Remediating Emotet/Trickbot

We know dealing with an Emotet and/or Trickbot infection can be a major pain. These banking trojans are self propagating and can spread rapidly through a network. On top of that, they typically install other malware and sometimes ransomware. Often times it seems as soon as you clean a host, it is re-infected.

We've helped dozens of Huntress partners fight Emotet and Trickbot infections. This article highlights field tested techniques to help contain the threat, slow the spread, and begin the remediation process.

Disable Administrative Shares

This is highly recommended. It will help prevent hosts from reinfecting one another.

Emotet/Trickbot spreads laterally through networks via Windows administrative shares. These are the hidden shares—such as Admin$, IPC$, and C$—that are enabled by default on Windows hosts for administrative purposes. Emotet and Trickbot use a technique similar to Microsoft's PsExec tool to copy/execute payloads onto a remote victim host. This technique relies on the ability to access administrative shares. Temporarily disabling administrative shares will help to slow the spread and prevent re-infection after a host has been cleaned.
To disable the administrative shares via the registry, create a  REG_DWORD value under  HKEY_LOCAL_MACHINE\ SYSTEM\CurrentControlSet\Services\LanmanServer\ Parameters registry key. The value data should be set to 0.
  • On Windows workstations (7, 8.1, and 10), use the value name AutoShareWks
  • On Windows servers (2008, 2012, and 2016), use the value name AutoShareServer

In the image below, we used "net share" to view the administrative shares, then created the AutoShareWks DWORD value, restarted the server service, and then used "net share" again to verify the administrative shares (C$, D$, and ADMIN$) were no longer present.

Alternatives that have the same effect. Several of our partners have used these method successfully.

  • Stop and disable the LanmanServer (Server) service. If you only stop it, when the system is rebooted the service will auto-start.
  • Use a Group Policy to enable the Windows Firewall, block access to port 445 (SMB).

NOTE Disabling administrative shares on servers (or disabling the Server service/blocking port 445) may prevent user's from accessing shared resources and will also prevent Windows domain authentication.

Change Passwords

In order to access the administrative shares on remote hosts, Emotet and Trickbot will attempt to reuse stolen credentials and  impersonate access tokens from a compromised host. It may also attempt to brute force the local administrator's password. Repeated re-infections are an indication that Emotet and/or Trickbot have gathered administrative credentials on a host or are running as user belonging to an administrative group. With this in mind, we suggest changing each host's local administrator password to something unique ( Microsoft's LAPS can ease this burden if within an Active Directory environment). Additionally, you will need to consider the risk that your local and domain users passwords may have been collected and follow your local procedures for this process.

Install MS17-010 Patch

Verify you have the  MS17-010 patch installed. The patch is a fix for the vulnerability that was exploited to spread WannaCry ransomware  in 2017. The exploit was later added to Emotet.

Deploy the Huntress Agent Throughout the Network

We often see hosts that are re-infected even after it appears that all the malicious files have been removed from the network. Typically we find there was an infected host that was powered off or did not have the Huntress Agent installed. If passwords were not changed and administrative shares were not disabled, as soon as this "offline" host was powered on it would start infecting other hosts.

If you have new Emotet and/or Trickbot services, review the event log from the host specifically looking for event id 4697. This is the service creation event. The log should show what account/computer created the service which may help to identify compromised accounts and other hosts.

What to Expect from Huntress

Depending on the extent of the infection we may temporarily disable incident reports. If hosts are constantly getting re-infected, new incident reports will be generated each time. (We've seen networks with hundreds of infected hosts that were constantly re-infecting one another.) We do not want to inundate your ticket queue for hosts that have already been reported.

We will send a list of all the infected hosts as well as instructions to customize this remediation script for the particular infection. (Trickbot periodically changes the service names it uses. We will provide the commands required to remove Trickbot based on the service names we are seeing on your network.) 

Once the re-infection rate has slowed, we will start sending incident reports again.

If you have any questions, please do not hesitate to contact Huntress support at support<@>huntress.io.

Still need help? Contact Us Contact Us