Remediating Emotet/Trickbot – Huntress Product Support

Team: Huntress EDR
Product: Emotet, Trickbot
Environment: Huntress EDR
Summary: Banking Trojans rapidly spread and self-propagate. In order to help prevent the spread of Emotet and Trickbot malware, Huntress recommends disabling administrative shares, changing passwords, and installing the MS17-010 patch for better protection.

We know dealing with an Emotet and/or Trickbot infection can be a major pain. These banking Trojans are self-propagating and can spread rapidly through a network. On top of that, they typically install other malware and sometimes ransomware. Often it seems as soon as you clean a host, it is re-infected.

We've helped dozens of Huntress partners fight Emotet and Trickbot infections. This article highlights field-tested techniques to help contain the threat, slow the spread, and begin the remediation process.

Disable Administrative Shares

Disabling Administrative Shares is highly recommended. It will help prevent hosts from re-infecting one another.

Emotet/Trickbot spreads laterally through networks via Windows administrative shares. These are the hidden shares—such as Admin$, IPC$, and C$—that are enabled by default on Windows hosts for administrative purposes. Emotet and Trickbot use a technique similar to Microsoft's PsExec tool to copy/execute payloads onto a remote victim host. This technique relies on the ability to access administrative shares. Temporarily disabling administrative shares will help to slow the spread and prevent re-infection after a host has been cleaned.

To disable the administrative shares via the registry, create a REG_DWORD value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters registry key. The value data should be set to 0.

On Windows workstations (7, 8.1, and 10), use the value name AutoShareWks
On Windows servers (2008, 2012, and 2016), use the value name AutoShareServer

In the image below, we used "net share" to view the administrative shares, then created the AutoShareWks DWORD value, restarted the server service, and then used "net share" again to verify the administrative shares (C$, D$, and ADMIN$) were no longer present.

Note: you must restart the server service (or reboot) for the changes to the admin share to take effect.

See here for information on disabling administrative shares (applies to Windows server).

Alternatives that have the same effect

Several of our partners have used these methods successfully:

Stop and disable the LanmanServer (Server) service. If you only stop it, when the system is rebooted, the service will auto-start.
Use a Group Policy to enable the Windows Firewall, block access to port 445 (SMB).

NOTE Disabling administrative shares on servers (or disabling the Server service/blocking port 445) may prevent user's from accessing shared resources and will also prevent Windows domain authentication.

Change Passwords

In order to access the administrative shares on remote hosts, Emotet and Trickbot will attempt to reuse stolen credentials and impersonate access tokens from a compromised host. It may also attempt to brute force the local administrator's password. Repeated re-infections are an indication that Emotet and/or Trickbot have gathered administrative credentials on a host or are running as a user belonging to an administrative group. With this in mind, we suggest changing each host's local administrator password to something unique ( Microsoft's LAPS can ease this burden if within an Active Directory environment). Additionally, you will need to consider the risk that your local and domain users' passwords may have been collected and follow your local procedures for this process.

Install MS17-010 Patch

Verify you have the MS17-010 patch installed. The patch is a fix for the vulnerability that was exploited to spread WannaCry ransomware in 2017. The exploit was later added to Emotet.

Deploy the Huntress Agent Throughout the Network

We often see hosts that are re-infected even after it appears that all the malicious files have been removed from the network. Typically we find there was an infected host that was powered off or did not have the Huntress Agent installed. If passwords were not changed and administrative shares were not disabled, as soon as this "offline" host was powered on it would start infecting other hosts.

If you have new Emotet and/or Trickbot services, review the event log from the host specifically looking for event id 4697. This is the service creation event. The log should show what account/computer created the service, which may help to identify compromised accounts and other hosts.

What to Expect from Huntress

Depending on the extent of the infection we may temporarily disable incident reports. If hosts are constantly getting re-infected, new incident reports will be generated each time. We've seen networks with hundreds of infected hosts that were constantly re-infecting one another. Our goal is not to flood your ticket queue with new reports for hosts that have already been reported.

Should you choose to remediate, you have the option of using Assisted Remediation which will attempt to remediate an incident automatically. Huntress also provides a PowerShell script that may help. The script can be customized based on the details included in the incident reports. Note the script is provided as-is and we are unable to support it.

Once the re-infection rate has slowed, we will resume sending incident reports.

If you have any questions, please do not hesitate to contact Huntress support using the button below or by email at support@huntress.io.