AskCyberSecurity.com
Cyber Security News & Information


DHS Warns of Increased Emotet Malware Attacks

2020-01-27 by Michelle Dvorak

CISA Warning Emotet Malware

Emotet Malware is Attacking Private Businesses and Small Governmental Organizations Costing Businesses Millions to Recover

Increased Emotet Malware Activity

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) warns of a recent increase in targeted Emotet malware attacks on public and private sector organizations. The warning, Alert (TA18-201A), concerns Emotet malware, which is also among the most destructive malware infecting state, local, tribal, and territorial (SLTT) governments. Attacks have cost up to $1 million USD to remediate.

Emotet’s primary threat is that it acts as a carrier, or dropper, for additional banking Trojan malware. If a user believes they are infected with malware, they should run an antivirus scan on the affected computer or network and isolate the infected devices.

How Does Emotet Malware Infect an IT System?

Emotet malware is a banking Trojan. It spreads primarily via malicious email attachments. Once inside a network, the malware attempts to expand its infection by brute-forcing user credentials and by writing itself to shared drives. Victims are tricked into opening an email attachment, which initiates a malware download. A dropper like Emotet can then download additional malware onto the victim’s computer. Emotet spreads quickly through an organization’s IT systems, resulting in a rapid network-wide infection.

Emotet malware is among the most costly and destructive malware currently attacking state, local, tribal, and territorial governments as well as businesses in the private and public sectors. Some Emotet malware attacks have cost SLTT governments up to $1 million per incident to remediate.

What is Malware?

Malware is any unwanted file or computer code. It may include adware that pops up annoying advertisements or malicious programming that steals money or locks up a computer network and holds it for ransom. Malware includes computer viruses, worms, adware, spyware, and ransomware.

A malware infection is often initiated with a malicious email that tricks a recipient into clicking on a link or downloading a malicious file.

Emotet Malware Description

Emotet can evade typical signature-based detection by virus scanners. It has several methods for maintaining persistence, including auto-start registry keys and services. It uses modular Dynamic Link Libraries (DLLs) to continuously evolve its capabilities. Emotet is Virtual Machine-aware and can generate false indicators if run in a virtual environment.

How is Emotet Spread?

Emotet is disseminated through malspam, that is, emails carrying malicious attachments or phishing links. Like all email cyber attacks, the emails use names and content that are familiar to the target. Recent campaigns impersonate PayPal receipts, shipping notifications, or “past-due” invoices purportedly from MS-ISAC.

Initial Emotet infection occurs when a victim opens a malicious email attachment or clicks the malicious download link. The attachment files are PDFs or weaponized, macro-enabled Microsoft Word documents. Once downloaded, Emotet attempts to propagate across the local IT network using spreader modules: NetPass.exe, WebBrowserPassView, Mail PassView, an Outlook scraper, and a credential enumerator.

Impact of Emotet Malware Infection

  • Loss of sensitive data
  • Disruption of normal operations
  • Monetary losses due to inability to conduct business
  • Costs to restore IT systems and files

The Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) and CISA recommend that administrators follow best practices to stop or limit malware attacks.

  • Control client-to-client SMB communication. Create a Group Policy Object that restricts inbound SMB connections to clients when those connections originate from other clients
  • Use antivirus programs with automatic updates
  • Apply appropriate security patches and updates as they become available
  • Filter emails at the email gateway with known malspam markers such as known malicious subject lines
  • Block suspicious IP addresses at the firewall
  • Request that all suspicious emails received by employees be forwarded to the IT department
  • Mark emails from external senders to alert employees that the email originates from outside the organization
  • Block file attachments that are associated with malware, such as .dll and .exe files
  • Block email attachments that cannot be scanned by antivirus software (e.g. .zip files)
  • Grant users the minimum level of access required to accomplish their job
  • Implement Domain-Based Message Authentication, Reporting & Conformance (DMARC)
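The email-gateway controls in the list above (external-sender tagging, blocking executable and unscannable attachments, filtering on known malspam subject themes), combined into one triage function, as an added example that is not part of the CISA alert or this article. The organisation domain, the extension lists, the subject markers and the sample messages are all constructed for the example:

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed policy values (constructed for this example, not taken from the advisory).
ORG_DOMAINS = {"example.com"}                        # the organisation's own mail domains
BLOCKED_EXT = {".exe", ".dll"}                       # executable types the advisory says to block
UNSCANNABLE_EXT = {".zip", ".7z", ".rar"}            # archives the gateway AV cannot inspect
MACRO_EXT = {".doc", ".docm", ".dotm", ".xlsm"}      # macro-capable Office formats used as Emotet lures
SUBJECT_MARKERS = ("past-due", "past due", "shipping notification", "paypal receipt")

def attachment_ext(part) -> str:
    name = (part.get_filename() or "").lower()
    return name[name.rfind("."):] if "." in name else ""

def triage(raw: bytes) -> dict:
    """Decide deliver / quarantine / block for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(msg["From"] or "")[1].lower()
    external = sender.rpartition("@")[2] not in ORG_DOMAINS
    subject = msg["Subject"] or ""
    reasons, action = [], "deliver"
    for part in msg.iter_attachments():
        ext = attachment_ext(part)
        if ext in BLOCKED_EXT:
            reasons.append(f"blocked executable attachment {part.get_filename()}")
        elif ext in UNSCANNABLE_EXT:
            reasons.append(f"unscannable archive attachment {part.get_filename()}")
        elif ext in MACRO_EXT:
            reasons.append(f"macro-capable Office attachment {part.get_filename()}")
    if reasons:
        action = "block"
    elif external and any(m in subject.lower() for m in SUBJECT_MARKERS):
        action = "quarantine"
        reasons.append("external sender with known malspam subject theme")
    if external and not subject.startswith("[EXTERNAL]"):
        subject = "[EXTERNAL] " + subject   # warn the recipient that the mail came from outside
    return {"action": action, "external": external, "subject": subject, "reasons": reasons}

def build_sample(sender: str, subject: str, attachment: str = "") -> bytes:
    """Construct a sample message (test data, not a real capture)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "staff@example.com", subject
    m.set_content("Please see the attached document.")
    if attachment:
        m.add_attachment(b"\x00placeholder", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_bytes()
```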

CISA Recommends Following Best Practices To Defend Against Emotet Malware

  • Educate employees on how social engineering and phishing attacks work
  • Train employees not to open emails with suspicious subject lines or preheaders
  • Train employees not to click links in suspicious emails. Users should hover over a link with their mouse (without clicking) to verify the destination link. If the link is shortened, users should forward the email to their IT department for mitigation
  • Employees should be instructed to never give usernames, passwords, or personal information in emails or during unsolicited phone calls

If a user or organization believes they may be infected, NCCIC and MS-ISAC recommend running an antivirus scan on the IT system and taking action to isolate the infected machines. If multiple workstations are infected, the following actions are recommended:

  • Identify, shutdown, and take the infected machines off the network
  • Take the network offline to stop the spread of the malware
  • Identify the infection source
  • Do not log in to infected systems using domain or shared local administrator accounts
  • Reimage the infected machine(s)
  • Move clean systems to a network that is segregated from the infected network
  • Require password resets for all credentials
  • Review the log files and the Outlook mailbox rules (like auto-forward all emails) for the infected user account to stop further compromises
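The mailbox-rule review in the last step above, as an added example that is not from the alert or this article: it checks a set of inbox rules for the patterns a compromised account is typically left with (forwarding to an outside address, silent deletion, moving mail into rarely viewed folders, or a rule with no conditions at all). The organisation domain and the rule records are constructed, modelled loosely on an Exchange inbox-rule export:

```python
# Assumed organisation domain and folder names (constructed for this example).
ORG_DOMAINS = {"example.com"}
SUSPICIOUS_FOLDERS = {"rss subscriptions", "conversation history", "junk email", "deleted items"}

def is_external(address: str) -> bool:
    return address.rpartition("@")[2].lower() not in ORG_DOMAINS

def audit_rules(rules: list) -> list:
    """Return (rule name, finding) pairs for enabled rules that hide or exfiltrate mail."""
    findings = []
    for r in rules:
        if not r.get("Enabled", True):
            continue                      # disabled rules do nothing; still worth a manual look
        targets = r.get("ForwardTo", []) + r.get("RedirectTo", []) + r.get("ForwardAsAttachmentTo", [])
        ext = [t for t in targets if is_external(t)]
        if ext:
            findings.append((r["Name"], f"forwards mail to external address {', '.join(ext)}"))
        if r.get("DeleteMessage"):
            findings.append((r["Name"], "silently deletes incoming mail"))
        if (r.get("MoveToFolder") or "").lower() in SUSPICIOUS_FOLDERS:
            findings.append((r["Name"], f"moves mail into rarely viewed folder {r['MoveToFolder']}"))
        if not r.get("Conditions") and targets:
            findings.append((r["Name"], "forwards every message (rule has no conditions)"))
    return findings

# Constructed sample export; the single-character rule name is a common concealment pattern.
SAMPLE_RULES = [
    {"Name": "Finance filter", "Enabled": True,
     "Conditions": {"SubjectContainsWords": ["invoice"]}, "MoveToFolder": "Finance"},
    {"Name": ".", "Enabled": True, "Conditions": {},
     "ForwardTo": ["archive-7f2@mailbox.example.net"], "DeleteMessage": True},
    {"Name": "Old rule", "Enabled": False, "ForwardTo": ["someone@example.net"]},
]

if __name__ == "__main__":
    for name, finding in audit_rules(SAMPLE_RULES):
        print(f"rule {name!r}: {finding}")
```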

Review the following resources for information about defending against malware, including Emotet:

  • CISA Alert Emotet Malware
  • Australian Cyber Security Centre (ACSC) Advisory Emotet Malware Campaign
  • CISA Tip Protecting Against Malicious Code

Filed Under: News Tagged With: Emotet

About Michelle Dvorak

Michelle writes about cyber security and data privacy, focusing on social media privacy as well as how to protect your IoT devices. She has worked in internet technology for over 20 years and owns METRONY, LLC. Michelle earned a B.S. in Engineering from Rensselaer Polytechnic Institute. Michelle published a guide to Cyber Security for Business Travelers.

Copyright © 2023 · AskCyberSecurity.com · METRONY, LLC