SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Emotet malware is on a rampage after months of silence
Thu, 10th Sep 2020

CERT agencies around the world are reporting a surge in cyber attacks related to the Emotet malware, which is being distributed by email.

According to CERT NZ, the emails contain links and attachments that are disguised as documents such as invoices, shipping information, CVs, financial documents, or scanned documents.

“Emotet is designed to steal login credentials for email accounts configured on infected systems. The compromised credentials are subsequently passed to spam bots which send out large numbers of spam emails to further spread the malware.

“They may steal information that's in your mailbox, and use it to send emails from somewhere else. For example, they may use the content of an existing email conversation as a pretext to make the email look legitimate.”

The Emotet malware was first discovered in 2014. It operates as a trojan that often deploys other malware like Trickbot and Qbot, both of which are also banking trojans. The trojans can then deploy payloads such as ransomware on a network.

Several cybersecurity firms, including Darktrace, noted the return of the Emotet malware after five months of silence.

In 2018 the United States CERT published an alert saying that Emotet infections had cost local governments up to US$1 million to remediate.

ESET cybersecurity specialist Jake Moore says, “Emotet uses the classic technique of enticing targets to click on attachments that can have damaging consequences, which just reinforces the message to think before you click.

“The simple fact is that attachment-based malware still works on organisations today and campaigns such as Emotet will continue to spread and have influxes such as this latest spike until targeted users are more cautious.”

CERT NZ recommends that people disable macros in Microsoft Office and only run macros that are trusted or digitally signed. People should also ensure that their antivirus is up to date.

Other actions for businesses include restricting PowerShell to executing scripts that are signed, setting up web and mail filters to block known Emotet documents and command-and-control addresses, using application whitelisting, and applying the principle of least privilege.

Individuals and businesses that have been compromised by Emotet should disconnect the infected device from all networks. They should then check for any other potentially infected devices.

From there, people should re-image and patch their computers, change all passwords (with particular focus on local and domain admin passwords), and let every contact know that they should not open attachments in emails appearing to come from the person associated with the infected device.

Users should then check their antivirus solutions, as well as mail and web filtering solutions. It is also wise to regularly back up systems.

Additional steps for businesses include enabling PowerShell command logging to detect infected computers, and applying network segmentation to minimise the effects on wider IT networks.
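
The PowerShell and macro recommendations above (signed scripts only, command logging, signed macros only) map to registry policy values that can be audited on a Windows host. The script below is an added example, not code from CERT NZ or this article; it assumes Windows PowerShell 5.1 and Office 2016 or later (the `16.0` policy hive), and the `-Apply` switch is the script's own.

```powershell
# Added example: audit (and with -Apply, set) three settings CERT NZ recommends.
# Assumptions: Windows PowerShell 5.1; Office 2016+ (policy hive "16.0").
param([switch]$Apply)   # -Apply needs an elevated session for the HKLM values

$psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$settings = @(
    # Script block logging: executed commands are written to the
    # Microsoft-Windows-PowerShell/Operational log as event ID 4104.
    @{ Path = "$psPolicy\ScriptBlockLogging"; Name = 'EnableScriptBlockLogging'; Want = 1 }
    # "Turn on Script Execution" policy: only signed scripts may run.
    @{ Path = $psPolicy; Name = 'EnableScripts';   Want = 1 }
    @{ Path = $psPolicy; Name = 'ExecutionPolicy'; Want = 'AllSigned' }
)
# Office macros: VBAWarnings = 3 disables all macros except digitally signed ones.
foreach ($app in 'Word', 'Excel') {
    $settings += @{ Path = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
                    Name = 'VBAWarnings'; Want = 3 }
}

$report = foreach ($s in $settings) {
    # Read the current value; a missing key or value yields $null.
    $item    = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
    $current = $item.($s.Name)

    if ($Apply -and $current -ne $s.Want) {
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        $type = if ($s.Want -is [int]) { 'DWord' } else { 'String' }
        New-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Want `
            -PropertyType $type -Force | Out-Null
        $current = $s.Want
    }

    [pscustomobject]@{
        Setting   = "$($s.Path)\$($s.Name)"
        Current   = if ($null -eq $current) { '<not set>' } else { $current }
        Wanted    = $s.Want
        Compliant = ($current -eq $s.Want)
    }
}
$report | Format-Table -AutoSize -Wrap
```

The `HKCU` macro values cover only the current user, so in a domain these settings are normally deployed through Group Policy rather than per machine.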