CISA Warns About Increasing Emotet Malware Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently issued a warning about an increase in Emotet malware attacks.

Emotet was first detected in 2014 and was initially used to steal banking credentials. It has developed considerably over the past five years and is now a very sophisticated Trojan.

Besides stealing banking information, Emotet can steal passwords stored in web browsers and the credentials files of external drives. Modules have been added that enable it to propagate via email and download other malware variants. The malware has been used to infect devices with crypto wallet stealers and cryptocurrency miners, the TrickBot banking Trojan, and Ryuk ransomware. These other payloads are usually downloaded weeks, months, or even years after the initial Emotet infection.

Emotet malware is mainly delivered via spam email. At first, the malware was distributed through JavaScript attachments; however, the threat actors behind the malware switched to Office documents containing malicious macros that use PowerShell commands to download the malware. When the email attachment is opened and content is enabled, Emotet is downloaded and executed silently. Spam emails containing hyperlinks to malicious sites have also been used to install the malware.

Emotet malware achieves persistence by inserting itself into running processes and creating registry entries so that it runs every time the computer boots. Once a victim's computer is infected, it is added to the Emotet botnet. The computer is then used to send copies of Emotet to the victim's contacts via email. As per SecureWorks, Emotet takes the first 8KB of all emails in the inbox and uses it to create new messages to contacts containing real message threads, and replies to unread messages in the inbox. This strategy increases the likelihood that the recipient will open the message and file attachment. Campaigns were also detected using email attachments that mimic receipts, shipping notices, invoices, and remittance notices.

Besides propagating through email, Emotet enumerates network resources and writes itself to networked drives. It also brute forces domain credentials. If Emotet is found on one computer, it is probable that many others are also infected. Removing Emotet can be problematic, as cleaned devices can be reinfected by other infected computers on the network.

The Emotet botnet had been inactive since May 2019 but reactivated in September. Emotet activity suddenly stopped once more in late December and stayed quiet until January 13, 2020, when substantial spamming campaigns began again. Proofpoint discovered one spam campaign targeting pharma firms in which 750,000 emails were sent in a day.

An attacker could successfully use an Emotet infection to acquire sensitive information. Such an attack can cause the loss of proprietary information and financial trouble, along with disruption to operations and damage to reputation.

CISA recommends taking the following action steps to minimize the danger of an Emotet malware attack:

  • Block email attachments that are frequently linked to malware (.exe, .dll, .js, etc.)
  • Block email attachments that cannot be scanned by anti-virus software (e.g., .zip and .rar files)
  • Apply Group Policy Object and firewall policies
  • Make sure to install anti-virus software on all endpoints
  • Make sure to apply patches promptly and adopt a formalized patch management process
  • Apply filters at the email gateway
  • Use a firewall to block suspicious IP addresses
  • Minimize the use of admin credentials and follow the principle of least privilege
  • Use DMARC
  • Segment and isolate networks
  • Restrict unneeded lateral communications
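
The two attachment-blocking recommendations above can be expressed as a small gateway-side check. The following is an added example, not code from CISA or from the original article: the function names and extension sets are assumptions, and quarantining macro-capable Office formats is a choice made for this example because the article names such documents as the delivery method.

```python
from email import message_from_string, policy
from email.message import EmailMessage

# Extension sets are assumptions for this example, built from the list above.
BLOCK_MALWARE = {".exe", ".dll", ".js"}                 # frequently linked to malware
BLOCK_UNSCANNABLE = {".zip", ".rar"}                    # cannot be scanned by anti-virus
QUARANTINE_MACRO = {".doc", ".docm", ".xls", ".xlsm"}   # may carry macros (assumption)
RANK = {"allow": 0, "quarantine": 1, "block": 2}

def classify_attachment(filename):
    """Return a verdict for one attachment, judged on its final extension."""
    # Windows drops trailing dots and spaces, so "a.exe. " lands on disk as a.exe.
    name = filename.strip().lower().rstrip(". ")
    ext = "." + name.rpartition(".")[2] if "." in name else ""
    if ext in BLOCK_MALWARE or ext in BLOCK_UNSCANNABLE:
        return "block"
    if ext in QUARANTINE_MACRO:
        return "quarantine"
    return "allow"

def scan_message(raw):
    """Return (message verdict, {filename: verdict}) for a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    found = {}
    for part in msg.walk():              # walk() also reaches nested MIME parts
        name = part.get_filename()       # handles RFC 2231 encoded file names
        if name:
            found[name] = classify_attachment(name)
    worst = max(found.values(), key=RANK.get, default="allow")
    return worst, found

def build_sample(filenames):
    """Constructed test message; subject, body and payload bytes are placeholders."""
    msg = EmailMessage()
    msg["Subject"] = "RE: remittance notice"
    msg.set_content("Constructed sample body.")
    for name in filenames:
        msg.add_attachment(b"constructed", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_string()

if __name__ == "__main__":
    for names in (["Invoice_0113.DOC"], ["receipt.pdf.js", "notes.txt"], ["photo.png"]):
        print(names, "->", scan_message(build_sample(names)))
```

Judging on the final extension catches double-extension names such as receipt.pdf.js, and the message verdict is the most severe verdict among its attachments.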

Complete CISA guidance on stopping Emotet and protecting against attacks is available on this link.