CISA Issues Warning About Increase in Emotet Malware Attacks

A warning has been issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) about a recent increase in Emotet malware attacks.

Emotet was first detected in 2014 and was initially developed to steal banking credentials, but it has seen considerable development over the past five years and is now is a highly sophisticated Trojan.

In addition to stealing banking credentials, Emotet can steal passwords stored in web browsers and the credentials files of external drives. Modules have been added that allow it to propagate via email and download other malware variants. The malware has been used to infect devices with cryptocurrency miners and cryptowallet stealers, the TrickBot banking Trojan, and Ryuk ransomware. These additional payloads are often downloaded weeks, months, or even years after the initial Emotet infection.

Emotet malware is primarily delivered via spam email. Initially, the malware was spread by JavaScript attachments; however, the threat actors behind the malware have now switched to Office documents with malicious macros that run PowerShell commands that download the malware. If the email attachment is opened and content is enabled, Emotet will be silently downloaded and executed. Spam emails containing hyperlinks to malicious websites have also been used to deliver the malware.

Emotet malware is persistent. It inserts itself into running processes and creates registry entries to ensure it is run each time the computer boots. Once a victim’s computer has been infected it is added to the Emotet botnet. The computer will then be used to distribute copies of Emotet to the victim’s contacts via email. According to SecureWorks, Emotet steals the first 8KB of all emails in the inbox. That data is used to craft new messages to contacts containing real message threads and replies are sent to unread messages in the inbox. This tactic increases the likelihood of the recipient opening the message and file attachment. Campaigns have also been detected using email attachments that imitate receipts, shipping notifications, invoices, and remittance notices.

In addition to propagation via email, Emotet enumerates network resources and writes itself to shared drives. It also brute forces domain credentials. If Emotet is detected on one computer, it is probable that several others are also infected. Removing Emotet can be problematic as cleaned devices are likely to be reinfected by other infected computers on the network.

The Emotet botnet was inactive for around 4 months from May 2019 but sprung back to life in September. Emotet activity suddenly stopped again in late December and remained quiet until January 13, 2020 when massive spamming campaigns resumed. Proofpoint detected one spam campaign targeting pharma companies that saw around 750,000 emails sent in a single day.

“If successful, an attacker could use an Emotet infection to obtain sensitive information. Such an attack could result in proprietary information and financial loss as well as disruption to operations and harm to reputation,” warns CISA in its January 22, 2020 alert.

CISA suggests the following steps should be taken to reduce the risk of an Emotet malware attack:

  • Block email attachments that are often associated with malware (.exe, .dll, .js etc.)
  • Block email attachments that cannot be scanned by anti-virus software (e.g. .zip, .rar files)
  • Implement Group Policy Object and firewall rules.
  • Ensure anti-virus software is installed on all endpoints
  • Ensure patches are applied promptly and a formalized patch management process is adopted
  • Implement filters at the email gateway
  • Block suspicious IP addresses at the firewall
  • Restrict the use of admin credentials and adhere to the principle of least privilege
  • Implement DMARC
  • Segment and segregate networks
  • Limit unnecessary lateral communications

Detailed CISA guidance on blocking Emotet and remediating attacks can be found on this link.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.