Access Management , Cybercrime , Fraud Management & Cybercrime

CISA Warns of Emotet Attacks Against Government Agencies

Botnet Called 'One of the Most Prevalent Ongoing Threats'
CISA Warns of Emotet Attacks Against Government Agencies

The Cybersecurity and Infrastructure Security Agency is warning about a recent spike in Emotet botnet attacks - designed to spread other malware - that are targeting state and local government agencies.

See Also: Live Webinar | Taking the Challenges Out of Identity Security

Since July, Einstein, the Department of Homeland Security's intrusion detection system that monitors federal civilian networks, has detected approximately 16,000 alerts related to the Emotet botnet, according to CISA.

After a monthslong hiatus, the Emotet botnet returned in July with a large-scale phishing and spam campaign designed to infect vulnerable devices and spread other malware, including banking Trojans designed to steal users' credentials (see: Update: Emotet Botnet Delivering Qbot Banking Trojan).

Since that time, cybersecurity agencies in Canada, France, Japan, New Zealand, Italy and the Netherlands have all reported spikes in Emotet-related activity. These include attempts to deliver Qbot banking malware as well as TrickBot, another type of Trojan that works in conjunction with the Ryuk ransomware variant, CISA notes (see: Emotet, Ryuk, TrickBot: 'Loader-Ransomware-Banker Trifecta').

"Emotet - a sophisticated Trojan commonly functioning as a downloader or dropper of other malware - resurged in July after a dormant period that began in February," according to CISA's warning issued Tuesday. "Since August, CISA and MS-ISAC [Multi-State Information Sharing & Analysis Center] have seen a significant increase in malicious cyber actors targeting state and local governments with Emotet phishing emails. This increase has rendered Emotet one of the most prevalent ongoing threats."

CISA had previously called Emotet one of the most dangerous malware variants that it tracks (see: Emotet Malware Alert Sounded by US Cybersecurity Agency).

A Long History

Emotet first appeared as a banking Trojan in 2014. Over the years, its operators, which security firm Proofpoint identified as a group known as TA542, have adjusted the code. The malware now primarily works as a botnet and "dropper" delivering Trojans and other malicious code to infected devices, according to security researchers.

Emotet typically spreads through phishing emails or spam that contain malicious Microsoft Word attachments or URL links. Once clicked, the payload is launched and the malware then attempts to proliferate within a network by brute-forcing user credentials and writing itself to shared drives, CISA and security researchers note.

"Emotet is difficult to combat because of its 'worm-like' features that enable networkwide infections," according to CISA. "Emotet uses modular Dynamic Link Libraries to continuously evolve and update its capabilities."

The CISA alert also notes that, since September, the operators behind Emotet have changed some of their tactics to better deliver the malicious payload to vulnerable devices. For instance, Microsoft notes that spam and phishing emails now come with zip files that are designed to bypass security filters and get victims to click.

"These email messages purport to deliver documents created on mobile devices to lure targeted users into enabling macros to 'view' the documents - an action which actually enables the delivery of malware," CISA notes.

Palo Alto Networks' Unit 42 also noted that malicious messages containing the Emotet malware are now appearing in email threads that threat operators have hijacked. This is designed to confuse victims and get them to click on a link or open an attachment that appears to come from a familiar source, according to CISA.

Earlier this month, Proofpoint security researchers spotted Emotet spoofing messages from the Democratic National Committee in an effort to get victims to click on an attached document that contains the malware (see: Fresh Wave of Phishing Emails Use Election as a Lure).

Over the years, security researchers have noticed that Emotet has repeatedly re-emerged after periods of inactivity. Emotet came back to life in September 2019 and continued to send out malicious spam and phishing emails until it went quiet again in February before kicking back into gear in July (see: Researchers: Emotet Botnet Is Active Again).

Risk Mitigation

To mitigate the risks posed by Emotet, CISA recommends basic security steps, including:

  • Block email attachments commonly associated with malware, such as DLL and EXE;
  • Block email attachments, such as zip files, that cannot be scanned by antivirus software;
  • Implement filters at the email gateway, and block suspicious IP addresses at the firewall;
  • Implement the Domain-Based Message Authentication, Reporting and Conformance, or DMARC, validation system for emails;
  • Enforce multifactor authentication.

About the Author

Prajeet Nair

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.