After a period of dormancy from February 2020 to July 2020, the Emotet botnet is back and has resumed spam runs that deliver the Emotet Trojan. Since August 2020, attacks on state and local governments have increased, prompting the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) to issue a cybersecurity alert for all industry sectors.
The Emotet botnet resumed activity in July with a large phishing campaign whose messages carried malicious Word attachments and URLs. Since then, several spam runs have been conducted, typically involving more than 500,000 emails each. Emotet began as a banking Trojan and is now used primarily as a downloader for other malware, most notably the Qbot and TrickBot Trojans. Those secondary payloads in turn deliver further malware, such as Ryuk and Conti ransomware.
A single infected device can quickly lead to further infections across the network. Emotet spreads to other devices in a worm-like manner, writing copies of itself to shared drives. It also brute-forces credentials and mails copies of itself to new victims. Emotet can hijack genuine email threads and insert malicious attachments into them; because these messages appear to come from known contacts replying to earlier emails, recipients are far more likely to open the attachments.
The Trojan is constantly evolving: it is modular, built from dynamic link libraries, and regularly gains new capabilities. Those capabilities make it hard to eradicate. The Trojan can be removed from an infected host, but that host can easily be reinfected by other compromised devices on the same network, so all infected hosts need to be isolated and cleaned together.
The Multi-State Information Sharing & Analysis Center (MS-ISAC) and CISA had been tracking Emotet attacks and loader downloads when botnet activity resumed in July. CISA's EINSTEIN intrusion detection system, which protects federal civilian executive branch networks, recorded roughly 16,000 alerts related to Emotet activity since July, including potentially targeted Emotet attacks on state and local governments. Compromises were also reported in Italy, France, Canada, Japan, the Netherlands and New Zealand.
CISA regards Emotet as one of the most prevalent ongoing threats. The secondary TrickBot and Qbot payloads are significant threats in their own right, as are the ransomware payloads they deliver.
The phishing emails used to distribute the Emotet loader vary and change frequently. COVID-19 themed messages were used this year, alongside numerous business-oriented lures. The attachments are typically malicious Word documents, although password-protected ZIP archives have also been used to evade anti-spam and anti-phishing tools, since a filter cannot open an encrypted archive to inspect its contents. The messages usually claim that the attachment was created on a mobile device and instruct the user to click "Enable Content" (thereby enabling macros) in order to view the file.
To defend against Emotet, MS-ISAC and CISA recommend cybersecurity best practices such as:
- blocking suspicious attachments and any attachment that AV solutions cannot inspect, for instance password-protected archives and documents
- running antivirus software on all devices and configuring it to update automatically
- blocklisting known-malicious IP addresses
- using DMARC email authentication and multi-factor authentication
- following the principle of least privilege, segmenting and isolating networks, and disabling file and printer sharing services where possible
The complete list of suggested mitigations is given in the CISA advisory.
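The following attachment triage is an added example written for this page; it is not code from the CISA/MS-ISAC advisory or from any vendor product. It shows how a mail gateway can act on two of the Emotet delivery tricks described above: a ZIP archive whose entries carry the encryption flag (which a scanner cannot open, so the advisory says to block it) and an Office document that embeds a VBA project (the "Enable Content" lure). The function names (`triage`, `is_encrypted_zip`, `has_vba_macros`), the verdict labels, the extension lists and the in-memory sample files are all assumptions constructed here so the script runs offline.

```python
"""Mail-gateway attachment triage for the Emotet lures described above.

Added example, not from the CISA/MS-ISAC advisory. Verdict names, the
extension lists and the in-memory sample files are assumptions.
"""
import io
import os
import struct
import zipfile

OOXML_EXTENSIONS = {".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".pptm"}
LEGACY_OFFICE_EXTENSIONS = {".doc", ".xls", ".ppt"}


def is_encrypted_zip(data: bytes) -> bool:
    """True if any entry has general-purpose flag bit 0 (encrypted) set.

    infolist() only parses the central directory, so this works without the
    password; actually reading an encrypted member would raise RuntimeError."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def has_vba_macros(data: bytes) -> bool:
    """True for a zip-based (OOXML) Office file that carries a VBA project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage(filename: str, data: bytes, depth: int = 0):
    """Return (verdict, reason); verdict is 'allow', 'quarantine' or 'block'."""
    ext = os.path.splitext(filename.lower())[1]
    if ext == ".zip":
        if is_encrypted_zip(data):
            return ("block", "password-protected archive cannot be scanned")
        if depth >= 2:
            return ("quarantine", "archive nested too deeply to inspect")
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():          # inspect every member
                    verdict = triage(info.filename, zf.read(info), depth + 1)
                    if verdict[0] != "allow":
                        return verdict
        except zipfile.BadZipFile:
            return ("quarantine", "malformed archive")
        return ("allow", "archive members inspected")
    if ext in OOXML_EXTENSIONS and has_vba_macros(data):
        return ("quarantine", "Office document embeds VBA macros")
    if ext in LEGACY_OFFICE_EXTENSIONS:
        return ("quarantine", "legacy binary Office file, detonate in sandbox")
    return ("allow", "no indicator matched")


# ---- constructed samples (not real malware) ---------------------------------
def make_zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def mark_encrypted(data: bytes) -> bytes:
    """Set flag bit 0 on every entry by walking the central directory.

    zipfile cannot write password-protected archives, so the sample is faked
    this way: the members are not really encrypted, but the flag is what a
    scanner sees and acts on."""
    buf = bytearray(data)
    eocd = buf.rfind(b"PK\x05\x06")
    pos = struct.unpack_from("<I", buf, eocd + 16)[0]      # central dir offset
    while buf[pos:pos + 4] == b"PK\x01\x02":
        buf[pos + 8] |= 0x01                                # central-dir flags
        local = struct.unpack_from("<I", buf, pos + 42)[0]  # local header offset
        buf[local + 6] |= 0x01                              # local header flags
        n, m, k = struct.unpack_from("<HHH", buf, pos + 28) # name/extra/comment
        pos += 46 + n + m + k
    return bytes(buf)


BENIGN_DOCX = make_zip({"[Content_Types].xml": b"<Types/>",
                        "word/document.xml": b"<w:document/>"})
MACRO_DOCM = make_zip({"[Content_Types].xml": b"<Types/>",
                       "word/document.xml": b"<w:document/>",
                       "word/vbaProject.bin": b"\xd0\xcf\x11\xe0placeholder"})
PLAIN_ZIP = make_zip({"invoice.docm": MACRO_DOCM})
ENCRYPTED_ZIP = mark_encrypted(make_zip({"invoice.docm": MACRO_DOCM}))

if __name__ == "__main__":
    for name, blob in [("invoice.docx", BENIGN_DOCX), ("invoice.docm", MACRO_DOCM),
                       ("invoice.zip", PLAIN_ZIP), ("invoice.zip", ENCRYPTED_ZIP)]:
        print(name, *triage(name, blob))
```

The encrypted archive is blocked without any attempt to guess the password, which is exactly the advisory's point: if AV cannot open it, do not let the user open it either. Macro-bearing OOXML files and legacy binary Office files go to quarantine for sandbox detonation rather than an outright block, a policy choice assumed here; the nesting limit keeps a zip-in-a-zip from being used to exhaust the filter.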