CISA Warns of Emotet Attacks Against Government AgenciesBotnet Called 'One of the Most Prevalent Ongoing Threats'
The Cybersecurity and Infrastructure Security Agency is warning about a recent spike in Emotet botnet attacks - designed to spread other malware - that are targeting state and local government agencies.
Since July, Einstein, the Department of Homeland Security's intrusion detection system that monitors federal civilian networks, has detected approximately 16,000 alerts related to the Emotet botnet, according to CISA.
After a monthslong hiatus, the Emotet botnet returned in July with a large-scale phishing and spam campaign designed to infect vulnerable devices and spread other malware, including banking Trojans designed to steal users' credentials (see: Update: Emotet Botnet Delivering Qbot Banking Trojan).
Since that time, cybersecurity agencies in Canada, France, Japan, New Zealand, Italy and the Netherlands have all reported spikes in Emotet-related activity. These include attempts to deliver Qbot banking malware as well as TrickBot, another type of Trojan that works in conjunction with the Ryuk ransomware variant, CISA notes (see: Emotet, Ryuk, TrickBot: 'Loader-Ransomware-Banker Trifecta').
"Emotet - a sophisticated Trojan commonly functioning as a downloader or dropper of other malware - resurged in July after a dormant period that began in February," according to CISA's warning issued Tuesday. "Since August, CISA and MS-ISAC [Multi-State Information Sharing & Analysis Center] have seen a significant increase in malicious cyber actors targeting state and local governments with Emotet phishing emails. This increase has rendered Emotet one of the most prevalent ongoing threats."
CISA had previously called Emotet one of the most dangerous malware variants that it tracks (see: Emotet Malware Alert Sounded by US Cybersecurity Agency).
A Long History
Emotet first appeared as a banking Trojan in 2014. Over the years, its operators, which security firm Proofpoint identified as a group known as TA542, have adjusted the code. The malware now primarily works as a botnet and "dropper" delivering Trojans and other malicious code to infected devices, according to security researchers.
Emotet typically spreads through phishing emails or spam that contain malicious Microsoft Word attachments or URL links. Once clicked, the payload is launched and the malware then attempts to proliferate within a network by brute-forcing user credentials and writing itself to shared drives, CISA and security researchers note.
"Emotet is difficult to combat because of its 'worm-like' features that enable networkwide infections," according to CISA. "Emotet uses modular Dynamic Link Libraries to continuously evolve and update its capabilities."
The CISA alert also notes that, since September, the operators behind Emotet have changed some of their tactics to better deliver the malicious payload to vulnerable devices. For instance, Microsoft notes that spam and phishing emails now come with zip files that are designed to bypass security filters and get victims to click.
"These email messages purport to deliver documents created on mobile devices to lure targeted users into enabling macros to 'view' the documents - an action which actually enables the delivery of malware," CISA notes.
Palo Alto Networks' Unit 42 also noted that malicious messages containing the Emotet malware are now appearing in email threads that threat operators have hijacked. This is designed to confuse victims and get them to click on a link or open an attachment that appears to come from a familiar source, according to CISA.
Earlier this month, Proofpoint security researchers spotted Emotet spoofing messages from the Democratic National Committee in an effort to get victims to click on an attached document that contains the malware (see: Fresh Wave of Phishing Emails Use Election as a Lure).
Over the years, security researchers have noticed that Emotet has repeatedly re-emerged after periods of inactivity. Emotet came back to life in September 2019 and continued to send out malicious spam and phishing emails until it went quiet again in February before kicking back into gear in July (see: Researchers: Emotet Botnet Is Active Again).
To mitigate the risks posed by Emotet, CISA recommends basic security steps, including:
- Block email attachments commonly associated with malware, such as DLL and EXE;
- Block email attachments, such as zip files, that cannot be scanned by antivirus software;
- Implement filters at the email gateway, and block suspicious IP addresses at the firewall;
- Implement the Domain-Based Message Authentication, Reporting and Conformance, or DMARC, validation system for emails;
- Enforce multifactor authentication.