
Emotet malware is on a rampage after months of silence

10 Sep 2020

CERT agencies around the world are reporting a surge in cyber attacks related to the Emotet malware, which is being distributed by email.

According to CERT NZ, the emails contain links and attachments that are disguised as documents such as invoices, shipping information, CVs, financial documents, or scanned documents.

“Emotet is designed to steal login credentials for email accounts configured on infected systems. The compromised credentials are subsequently passed to spam bots which send out large numbers of spam emails to further spread the malware.”

“They may steal information that’s in your mailbox, and use it to send emails from somewhere else. For example, they may use the content of an existing email conversation as a pretext to make the email look legitimate.”

The Emotet malware was first discovered in 2014. It operates as a trojan that often deploys other malware such as Trickbot and Qbot, both of which are also banking trojans. Those trojans can in turn deploy payloads such as ransomware across a network.

Several cybersecurity firms, including Darktrace, noted the return of the Emotet malware after five months of silence.

In 2018 the United States CERT published an alert saying that the Emotet malware had cost local governments up to US$1 million to remediate after being infected.

ESET cybersecurity specialist Jake Moore says, “Emotet uses the classic technique of enticing targets to click on attachments that can have damaging consequences, which just reinforces the message to think before you click.”

“The simple fact is that attachment-based malware still works on organisations today and campaigns such as Emotet will continue to spread and have influxes such as this latest spike until targeted users are more cautious.”

CERT NZ recommends that people disable macros in Microsoft Office and only run macros that are trusted or digitally signed. People should also ensure that their antivirus is up to date.

Other actions for businesses include restricting PowerShell to executing scripts that are signed, setting up web and mail filters to block known Emotet documents and command and control addresses, application whitelisting, and applying the principle of least privilege.

Individuals and businesses that have been compromised by Emotet should disconnect the infected device from all networks. They should then check for any other potentially infected devices.

From there, people should re-image and patch their computers, change all passwords (with particular focus on local and domain admin passwords), and let every contact know that they should not open attachments in emails appearing to come from the person associated with the infected device.

Users should then check their antivirus solutions, as well as mail and web filtering solutions. It is also wise to regularly back up systems.

Additional steps for businesses include enabling PowerShell command logging to detect infected computers, and applying network segmentation to minimise the effects on wider IT networks.
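The three host-level controls above (signed-only PowerShell scripts, PowerShell command logging, and macro restriction) can be applied together from an elevated PowerShell session. The script below is an added example, not CERT NZ's or the article's own material; it assumes Office 2016/365 (registry version "16.0") for the macro policy keys, and the Test-EmotetHardening function name is the example's own.

```powershell
# Added example: apply the hardening steps listed in the article on a Windows host.
# Run elevated. Assumes Office 2016/365 ("16.0") policy paths for the macro setting.
$ErrorActionPreference = 'Stop'

function Set-PolicyValue {
    param([string]$Path, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# 1. Only allow digitally signed PowerShell scripts to run machine-wide.
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force

# 2. Script block and module logging: decoded command content is written to the
#    Microsoft-Windows-PowerShell/Operational log (event ID 4104), which is what a
#    SOC reviews to find hosts that have run a malicious downloader.
$psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
Set-PolicyValue "$psPolicy\ScriptBlockLogging" 'EnableScriptBlockLogging' 1
Set-PolicyValue "$psPolicy\ModuleLogging" 'EnableModuleLogging' 1
Set-PolicyValue "$psPolicy\ModuleLogging\ModuleNames" '*' '*' 'String'

# 3. Office macros: VBAWarnings 3 = disable all macros except digitally signed ones.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    Set-PolicyValue "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security" 'VBAWarnings' 3
}

# 4. Verify the settings took effect and that 4104 events are being produced.
function Test-EmotetHardening {
    $ok = (Get-ExecutionPolicy -Scope LocalMachine) -eq 'AllSigned'
    $ok = $ok -and (Get-ItemPropertyValue "$psPolicy\ScriptBlockLogging" 'EnableScriptBlockLogging') -eq 1
    $recent = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
                           -MaxEvents 5 -ErrorAction SilentlyContinue
    [pscustomobject]@{ Hardened = $ok; RecentScriptBlocks = @($recent).Count }
}

Test-EmotetHardening
```

The macro key is written under HKCU, so it applies to the current user only; in a domain the same values are normally pushed via Group Policy instead.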
