The malware known as Emotet has emerged as “one of the most prevalent ongoing threats”, as it increasingly targets state and local governments and infects them with other malware, according to the cybersecurity arm of the Department of Homeland Security. Emotet was first identified in 2014 as a relatively simple trojan for stealing banking account credentials. Within a year or two, it had reinvented itself as a formidable downloader or dropper that, after infecting a PC, installed other malware – such as the Trickbot banking trojan and the Ryuk ransomware. Over the past month, Emotet has successfully burrowed into Quebec’s Department of Justice and increased its onslaught on governments in France, Japan, and New Zealand. It has also targeted the Democratic National Committee. Emotet has a number of troubling features, including the ability to spread to nearby Wi-Fi networks, worm-like features that steal administrative passwords, and email thread hijacking.
Whilst usually hard to detect, the Emotet malware has notably been frustrated by ESET protection, even leading Emotet writers to drop comments into their code in irritation.
The resurgence of Emotet this year has been particularly dangerous and governments around the world have been warning about it. I’m glad to see CISA pushing the messaging and bringing awareness to this serious threat. What’s troubling is that so many City, County, and State authorities are still running older tech which makes them far more vulnerable to attacks, and to data exfiltrations, as well as to innuendo about the security and reliability of our upcoming elections.
Emotet has been around since 2014 and is usually spread through an email that contains a doc or malicious link, usually with language pertaining to an invoice or necessary payment, and these days even on shipping updates. Once someone clicks the link or opens the malicious document, it collects your contacts list and proceeds to email those contacts pretending to be you. Those contacts are then placed at a huge risk because the email they’re receiving is usually from someone they know (you), so they trust the link or doc attached.
Emotet also spreads by pushing out common passwords to try to get into other connected systems. And it doesn’t stop there – bank trojans, TrickBot, and QakBot are all usually spread by Emotet. Trickbot uses the same method as WannaCry to spread by utilizing Microsoft SMB aka EternalBlue. We’ve especially seen it in the U.S., Canada, and Europe, stealing banking credentials and collecting financial data.
Tips to stay safe: a) be up to date with all the latest patches, especially with Microsoft Windows; and b) never download attachments or click any links until you have a second verification that the person sent the item to you – this can be via a text, a call, internal messaging, etc.
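The "pushing out common passwords" behaviour described above is, from the log side, a password spray: one source host, many accounts, one or two guesses each. The following is an added example for this article, not Emotet's code and not any vendor's rule, that picks that pattern out of Windows failed-logon events. The records are constructed and modelled on a few Event ID 4625 fields; the field names are an assumption for this example rather than a Windows schema.

```python
"""Password-spray detection over Windows failed-logon events.

Added example for this article; it is not Emotet's code and not any
vendor's detection rule. The records below are constructed and modelled
on a few Event ID 4625 (failed logon) fields; the field names are an
assumption for this example, not a Windows schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 10.0.0.25 tries one password against six accounts in
# 30 seconds (spray pattern); 10.0.0.40 is a user mistyping their own
# password several times (not a spray); the successful 4624 is ignored.
SAMPLE_EVENTS = [
    {"time": "2020-10-06T09:00:01", "event_id": 4625, "src_ip": "10.0.0.25", "target_user": "alice"},
    {"time": "2020-10-06T09:00:05", "event_id": 4625, "src_ip": "10.0.0.25", "target_user": "bob"},
    {"time": "2020-10-06T09:00:09", "event_id": 4625, "src_ip": "10.0.0.25", "target_user": "carol"},
    {"time": "2020-10-06T09:00:14", "event_id": 4625, "src_ip": "10.0.0.25", "target_user": "dave"},
    {"time": "2020-10-06T09:00:20", "event_id": 4625, "src_ip": "10.0.0.25", "target_user": "erin"},
    {"time": "2020-10-06T09:00:30", "event_id": 4625, "src_ip": "10.0.0.25", "target_user": "frank"},
    {"time": "2020-10-06T09:05:00", "event_id": 4625, "src_ip": "10.0.0.40", "target_user": "bob"},
    {"time": "2020-10-06T09:05:10", "event_id": 4625, "src_ip": "10.0.0.40", "target_user": "bob"},
    {"time": "2020-10-06T09:05:25", "event_id": 4625, "src_ip": "10.0.0.40", "target_user": "bob"},
    {"time": "2020-10-06T09:05:40", "event_id": 4625, "src_ip": "10.0.0.40", "target_user": "bob"},
    {"time": "2020-10-06T09:05:55", "event_id": 4625, "src_ip": "10.0.0.40", "target_user": "bob"},
    {"time": "2020-10-06T09:06:10", "event_id": 4624, "src_ip": "10.0.0.40", "target_user": "bob"},
]


def detect_password_spray(events, min_accounts=5, window=timedelta(minutes=10)):
    """Return {src_ip: sorted distinct accounts} for every source whose failed
    logons cover at least `min_accounts` distinct accounts inside some
    `window`-long interval. Many accounts with few attempts each is the
    spray signature; many attempts on one account is not flagged here."""
    by_src = defaultdict(list)
    for e in events:
        if e.get("event_id") != 4625:
            continue
        by_src[e["src_ip"]].append((datetime.fromisoformat(e["time"]), e["target_user"]))

    findings = {}
    for src, attempts in by_src.items():
        attempts.sort()
        best = set()
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until the span fits in `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            accounts = {user for _, user in attempts[start:end + 1]}
            if len(accounts) > len(best):
                best = accounts
        if len(best) >= min_accounts:
            findings[src] = sorted(best)
    return findings


if __name__ == "__main__":
    for src, accounts in detect_password_spray(SAMPLE_EVENTS).items():
        print(f"possible password spray from {src}: {len(accounts)} accounts {accounts}")
```

The threshold and window are deliberately parameters: on a real domain controller the right values depend on account count and normal helpdesk traffic, and the check should be run over the authentication source that actually sees the lateral attempts (domain controllers, or the hosts' own Security logs when attempts are local).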
The Cybersecurity and Infrastructure Security Agency (CISA) warning about the surge in Emotet malware infections is appropriate, but a little late, as other countries had issued warnings a month before. It is another example of malware authors using professional development cycles to keep their malicious wares relevant.
Organizations are in a constant state of “catching up” with these alerts, as the threats constantly change and evolve and security practitioners deploy their most effective tools. However, it will take a coordinated and concerted effort by governments around the world to put a dent in these international cyber criminal organizations.
The surge in evolved Emotet attacks perfectly exemplifies the need to continuously educate users on how to detect and avoid phishing emails. Although spam filters and other methods of blocking malicious emails should be in place for all organizations, it only takes one email to get through and successfully trick a user for Emotet to start moving laterally throughout a network and eventually into domain admin rights. Emotet will also hijack legitimate, existing email threads once a host has been infected, so users need to be wary of every email they receive and not just new threads from fake or spoofed addresses.
Unfortunately, it’s inevitable that a user will eventually slip up, succumb to a phishing attack, and become infected. That’s when Emotet starts to move laterally through the network until they become a domain admin. However, it’s possible to block this attack by using a combination of real-time threat detection and response as well as Privileged Access Management, ultimately reducing the standing privilege in a network to zero. As long as Emotet can’t gain domain admin privileges, the scope of the attack can be greatly reduced (which also buys time for the security team to remove the malware).
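The thread hijacking described in the two comments above has a usable defensive signature: the lure is a reply to a genuine conversation (it carries In-Reply-To/References headers and quoted text), but it arrives from an address that never took part in that thread, usually with an Office document or archive attached. The following is an added example for this article, not code from any vendor, product or from Emotet itself, of a mailbox-side triage check built on that observation. The participant table and both sample messages are constructed.

```python
"""Triage heuristic for Emotet-style hijacked-thread replies.

Added example for this article; not code from any vendor, product or from
Emotet itself. A hijacked-thread lure replies to a real conversation
(In-Reply-To/References present, quoted text in the body) but comes from
an address that was never a participant of that thread, typically with an
Office document or archive attached. The participant table and both
messages below are constructed.
"""
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed: addresses this mailbox has already seen on each thread,
# keyed by the Message-ID of the thread's root message.
KNOWN_THREAD_PARTICIPANTS = {
    "<root-1@example.com>": {"alice@example.com", "bob@partner.example"},
}

# Attachment types treated as an escalation on an outsider reply, not as a
# finding on their own.
RISKY_SUFFIXES = (".doc", ".docm", ".xls", ".xlsm", ".zip")


def reply_root(msg):
    """Message-ID this message replies to, from In-Reply-To or References."""
    in_reply_to = (msg.get("In-Reply-To") or "").strip()
    if in_reply_to:
        return in_reply_to
    refs = (msg.get("References") or "").split()
    return refs[0] if refs else None


def assess_reply(raw, known=KNOWN_THREAD_PARTICIPANTS):
    """Return the reasons (possibly none) a raw RFC 5322 message looks like a
    hijacked-thread lure. Non-replies, replies on threads this mailbox has
    not seen, and replies from known participants return an empty list."""
    msg = message_from_bytes(raw, policy=policy.default)
    root = reply_root(msg)
    if root is None:
        return []
    participants = known.get(root)
    if participants is None:
        return []  # nothing to compare against for an unknown thread
    _, sender = parseaddr(msg.get("From", ""))
    if sender.lower() in participants:
        return []
    reasons = [f"reply to thread {root} from {sender}, who is not a participant"]
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != sender.lower():
        reasons.append(f"Reply-To {reply_to} differs from From {sender}")
    risky = [a.get_filename() or "" for a in msg.iter_attachments()
             if (a.get_filename() or "").lower().endswith(RISKY_SUFFIXES)]
    if risky:
        reasons.append(f"document/archive attachment on an outsider reply: {risky}")
    return reasons


def build_message(sender, in_reply_to, body, attachment=None, reply_to=None):
    """Build a constructed sample message as bytes (test helper only)."""
    m = EmailMessage(policy=policy.default)
    m["From"] = sender
    m["To"] = "alice@example.com"
    m["Subject"] = "RE: Q3 invoice"
    m["In-Reply-To"] = in_reply_to
    m["References"] = in_reply_to
    if reply_to:
        m["Reply-To"] = reply_to
    m.set_content(body)
    if attachment:
        # Placeholder bytes stand in for the attachment; no real document.
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_bytes()


# Constructed samples: a lure quoting the real thread from an unrelated
# address, and a genuine reply from a known participant.
LURE = build_message("Bob <bob@mailer-example.net>", "<root-1@example.com>",
                     "Please see the attached, as discussed.\n\n> original quoted text",
                     attachment="invoice_Q3.doc")
LEGIT = build_message("Bob <bob@partner.example>", "<root-1@example.com>",
                      "Looks good, thanks.\n\n> original quoted text")

if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("legit", LEGIT)):
        print(name, assess_reply(raw) or "no finding")
```

The check keys on the sender address rather than the display name because the lure keeps the real person's name ("Bob") while the address changes; the participant table is the piece a real deployment has to maintain from the mailbox's own sent and received history.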
While Emotet is an advanced trojan primarily seen to affect desktops, our data shows mobile users encountering phishing attacks at a rate of over 30% on their personal devices. This is particularly relevant in this case as phishing is the most common entry point for injecting malware into an environment.
It’s become more evident through our threat research that adversaries are extending their attacks to mobile. In many cases, desktop and mobile malware will have connections to the same command and control infrastructure. Cybercriminals are taking full advantage of this expanded attack surface.
Emotet is clever with a modular design, which is constantly updated to try and evade detection. This makes it extremely difficult to detect and fix but, as yet, it looks like it has only been created to hit Windows machines. That said, it is always worth remaining vigilant in case it is modified to attack other devices.
To remain protected, you have to be extra careful with attachments in your inbox. If you receive unsolicited Word, PDF, or other documents – no matter how harmless looking – you should be aware and act on the side of caution.