Following a period of dormancy between February 2020 and July 2020, the Emotet botnet sprang back to life and recommenced spam runs distributing the Emotet Trojan. Since August 2020, attacks on state and local governments have increased sharply, prompting the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) to issue a cybersecurity alert for all industry sectors.
The Emotet botnet resumed activity in July with a massive phishing campaign using messages with malicious Word attachments and hyperlinks. Since then, multiple spam runs have been conducted which typically consist of more than 500,000 emails. The Emotet Trojan is a dangerous banking Trojan which is used as a downloader of other types of malware, notably the TrickBot and Qbot Trojans. The secondary payloads in turn deliver other malware payloads, including Ryuk and Conti ransomware.
One infected device could easily result in further infections across the network. Emotet infects other devices in a worm-like fashion, creating multiple copies of itself which are written to shared drives. Emotet also brute forces credentials and distributes copies of itself via email. Emotet is capable of hijacking genuine email threads and inserting malicious files. Since the emails appear to have been sent by known contacts in response to previously sent messages, there is a higher probability of the email attachments being opened.
The Trojan is continuously evolving using dynamic link libraries and regularly has new capabilities added. The capabilities of the Trojan make it difficult to eliminate from networks. The Trojan can be removed from infected devices, but they can quickly be reinfected by other compromised devices on the network.
CISA and the Multi-State Information Sharing & Analysis Center (MS-ISAC) have been collecting data on Emotet attacks and Emotet loader downloads since botnet activity resumed in July. CISA’s EINSTEIN Intrusion Detection System, which protects federal civilian executive branch networks, has identified around 16,000 alerts about Emotet activity since July, including potentially targeted attacks on state and local governments. Compromises have also been reported in Canada, France, Italy, Japan, New Zealand, and the Netherlands.
CISA regards Emotet as one of the most prevalent ongoing threats, and its secondary malware payloads of TrickBot and Qbot are also significant threats, as are the ransomware payloads they deliver.
The phishing emails used to distribute the Emotet loader are diverse and change often. COVID-19-themed emails have been used this year along with many lures aimed at businesses. The email attachments are typically malicious Word documents, although password-protected zip files have also been used to evade anti-spam and anti-phishing solutions. The emails often claim that the attachments were created on a mobile device and require the user to enable content (and by doing so enable macros) to view the files.
To prevent Emotet malware attacks, CISA and MS-ISAC recommend adopting cybersecurity best practices, including applying protocols to block suspicious attachments, among them attachments that cannot be scanned by AV solutions, such as password-protected files. Antivirus software should be used on all devices and set to update automatically, suspicious IPs should be blocked, DMARC authentication and multi-factor authentication should be implemented, organizations should adhere to the principle of least privilege, and they should segment and segregate networks and disable file and printer sharing services (if possible).
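The attachment controls described in the two paragraphs above, as an added example that is not part of the article or of CISA's guidance: a small mail-gateway triage in Python that blocks macro-capable Office attachments (by extension, or by finding a `vbaProject.bin` part inside an Office Open XML package even when the file is named `.docx`) and quarantines ZIP archives whose entries are flagged as encrypted, since an AV gateway cannot open those. The sample message, its attachments and the `build_sample_message` helper are constructed here for the demonstration; the block/quarantine policy and the extension list are assumptions for illustration, not CISA's exact rule set.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions that declare macro capability (assumed policy list, not CISA's).
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".doc", ".xls"}


def _zip_has_encrypted_entry(data: bytes) -> bool:
    """True if any member of a ZIP has the 'encrypted' general-purpose bit (bit 0) set."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def _ooxml_has_vba(data: bytes) -> bool:
    """True if an Office Open XML package (itself a ZIP) embeds a VBA project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def classify_attachment(filename: str, data: bytes) -> str:
    """Return 'block', 'quarantine' or 'allow' for one attachment (assumed policy)."""
    name = filename.lower()
    ext = name[name.rfind("."):] if "." in name else ""
    if ext in MACRO_EXTENSIONS:
        return "block"            # extension alone declares macro capability
    if data[:2] == b"PK" and _ooxml_has_vba(data):
        return "block"            # e.g. a .docx that still carries word/vbaProject.bin
    if data[:2] == b"PK" and _zip_has_encrypted_entry(data):
        return "quarantine"       # cannot be scanned by AV: hold for human review
    return "allow"


def triage_message(raw: bytes) -> list:
    """Parse a raw RFC 5322 message and classify every attachment, in order."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    results = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or "unnamed"
        results.append((fname, classify_attachment(fname, part.get_payload(decode=True))))
    return results


def _build_zip(members: dict, mark_encrypted: bool = False) -> bytes:
    """Constructed sample: build a ZIP in memory, optionally flagging entries as encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        # Set bit 0 of the flags field in every local (offset 6) and central
        # directory (offset 8) header; zipfile reports this as flag_bits.
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(sig)
            while pos != -1:
                data[pos + off] |= 0x01
                pos = data.find(sig, pos + 4)
    return bytes(data)


def build_sample_message() -> bytes:
    """Constructed sample: a reply-style lure with three attachments of differing risk."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = "Re: invoice"
    msg.set_content("Please see attached; it was created on my mobile device, enable content to view.")
    macro_doc = _build_zip({
        "[Content_Types].xml": b"<Types/>",
        "word/document.xml": b"<w:document/>",
        "word/vbaProject.bin": b"\xd0\xcf\x11\xe0",   # placeholder VBA container bytes
    })
    msg.add_attachment(macro_doc, maintype="application",
                       subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                       filename="invoice.docx")
    locked_zip = _build_zip({"invoice.doc": b"placeholder"}, mark_encrypted=True)
    msg.add_attachment(locked_zip, maintype="application", subtype="zip", filename="invoice.zip")
    msg.add_attachment(b"%PDF-1.4 constructed sample", maintype="application",
                       subtype="pdf", filename="receipt.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for fname, verdict in triage_message(build_sample_message()):
        print(f"{fname}: {verdict}")
```

The macro check deliberately looks inside the package rather than trusting the extension, because a macro-bearing document renamed to `.docx` still opens in Word; the encrypted-ZIP check reads only the central directory, so it never extracts or executes anything from the archive.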
The full list of recommended mitigations is detailed in the CISA alert.