CISA Gives a Warning on the Rise of Emotet Malware Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released an advisory on the recent increase in Emotet malware attacks.

Emotet was first discovered in 2014, when it was used to steal banking credentials. It has evolved substantially over the past five years and is now a highly sophisticated Trojan.

Beyond stealing banking details, Emotet can harvest usernames and passwords saved in web browsers and credential records on external drives. Modules were added that allow it to spread via email and to install other malware variants. The malware has been used to infect devices with cryptocurrency wallet stealers and cryptocurrency miners, the Ryuk ransomware and the TrickBot banking Trojan. These additional payloads are typically delivered weeks, months or even years after the initial Emotet infection.

Emotet is delivered mainly through spam email. Initially the malware was distributed via JavaScript attachments; the threat actors behind it then switched to Office documents containing malicious macros that run PowerShell commands to install the malware. Once the attachment is opened and content is enabled, Emotet is downloaded and executed silently. Spam emails containing hyperlinks to malicious web pages have also been used to deliver the malware.
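
The macro-to-PowerShell chain described above leaves a recognisable trace in process-creation telemetry: an Office application appears as the parent of a script host. The following detection logic is an added example, not code from the article or from CISA; it runs over constructed JSON-lines events (field names such as `image`, `parent_image` and `cmdline` are assumptions for this example, not a specific product's schema) and raises the severity when the command line also carries typical evasion switches.

```python
"""Detect an Office application spawning a script host (the macro-to-PowerShell
chain used by Emotet) in process-creation telemetry. All events are constructed."""
import json
import ntpath

# Parent processes that should never be launching script interpreters (assumed set).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Child images that indicate a macro handing off to a script host (assumed set).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed sample process-creation events, serialised as JSON lines the way a
# log shipper would forward them. Hosts, PIDs and command lines are invented.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"ts": "2020-01-13T09:14:02Z", "host": "WS01", "pid": 4120, "ppid": 3988,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "WINWORD.EXE /n Invoice_4471.doc"},
    {"ts": "2020-01-13T09:14:09Z", "host": "WS01", "pid": 4311, "ppid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "powershell -w hidden -enc PLACEHOLDER"},
    {"ts": "2020-01-13T09:20:41Z", "host": "WS02", "pid": 2200, "ppid": 1040,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "powershell Get-Process"},
    {"ts": "2020-01-13T09:22:15Z", "host": "WS03", "pid": 5120, "ppid": 5001,
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": "cmd /c powershell -nop -w hidden"},
]]


def suspicious_flags(cmdline):
    """Return the evasion-style PowerShell switches present in a command line."""
    tokens = cmdline.lower().split()
    flags = set()
    for i, tok in enumerate(tokens):
        if tok in ("-enc", "-encodedcommand", "-ec"):
            flags.add("encoded_command")
        elif tok in ("-nop", "-noprofile"):
            flags.add("no_profile")
        elif tok in ("-w", "-windowstyle") and i + 1 < len(tokens) and tokens[i + 1] == "hidden":
            flags.add("hidden_window")
    return sorted(flags)


def detect_office_script_spawns(lines):
    """Scan JSON-lines process events and return one finding per Office -> script-host spawn."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        # ntpath handles Windows-style paths regardless of the analysis host's OS.
        parent = ntpath.basename(ev.get("parent_image", "")).lower()
        child = ntpath.basename(ev.get("image", "")).lower()
        if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
            flags = suspicious_flags(ev.get("cmdline", ""))
            findings.append({
                "host": ev["host"], "pid": ev["pid"], "ts": ev["ts"],
                "parent": parent, "child": child, "flags": flags,
                # A script host under Office is always worth a look; evasion
                # switches on top of that make it high priority.
                "severity": "high" if flags else "medium",
            })
    return findings


if __name__ == "__main__":
    for f in detect_office_script_spawns(SAMPLE_EVENTS):
        print(f"{f['ts']} {f['host']} {f['parent']} -> {f['child']} "
              f"severity={f['severity']} flags={','.join(f['flags']) or '-'}")
```

The rule keys on the parent/child relationship rather than on the document name, so it also catches the Excel-to-cmd-to-PowerShell variant in the last event; the plain PowerShell launched from Explorer on WS02 is correctly left alone.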

Emotet injects itself into running processes and creates registry entries to ensure it runs every time the computer boots. Once a victim's computer is infected, it is added to the Emotet botnet and used to send copies of Emotet to the victim's contacts by email. According to SecureWorks, Emotet scrapes the first 8KB of every email message in the inbox and uses it to craft new messages to contacts that include genuine message threads, as well as replies to unread messages in the inbox. This technique increases the likelihood that the recipient will read the email and open the attachment. Campaigns have also been observed using email attachments disguised as receipts, shipping notifications, invoices and remittance notices.

In addition to spreading by email, Emotet enumerates network resources and installs itself on connected drives. It also brute forces domain credentials. When Emotet is found on one computer, it is likely that several others are also infected. Removing Emotet can be difficult, as cleaned systems can be reinfected by other infected computers on the network.
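
The credential brute forcing mentioned above shows up on the domain controller as a burst of failed logons from a single workstation, often across many different accounts. The detector below is an added example, not code from the article or from CISA; it uses a constructed `timestamp key=value` log format (the `result`, `user`, `src` and `target` fields are assumptions) and flags any source host that produces five or more failures inside a two-minute window.

```python
"""Flag hosts that generate bursts of failed domain logons, a pattern consistent
with Emotet's credential brute forcing. All log lines are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log lines (not from any real domain controller).
SAMPLE_AUTH_LOG = [
    "2020-01-13T10:00:01Z result=FAIL user=jsmith src=WS07 target=DC01",
    "2020-01-13T10:00:07Z result=FAIL user=mlee src=WS07 target=DC01",
    "2020-01-13T10:00:13Z result=FAIL user=abrown src=WS07 target=DC01",
    "2020-01-13T10:00:19Z result=FAIL user=ckim src=WS07 target=DC01",
    "2020-01-13T10:00:25Z result=FAIL user=dpatel src=WS07 target=DC01",
    "2020-01-13T10:00:31Z result=FAIL user=efox src=WS07 target=DC01",
    "2020-01-13T10:05:00Z result=FAIL user=rgreen src=WS02 target=DC01",
    "2020-01-13T10:05:20Z result=FAIL user=rgreen src=WS02 target=DC01",
    "2020-01-13T10:05:40Z result=OK user=rgreen src=WS02 target=DC01",
]


def parse_auth_line(line):
    """Parse one 'timestamp key=value ...' line into a dict with a datetime under 'ts'."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect_logon_bursts(lines, threshold=5, window=timedelta(minutes=2)):
    """Return one finding per source host that produced at least `threshold`
    failed logons within any interval of length `window`."""
    failures = defaultdict(list)
    for ev in map(parse_auth_line, lines):
        if ev["result"] == "FAIL":
            failures[ev["src"]].append((ev["ts"], ev["user"]))

    findings = []
    for src, events in failures.items():
        events.sort()
        j = 0
        # Sliding window: for each start index i, extend j while still inside the window.
        for i in range(len(events)):
            while j < len(events) and events[j][0] - events[i][0] <= window:
                j += 1
            burst = events[i:j]
            if len(burst) >= threshold:
                findings.append({
                    "src": src,
                    "failures": len(burst),
                    # Many distinct users from one host points at spraying rather
                    # than a single user mistyping a password.
                    "distinct_users": len({user for _, user in burst}),
                    "start": burst[0][0].isoformat(),
                    "end": burst[-1][0].isoformat(),
                })
                break  # one finding per host is enough to trigger triage
    return findings


if __name__ == "__main__":
    for f in detect_logon_bursts(SAMPLE_AUTH_LOG):
        print(f"{f['src']}: {f['failures']} failed logons for {f['distinct_users']} "
              f"accounts between {f['start']} and {f['end']}")
```

The two failures from WS02 followed by a success are the normal mistyped-password case and are not reported; WS07, which fails against six different accounts in thirty seconds, is. Tune `threshold` and `window` to the baseline of the environment before deploying the rule.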

The Emotet botnet was inactive from May 2019 until it resumed activity in September. Emotet activity abruptly stopped again in late December and remained quiet until January 13, 2020, when large spamming campaigns resumed. Proofpoint identified one spam campaign targeting pharmaceutical vendors in which 750,000 email messages were received in a single day.

Threat actors can use an Emotet infection to obtain sensitive data. Such an attack may result in the loss of proprietary information, financial losses, disruption to business operations and reputational damage.

CISA recommends the following measures to reduce the risk of an Emotet malware attack:

  • Block email attachments commonly associated with malware (.exe, .js, .dll, etc.)
  • Use Group Policy Objects and firewall rules
  • Block email attachments that cannot be scanned by anti-virus software, such as .zip and .rar archives
  • Ensure anti-virus software is installed on all endpoints
  • Use filters at the email gateway
  • Apply patches promptly and adopt a formal patch management process
  • Use a firewall to block suspicious IP addresses
  • Segment and segregate networks
  • Limit the use of administrator credentials and follow the principle of least privilege
  • Implement DMARC
  • Restrict unnecessary lateral communications
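
Two of the recommendations above, blocking attachment types associated with malware and blocking archives that cannot be scanned, can be enforced as a policy check at the email gateway. The following is an added example, not code from the article or from CISA: it parses a raw MIME message with Python's standard `email` package and classifies each attachment. The extension sets extend the article's `.exe`, `.js`, `.dll`, `.zip` and `.rar` with further script and macro-enabled Office extensions; those additions, and the sample message, are this example's own assumptions.

```python
"""Email-gateway attachment policy check: parse a raw MIME message and decide,
per attachment, whether it should be blocked. The sample message is constructed."""
import email
from email import policy
from email.message import EmailMessage

# Extensions from the article plus common script types (the extras are an assumption).
BLOCKED_EXECUTABLE = {".exe", ".js", ".dll", ".vbs", ".jse", ".scr", ".hta", ".ps1"}
# Archives the gateway's anti-virus cannot inspect (article lists .zip and .rar).
BLOCKED_ARCHIVE = {".zip", ".rar", ".7z"}
# Macro-enabled Office formats, the delivery vehicle the article describes (assumed set).
MACRO_ENABLED = {".docm", ".xlsm", ".pptm"}


def build_sample_message():
    """Construct a multipart message with a mix of benign and blocked attachments."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "finance@example.invalid"
    msg["Subject"] = "Re: Remittance advice"
    msg.set_content("Please see the attached documents.")
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                       filename="invoice.pdf.exe")          # disguised executable
    msg.add_attachment(b"PK\x03\x04", maintype="application", subtype="zip",
                       filename="report.zip")               # unscannable archive
    msg.add_attachment("meeting notes", subtype="plain",
                       filename="notes.txt")                # harmless text
    msg.add_attachment(b"PK\x03\x04", maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="Remittance.docm")          # macro-enabled document
    return msg.as_bytes()


def classify_filename(name):
    """Return (verdict, reason) for an attachment name, checking every extension
    in the name so that double extensions like invoice.pdf.exe are caught."""
    parts = name.strip().lower().split(".")
    exts = ["." + p for p in parts[1:]]
    if not exts:
        return "block", "no extension; cannot determine type"
    final = exts[-1]
    if final in BLOCKED_EXECUTABLE:
        return "block", f"executable or script type {final}"
    if final in BLOCKED_ARCHIVE:
        return "block", f"archive {final} cannot be scanned"
    if final in MACRO_ENABLED:
        return "block", f"macro-enabled Office document {final}"
    hidden = [e for e in exts[:-1] if e in BLOCKED_EXECUTABLE | BLOCKED_ARCHIVE | MACRO_ENABLED]
    if hidden:
        return "block", f"blocked type {hidden[0]} hidden by double extension"
    return "allow", "extension not on the block list"


def classify_attachments(raw_message):
    """Parse a raw RFC 5322 message and classify each attachment it carries."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        verdict, reason = classify_filename(name)
        results.append({"filename": name, "verdict": verdict, "reason": reason,
                        "content_type": part.get_content_type()})
    return results


if __name__ == "__main__":
    for r in classify_attachments(build_sample_message()):
        print(f"{r['verdict']:5}  {r['filename']:20}  {r['reason']}")
```

The decision is made on the declared filename alone, which is what the article's recommendations address; a production gateway would also inspect the content (the `MZ` and `PK` magic bytes in the sample) so that a renamed executable cannot slip through as `.txt`.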

Detailed CISA guidance on blocking Emotet and mitigating attacks is available here.