DHS Warns of Increased Emotet Malware Attacks

CISA Warning Emotet Malware

Emotet Malware is Attacking Private Businesses and Small Governmental Organizations Costing Businesses Millions to Recover

Increased Emotet Malware Activity

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) warns of a recent increase in targeted Emotet malware attacks on public and private sector businesses. The warning, Alert (TA18-201A), involves Emotet Malware which is also a top destructive malware infecting state, local, tribal, and territorial (SLTT) governments. Attacks have cost up to $1 million USD to remediate.

Emotet’s primary threat is that it is a carrier or dropper for more banking Trojan malware. If a user believes they are infected with malware run an antivirus scan on the infected computer or network and isolate the infected devices.

How Does Emotet Malware Infect an IT System?

Emotet malware is a banking Trojan. It spreads primarily via malicious email attachments. The malware attempts to expand its infection within an IT network by brute force attacks on user credentials and by writing to shared drives. Victims are tricked into clicking on an email attachment which initiates a malware download. A malware dropper like Emotet can download even more malware to a victim computer. Emotet spreads quickly through an organization’s IT system resulting in a rapid network-wide infection.

Emotet malware is among the most costly and destructive malwares currently attacking state, local, tribal, and territorial governments as well as businesses in the private and public sectors. Some Emotet malware attacks have cost SLTT governments up to $1 million per incident to remediate.

What is Malware?

Malware is any unwanted file or computer code. It may include adware that pops up annoying advertisements or malicious programming that steals money or locks up a computer network and holds it for ransom. Malware includes computer viruses, worms, adware, spyware, and ransomware.
A malware infection is often initiated with a malicious email that ricks a recipient into clicking on a link or downloading a malicious file.

Emotet Malware Description

Emotet can evade typical signature-based detection by virus scanners. It has several methods for maintaining persistence, including auto-start registry keys and services. It uses modular Dynamic Link Libraries (DLLs) to continuously evolve its capabilities. Emotet is Virtual Machine-aware and can generate false indicators if run in a virtual environment.

How is Emotet Spread?

Emotet is disseminated through malspam which are emails with malicious attachments or phishing links. Like all email cyber attacks, the emails use names and content that are familiar to the target. Recent campaigns impersonate PayPal receipts, shipping notifications, or “past-due” invoices purportedly from MS-ISAC.
Initial Emotet infection occurs when a victim opens a malicious email attachment or clicks the malicious download link. The attachment files are PDF or weaponized, macro-enabled Microsoft Word documents. Once downloaded, Emotet attempts to propagate the local IT networks using spreader modules: NetPass.exe, WebBrowserPassView, Mail PassView, Outlook scraper, and a credential enumerator.

Impact of Emotet Malware Infection

  • Loss of sensitive data
  • Disruption of normal operations
  • Monetary losses due to inability to conduct business
  • Costs to restore IT systems and files

The Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) and CISA recommend that administrators follow best practices to stop or limit malware attacks.

  • Control client-to-client SMB communication. Create a Group Policy Object that restricts inbound SMB connections to clients originating from clients
  • Use antivirus programs with automatic updates
  • Apply appropriate security patches and updates as they become available
  • Filter emails at the email gateway with known malspam markers such as known malicious subject lines
  • Block suspicious IP addresses at the firewall
  • Request that all suspicious emails received by employees be forwarded to the IT department
  • Mark emails from external senders to alert employees that the email originates from outside the organization
  • Block file attachments that are associated with malware, such as .dll and .exe files
  • Block email attachments that cannot be scanned by antivirus software (e.g. .zip files)
  • Grant users the minimum level of access required to accomplish their job
  • Implement Domain-Based Message Authentication, Reporting & Conformance (DMARC)

CISA Recommends Follow Best Practices To Defend Against Emotent Malware

  • Educate employees on how social engineering and phishing attacks work
  • Train employees not to open emails with suspicious subject lines or preheaders
  • Train employees not to click links in suspicious emails. Users should hover over a link with their mouse (without clicking) to verify the destination link. If the link is shortened, users should forward the email to their IT department for mitigation
  • Employees should be instructed to never give usernames, passwords, or personal information in emails or during unsolicited phone calls

If a user or organization believes they may be infected, NCCIC and MS-ISAC recommend running an antivirus scan on the IT system and taking action to isolate the infected machines. If multiple workstations are infected, the following actions are recommended:

  • Identify, shutdown, and take the infected machines off the network
  • Take the network offline to stop the spread of the malware
  • Identify the infection source
  • Do not log in to infected systems using domain or shared local administrator accounts
  • Reimage the infected machine(s)
  • Move clean systems to a network that is segregated from the infected network
  • Require password resets for all credentials
  • Review the log files and the Outlook mailbox rules (like auto-forward all emails) for the infected user account to stop further compromises

Review the following resources for information about defending against malware including Emotent

Michelle - Profile Photo

Michelle writes about cyber security, data privacy focusing on social media privacy as well as how to protect your IoT devices. She She has worked in internet technology for over 20 years and owns METRONY, LLC. Michelle earned a B.S. in Engineering from Rensselaer Polytechnic Institute. Michelle published a guide to Cyber Security for Business Travelers