DHS CISA Warns of Resurgence of Emotet Trojan Malware Cyberattacks

October 06, 2020 - The Department of Homeland Security Cybersecurity and Infrastructure Security Agency released an alert for all sectors, warning of a resurgence in sophisticated cyberattacks leveraging the notorious Emotet trojan malware variant. 

Drafted in partnership with the Multi-State Information Sharing and Analysis Center (MS-ISAC), CISA warns the sophisticated trojan resumed targeted attacks beginning in July. At that time, Proofpoint and Malwarebytes warned Emotet hackers resurfaced after a five-month hiatus with a massive phishing campaign. The threat had not been observed since February. 

Emotet is an advanced trojan that typically functions as a downloader of other malware and is spread through malicious phishing email attachments. Once a user clicks the link, the Emotet payload is launched. 

What’s concerning is that the variant will attempt to proliferate across the network by brute forcing user credentials and writing the malware to shared drives. The worm-like nature makes the variant difficult to defend against, as Emotet enables network-wide infections. 

Further, using Dynamic Link Libraries, the trojan is continuously evolving and updating its capabilities. 

READ MORE: DHS CISA Alerts to Rise in Credential Theft-Focused LokiBot Malware

Since August, CISA and MS-ISAC observed a significant uptick in Emotet cyberattacks targeting both state and local governments with phishing campaigns. Researchers have also detected an increase in Emotet-associated indicators. In total, CISA detected about 16,000 alerts tied to Emotet on federal, civilian executive branch networks. 

“CISA observed Emotet being executed in phases during possible targeted campaigns,” officials explained. “Possible command and control network traffic involved HTTPPOST requests to Uniform Resource Identifiers consisting of nonsensical random length alphabetical directories to known Emotet-related domains or IPs with the following user agent string.”  

"Traffic to known Emotet-related domains or IPs occurred most commonly over ports 80, 8080, and 443,” they continued. “In one instance, traffic from an Emotet-related IP attempted to connect to a suspected compromised site over port 445, possibly indicating the use of Server Message Block exploitation frameworks along with Emotet.” 

Since August, there’s been a 1,000 percent increase in Emotet loader downloads. However, CISA explained that “antivirus software firms adjusted their detection heuristics to compensate, leading to decreases in observed loader downloads.” 

What’s more, researchers have detected minimal changes to the malware’s tactics and tools used in previous attacks. The significant changes included pairing Emotet with the delivery of Qbot as the primary payload and the module for Emotet mail sending is now able to deliver benign and malicious attachments. 

READ MORE: COVID-19 PPE Phishing Campaign Delivers Agent Tesla RAT Malware

The increase in attacks include compromises in Canada, France, Japan, New Zealand, Italy, and the Netherlands. Researchers also detected Emotet attacks that also dropped Trickbot to deliver ransomware payloads onto some victim networks, as well as Qakbot trojans to steal banking credentials and other sensitive data. 

“Microsoft identified a pivot in tactics from the Emotet campaign. The new tactics include attaching password-protected archive files (e.g., Zip files) to emails to bypass email security gateways,” officials wrote. “These email messages purport to deliver documents created on mobile devices to lure targeted users into enabling macros to “view” the documents—an action which actually enables the delivery of malware.” 

“Palo Alto Networks reported cyber actors using thread hijacking to spread Emotet. This attack technique involves stealing an existing email chain from an infected host to reply to the chain—using a spoofed identity—and attaching a malicious document to trick recipients into opening the file,” they added. 

CISA and MS-ISAC officials are urging both government agencies and private sector organizations to apply recommended mitigation techniques to strengthen their cybersecurity posture. Those recommendations included blocking email attachments commonly tied to malware, such as .dll and .exe, as well as email attachments that can’t be scanned by antivirus software. 

Administrators should implement group policy object and firewall rules, along with an antivirus program and a formalized patch management process. Filters must be implemented at the email gateway, which should include blocking suspicious IP addresses at the firewall. 

As recommended in previous alerts, organizations should employ the principle of least privilege, segment and segregate networks and functions, limit unnecessary lateral communications, and disable file and printer sharing services. If required, those endpoints should employ strong passwords or Active DIrectory authentication. And again, multi-factor authentication should always be enforced.