HC3 Warns Healthcare Sector About Growing Threat from Emotet Malware

The HHS’ Health Sector Cybersecurity Coordination Center (HC3) has issued a warning to the healthcare sector about the threat from Emotet malware. Emotet was first detected in 2014 and was initially a banking Trojan; however, the malware has been updated over the years and has had new features added. In addition to serving as a banking Trojan, the malware includes a dropper for delivering other malware variants and is offered to other cybercriminal groups under the infrastructure-as-a-service (IaaS) model. Emotet has been used to deliver a range of malware variants including IcedID, Trickbot, Qbot, Azorult, and ransomware payloads such as Ryuk and BitPaymer.

According to Europol, Emotet is the most dangerous malware variant and has infected one in five organizations worldwide. Data from Malwarebytes indicates 80% of malware infections at healthcare organizations involved Trojans, and Emotet was the most common Trojan deployed in attacks on the healthcare sector. Europol considers Emotet to be the most dangerous malware currently in use.

Emotet is operated by the MUMMY SPIDER threat group, which was targeted in an international law enforcement operation in late 2020. Multiple cybersecurity agencies from the U.S., Canada, and Europe successfully took down the Emotet infrastructure in January 2021 and removed the disabled malware from infected devices in April 2021.

While Emotet activity was stopped, it didn’t take long for MUMMY SPIDER to start rebuilding the botnet. In November 2021, security researchers started to identify new Emotet activity as the botnet started to be rebuilt. According to HC3, the new command-and-control infrastructure of Emotet now consists of 246 systems (and growing), and the malware has been updated and has an enhanced dropper and new loader. The number of infected devices has been growing at an incredible rate.

Emotet malware is primarily delivered via email, most commonly via malicious Office attachments or hyperlinks to compromised websites where the payload is downloaded. Emotet has also been overserved being delivered in brute force attacks and by exploiting known vulnerabilities. Proofpoint has reported that the tactics, techniques, and procedures (TTPs) have been updated and new methods of delivery are being trialed, including emails with hyperlinks to OneDrive. These new tactics are being trialed in small campaigns to test their effectiveness and could be adopted in much larger campaigns. Proofpoint also suggests the threat group may have changed tactics and could continue conducting more limited attacks on selected targets.

Emotet is capable of self-propagation, hijacks email threats, and inserts a copy of itself into the messages which are sent to contacts. This method of distribution has proven to be highly effective, as the messages distributing the malware come from known and trusted sources, which increases the likelihood of the attachments being opened. In January the malware was observed dropping Cobalt Strike onto infected systems.

The best approach to take to block attacks is to implement layered defenses. HC3 has provided an analysis of the malware and the TTPs known to be used for distributing the malware in the threat brief, and recommends consulting government resources and implementing the suggested mitigations.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.