devices on your network that you can cross-check against the devices listed in your Sophos management software.
  • To use Source of Infection, do as follows:
    1. Download Source of Infection, see SourceOfInfection.zip.
    2. Move it to the device you want to investigate.
    3. Extract SourceOfInfection.exe to the root of the C drive.
    4. Open Command Prompt as an administrator.
    5. Type C:\SourceOfInfection.exe.
    6. Press Enter to run the command.
    7. Leave Source of Infection running. You must leave the command prompt window open to do this.
      Note You may have multiple infected devices attempting to infect other devices on your network. The longer you leave Source of Infection running, the more likely you will capture this information in the log.
    8. When a new malware detection occurs on the device, stop Source of Infection by closing the command prompt window.

      A new malware detection can happen in seconds or days, depending on your situation.

    9. Review the log file to find out the source of the infection. You can find the log file in %temp%\Source of Infection Log.csv.

      The log file is a CSV file, which you can open in Microsoft Excel or any text editor.

      The following example shows two suspicious files written to the device from a remote network location. These two IP addresses are likely infected devices.


      Example Source of Infection log file showing two infected hosts.
    10. Repeat this process for all the devices you want to investigate.
    11. Find, isolate, and protect any infected devices to prevent malicious files from spreading.
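The review in step 9 is a question of "which remote hosts wrote executable content to this device, and how often". The following PowerShell is an added example for answering that from the log; it is not part of the Source of Infection tool and not Sophos code. The page doesn't show the CSV header, so the column names used here (Time, Path, Origin, Writer) are assumed placeholders: rename them to match the header of your %temp%\Source of Infection Log.csv before use. The sample log is constructed for the example.

```powershell
# Added example, not Sophos code. Ranks the remote hosts that wrote executable content
# to this device according to a Source of Infection log.
# ASSUMPTION: column names Time, Path, Origin (Local/Network), Writer (writing process
# path for Local rows, remote IP or device name for Network rows). Adjust to your header.

$exeExtensions = '.exe', '.dll', '.scr', '.bat', '.cmd', '.vbs', '.js', '.ps1', '.lnk'

function Get-NetworkWriters {
    param(
        [Parameter(Mandatory)] [object[]] $Rows   # objects from Import-Csv / ConvertFrom-Csv
    )
    $Rows |
        Where-Object { $_.Origin -eq 'Network' -and
                       $exeExtensions -contains [System.IO.Path]::GetExtension($_.Path).ToLower() } |
        Group-Object Writer |
        Sort-Object Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                RemoteHost = $_.Name
                Writes     = $_.Count
                FirstSeen  = ($_.Group.Time | Sort-Object | Select-Object -First 1)
                Files      = ($_.Group.Path | Sort-Object -Unique) -join '; '
            }
        }
}

# Constructed sample log (not a real capture). Two remote hosts drop executables into the
# drop locations this workflow lists; the Local rows are ordinary application writes and
# the .txt row is a network write that is not executable, so all three are excluded.
$sampleLog = @'
Time,Path,Origin,Writer
2020-03-02 09:14:05,C:\Windows\abcdef.exe,Network,10.20.30.44
2020-03-02 09:14:06,C:\Windows\System32\qwerty.exe,Network,10.20.30.44
2020-03-02 09:16:11,C:\ProgramData\xyzabc.exe,Network,10.20.30.17
2020-03-02 09:16:12,C:\ProgramData\xyzabc.txt,Network,10.20.30.17
2020-03-02 09:20:00,C:\Users\alice\AppData\Roaming\Microsoft\Word\~WRL0001.tmp,Local,C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
2020-03-02 09:21:30,C:\Windows\Temp\update.exe,Local,C:\Windows\System32\svchost.exe
'@

# For the real log, replace the next line with:
#   $rows = Import-Csv "$env:TEMP\Source of Infection Log.csv"
$rows = $sampleLog | ConvertFrom-Csv
Get-NetworkWriters -Rows $rows | Format-Table -AutoSize
```

Run it on the collected log from each investigated device and merge the output: a remote host that appears as a writer on several devices is the one to isolate first (step 11). Local writers are deliberately left out of the ranking because the page's use case is finding the other infected device, but keep the full log, since a local write by an unexpected process is worth a look on its own.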

Check your protection

Sophos has recommended settings for threat protection. These use multiple layers of protection. These settings give protection against infection and aid the cleanup of infections. To check your protection, do as follows:

  1. Check if you're using our recommended settings in your threat protection policies.
  2. If you aren't using our recommended settings, turn on these settings in your threat protection policies.
  3. If you don't want to use all of our recommended settings, you must turn on the option that sends data on suspicious files and network events to Sophos Central for computers and servers. It's needed later in the remediation process. To do this, do as follows:
    1. Sign in to Sophos Central Admin.
    2. Click Endpoint Protection > Policies and turn on Allow computers to send data on suspicious files and network events to Sophos Central.
    3. Click Server Protection > Policies and turn on Allow servers to send data on suspicious files and network events to Sophos Central.

Patch your devices

Make sure that all your devices have the latest Windows security patches. You must make sure that you include the patch for the EternalBlue exploit. TrickBot or Emotet uses this exploit as one of its methods of spreading.

EternalBlue is an exploit that takes advantage of a vulnerability in Microsoft SMB, and was notably used by the WannaCry ransomware to spread. Patching devices and removing this infection vector makes it harder for TrickBot or Emotet to spread and protects you against other malware using EternalBlue.

Microsoft released the patch for EternalBlue in security bulletin MS17-010. The official Microsoft article explains how to verify whether a device has the patch. See How to verify that MS17-010 is installed.

Sophos has a simple PowerShell script that can be run on individual computers to confirm if they have the patch. For more information about this, see How to Verify if a Machine is Vulnerable to EternalBlue - MS17-010.

To patch your devices, do as follows:

  1. Check if your devices are vulnerable to EternalBlue.
  2. Update your devices with the latest Windows security patches.
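The following PowerShell is an added example of the check in step 1; it is not the Sophos script the page links to and not Microsoft code. It applies the method Microsoft's article describes: compare the version of %SystemRoot%\System32\drivers\srv.sys (the SMBv1 server driver that EternalBlue targets) with the minimum patched version for that OS build, and fall back to Get-HotFix for the KB numbers that delivered MS17-010. The minimum versions and KB numbers are transcribed from memory of Microsoft's article and should be confirmed against the current article before you rely on them.

```powershell
# Added example, not Sophos's script and not Microsoft code.
# ASSUMPTION: minimum srv.sys versions and KB numbers below are transcribed from Microsoft's
# "How to verify that MS17-010 is installed"; confirm them against the current article.

$minSrvVersion = @{
    '6.0.6002'   = [version]'6.0.6002.19743'    # Vista SP2 / Server 2008 SP2 (LDR branch 24067 also passes)
    '6.1.7601'   = [version]'6.1.7601.23689'    # Windows 7 SP1 / Server 2008 R2 SP1
    '6.2.9200'   = [version]'6.2.9200.22099'    # Windows 8 / Server 2012
    '6.3.9600'   = [version]'6.3.9600.18604'    # Windows 8.1 / Server 2012 R2
    '10.0.10240' = [version]'10.0.10240.17319'  # Windows 10 1507
    '10.0.10586' = [version]'10.0.10586.839'    # Windows 10 1511
    '10.0.14393' = [version]'10.0.14393.953'    # Windows 10 1607 / Server 2016
}

# KB packages that delivered MS17-010. Get-HotFix only lists a KB if that exact package was
# installed; later cumulative updates carry different KB numbers, so a missing KB is NOT
# proof of vulnerability. That is why the file version is checked first.
$ms17010Kbs = 'KB4012212', 'KB4012215', 'KB4012213', 'KB4012216', 'KB4012214', 'KB4012217',
              'KB4012598', 'KB4012606', 'KB4013198', 'KB4013429'

function Test-MS17010 {
    $srvPath = Join-Path $env:SystemRoot 'System32\drivers\srv.sys'
    $result  = [ordered]@{ Computer = $env:COMPUTERNAME; SrvSysVersion = $null; Status = $null; Detail = $null }

    if (-not (Test-Path $srvPath)) {
        # No SMBv1 server driver on disk: EternalBlue targets SMBv1, so there is nothing to patch.
        $result.Status = 'NotApplicable'
        $result.Detail = 'srv.sys not present (SMBv1 server not installed)'
        return [pscustomobject]$result
    }

    $vi = (Get-Item $srvPath).VersionInfo
    # FileVersion strings carry a branch suffix, e.g. "6.1.7601.23689 (win7sp1_ldr.170209-1600)",
    # so build the version from the numeric parts instead of casting the string.
    $ver = New-Object System.Version $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
    $result.SrvSysVersion = $ver.ToString()
    $key = '{0}.{1}.{2}' -f $ver.Major, $ver.Minor, $ver.Build

    if ($minSrvVersion.ContainsKey($key)) {
        if ($ver -ge $minSrvVersion[$key]) {
            $result.Status = 'Patched'
            $result.Detail = "srv.sys $ver is at or above $($minSrvVersion[$key])"
        } else {
            $result.Status = 'VULNERABLE'
            $result.Detail = "srv.sys $ver is older than $($minSrvVersion[$key]); install MS17-010"
        }
    } elseif ($ver.Major -eq 10 -and $ver.Build -gt 14393) {
        # Windows 10 1703 and later (and Server 2019) shipped after March 2017 with the fix built in.
        $result.Status = 'Patched'
        $result.Detail = "build $key postdates MS17-010"
    } else {
        $installed = Get-HotFix -Id $ms17010Kbs -ErrorAction SilentlyContinue |
                     Select-Object -ExpandProperty HotFixID
        $result.Status = if ($installed) { 'Patched' } else { 'Unknown' }
        $result.Detail = if ($installed) { "KB present: $($installed -join ',')" }
                         else { "build $key not in table; compare srv.sys $ver against Microsoft's article" }
    }
    [pscustomobject]$result
}

Test-MS17010

# Fleet-wide, from a management host with WinRM enabled (save this file first so the
# version table travels with the function):
#   Invoke-Command -ComputerName (Get-Content .\hosts.txt) -FilePath .\Test-MS17010.ps1 |
#       Where-Object Status -ne 'Patched' | Format-Table -AutoSize
```

Treat 'Unknown' as unpatched until you have checked the build against Microsoft's table, and note that a device reporting 'NotApplicable' can still be infected by the other spreading methods the page describes; this check covers only the EternalBlue vector.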

Scan and clean your devices

Scan your devices to find out how many TrickBot or Emotet infections you have. You then need to clean your devices to prevent reinfections.

To do this, do as follows:

  1. Make sure that all devices are patched and have Intercept X Advanced installed.
  2. Run a full scan on all of your devices. To scan a device, do as follows:
    1. Sign in to Sophos Central Admin.
    2. Click Endpoint Protection > Policies or Server Protection > Policies.
    3. In Threat Protection, click the policy assigned to the users, computers, or servers you want to check.
    4. Click Settings and scroll down to Scheduled Scanning.
    5. Turn on Enable scheduled scan.
    6. Set a time to run the scan.

      A scan needs the devices to be turned on and active.

    7. Turn off Enable deep scanning – scans inside archive files (.zip, .cab, etc.) and Scan all files.

      You need to do a full scan to index all the files. These additional settings slow down indexing or can prevent the scan from completing on some devices.

  3. After the full scan, you need to clean up the infection through Sophos Central Admin. To do this, do as follows:
    1. Sign in to Sophos Central Admin and click Threat Analysis Center > Threat Searches.
    2. Search the common malware drop locations.
      • C:\
      • C:\Windows
      • C:\Windows\System32
      • C:\Windows\Syswow64
      • C:\ProgramData
      • C:\Users\<Username>\AppData\Roaming\<random name>
    3. Go to one of the malware drop locations and click Network connections.

      This limits the list to only executable files that perform network connections. TrickBot or Emotet attempts to spread and needs to perform network connections.

    4. Look for executable files that stand out to you or that you're unsure about.
    5. For each of these files, click Generate a new threat case and Request latest intelligence from within the Threat Case to get further information.
    6. Check the data and click Clean and block, if necessary.

    If you need more information on a file, submit a sample, see How to submit samples of suspicious files to Sophos.

  4. Check Threat Cases and Alerts for new and recent detections. Look for signs of TrickBot or Emotet detections.
    • CXmal/Emotet-C
    • HPmal/Emotet-D
    • HPmal/TrikBot-G
    • Mal/EncPk-AN
    • HPmal/Crushr-AU
    • Troj/Inject-DTW
    • Troj/LnkRun-T
    • AMSI/Exec-P
    • Troj/Emotet-CJW
  5. Also check for the following generic and behavioral detections, which can indicate the same infection:
    • Mal/Generic-R
    • Mal/Generic-S
    • ML/PE-A
    • Code Cave
    • APC Violation
    • Safe Browsing
    • LoadLib
  6. Repeat this process for each file in Threat Searches.
  7. Clean up any infected files.
  8. Restart all your devices to clear any infections in memory.
  9. Repeat these steps until no signs of TrickBot or Emotet remain.

Final remediation

If you're still getting detections, there's still an infected device on your network.

TrickBot or Emotet infections persist in both file-based and fileless forms. To remediate them, you need to reduce their ability to replicate in both forms. For more information on how this malware functions, see Resolving outbreaks of Emotet and TrickBot malware.

To find the remaining infected devices, do as follows:

  1. Repeat the steps in this workflow.
  2. If you can't find the source of the detection, click Threat Analysis Center > Threat Searches and check these locations where TrickBot or Emotet has been found.
    • C:\Windows\<A Randomly Named EXE>
    • C:\windows\system32\<A Randomly Named EXE>
    • C:\Windows\Syswow64\<A Randomly Named EXE>
    • C:\stsvc.exe
    • C:\Users\<username>\AppData\Roaming\<A Randomly Named EXE>
    • C:\Users\<username>\AppData\Roaming\<Six-Letter-Folder>
    • C:\ProgramData\<Randomly Named EXEs>
  3. When you find the executable file that is avoiding detection, Submit a Sample.
  4. If you can’t find the executable file, contact Sophos MTR Rapid Response or Support.
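The Threat Searches filter described in "Scan and clean your devices" (executables in the drop locations that make network connections) and the drop-location list in step 2 above can also be applied directly on a device you are triaging, for example one that has no Central data. The following PowerShell is an added example of doing that; it is neither a Sophos tool nor a replacement for Threat Searches. It assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection), PowerShell 5 or later (for -Depth), and an elevated prompt so that every user's Roaming folder and every process path are readable.

```powershell
# Added example, not Sophos code. Enumerates executables in the drop locations this workflow
# names, then flags the ones whose running process holds an established network connection,
# mirroring the "Network connections" filter in Threat Searches.
# ASSUMPTIONS: Windows 8 / Server 2012+, PowerShell 5+, run elevated.

$dropPaths = @(
    "$env:SystemDrive\",
    $env:SystemRoot,
    "$env:SystemRoot\System32",
    "$env:SystemRoot\SysWOW64",
    $env:ProgramData
) + @(Get-ChildItem "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
      ForEach-Object { Join-Path $_.FullName 'AppData\Roaming' })

function Get-DropLocationExecutables {
    $running   = Get-Process -ErrorAction SilentlyContinue | Where-Object Path
    # Established connections keyed by owning PID (string keys, hence -AsString).
    $connByPid = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
                 Group-Object OwningProcess -AsHashTable -AsString
    if (-not $connByPid) { $connByPid = @{} }

    foreach ($root in $dropPaths) {
        if (-not (Test-Path $root)) { continue }
        # Roaming gets one extra level for the <Six-Letter-Folder>\<random>.exe pattern the page cites.
        $depth = if ($root -like '*\AppData\Roaming') { 1 } else { 0 }
        $files = Get-ChildItem -Path $root -Filter *.exe -File -Depth $depth -ErrorAction SilentlyContinue
        foreach ($f in $files) {
            $procs = $running | Where-Object { $_.Path -ieq $f.FullName }
            $conns = foreach ($p in $procs) {
                foreach ($c in @($connByPid["$($p.Id)"])) {
                    if ($c) { '{0}:{1}' -f $c.RemoteAddress, $c.RemotePort }
                }
            }
            [pscustomobject]@{
                Path        = $f.FullName
                Created     = $f.CreationTime
                Signature   = (Get-AuthenticodeSignature -FilePath $f.FullName).Status
                SHA256      = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
                Running     = [bool]$procs
                Connections = ($conns -join ', ')
            }
        }
    }
}

$report = Get-DropLocationExecutables

# Triage view: anything with a live connection first, then unsigned or tampered files, newest first.
$report |
    Where-Object { $_.Connections -or $_.Signature -ne 'Valid' } |
    Sort-Object @{ Expression = { [bool]$_.Connections }; Descending = $true },
                @{ Expression = 'Created'; Descending = $true } |
    Format-Table Path, Created, Signature, Running, Connections -AutoSize

# Full inventory with hashes, for cross-checking against Threat Searches or a sample submission.
$report | Export-Csv -NoTypeInformation -Path "$env:TEMP\drop-location-executables.csv"
```

An unsigned file in these paths is not proof of infection, and a signed one is not proof of innocence; the hash column is there so you can look the file up or submit it as a sample rather than judge it by name. Because the page notes that these infections also run in a fileless form, a connection held by an injected process (one that was not launched from the dropped file) will not be attributed to that file here, so a clean result from this script does not close the investigation: repeat the full workflow as step 1 says.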