HC3 Cautions Healthcare Industry Concerning Increasing Threat from Emotet Malware

The HHS’ Health Sector Cybersecurity Coordination Center (HC3) has released an alert to the healthcare industry concerning the risk from Emotet malware. Emotet was initially discovered in 2014 and was originally a banking Trojan; nonetheless, the malware is now updated and includes new features. Besides working as a banking Trojan, the malware has a dropper for sending other variants of malware and is provided to other cybercriminal organizations as an infrastructure-as-a-service (IaaS) model. Attackers use Emotet to send a selection of malware variants such as IcedID, Qbot, Trickbot, Azorult, and ransomware payloads like BitPaymer and Ryuk.

As per Europol, Emotet is the most threatening malware variant worldwide infecting one in five companies. Information from Malwarebytes shows that 80% of malware attacks at healthcare companies used Trojans, most commonly Emotet. Europol thinks that Emotet is the most harmful malware used today.

In late 2020, an international law enforcement operation targeted the MUMMY SPIDER threat group, which operates Emotet. Several cybersecurity organizations from Canada, the U.S., and Europe were successful in taking down the Emotet infrastructure in January 2021 and eradicating the disabled malware from affected systems in April 2021.

Although Emotet activity was halted, not long after the MUMMY SPIDER started restoring the botnet. Last November 2021, security experts identified new Emotet activity when the botnet was being rebuilt. As per HC3, the current command-and-control infrastructure of Emotet contains 246 systems (and increasing), and the updated malware has an improved dropper and different loader. The number of attacked devices is increasing at an unbelievable rate.

Emotet malware is mostly transported via email, in most cases through malicious Office attachments or links that go to unsecure websites where the payload is downloaded. Sometimes, Emotet is also delivered through brute force attacks and when exploiting vulnerabilities. According to Proofpoint, the tactics, techniques, and procedures (TTPs) were updated and new means of delivery are being tested, such as emails with links to OneDrive. These new strategies are being tested in small campaigns to check their success and may be used in bigger campaigns. Proofpoint additionally states that the threat group could have altered tactics and may keep on doing more restricted attacks on chosen targets.

Emotet can hijack email threats, self-propagate, and inserts a duplicate of itself into the emails that are mailed to contacts. This means of distribution is very useful, as the emails circulating the malware are from popular and trustworthy sources, which raises the odds of the attachments being viewed. In January, malware was discovered distributing Cobalt Strike onto attacked systems.

The best strategy to block attacks is to employ layered protection. HC3 has given an evaluation of the malware and the TTPs being used for sending the malware in the threat alert. There are also recommended consulting government resources and proposed mitigations.