A dramatic uptick in Emotet phishing attacks since July has led the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to issue a warning that state and local governments need to fortify their systems against the trojan.
“This increase has rendered Emotet one of the most prevalent ongoing threats,” the CISA alert, issued Tuesday, read.
The alarm comes at a time when municipalities are already strained, juggling the concurrent crises of the COVID-19 pandemic, widespread social unrest and a caustic election season. Emotet, which can load other malware and self-propagate, is the last thing they need.
“Emotet is one of the reasons why you should never click on links in emails you don’t recognize,” Bryan Becker, product manager at WhiteHat Security, told Threatpost. “Among other things, Emotet turns your computer into a ‘bot’ or ‘zombie’ that can be controlled by the hacker group to perform other crimes — without your OS or anti-malware noticing – one of which is sending more spam emails infecting more people with Emotet.”
Since July, CISA’s executive branch security protection tool, the EINSTEIN Intrusion Detection System, has found more than 16,000 instances of Emotet activity. These attacks are being executed in phases, indicating “possible targeted campaigns,” according to CISA, using tainted .doc Word files to deliver the malware.
CISA also said that Emotet-related domains and IPs seemed to be the most common on ports 80, 8080 and 443.
“In one instance, traffic from an Emotet-related IP attempted to connect to a suspected compromised site over port 445, possibly indicating the use of Server Message Block [SMB] exploitation frameworks along with Emotet,” the CISA report added.
That attack-volume data tracks with what’s being observed across the rest of the world. According to Check Point, the Emotet trojan tops its index of the most potent threats in circulation for the third consecutive month: It impacted 14 percent of organizations globally, followed by Trickbot at 4 percent and Dridex at 3 percent.
CISA Tracks the Threat
Starting last February, CISA said cybercriminals were targeting foreign countries using COVID-19 phishing emails to deliver malware. By July, researchers saw those emails and Emotet URLs being targeted against U.S. business, once again using COVID-19 communications for cover.
In August, CISA saw a 1,000-percent spike in Emotet loader downloads, and the attacks started to include state and local governments. By September, Canada, France, Japan, New Zealand, Italy and the Netherlands had seen breaches by Emotet, which then dropped Trickbot to deliver ransomware, and Qakbot trojans to steal banking information and other sensitive data.
Researchers also have noticed that Emotet has picked up a couple of new tricks over the course of the year. First, Emotet’s attachments started to include password-protected archive files to bypass email security gateways. Soon after, Palo Alto Networks reported to CISA that researchers are now seeing instances of “thread jacking” — that is, intercepting an existing email chain via an infected host and simply replying with an attachment to deliver the malware to an unsuspecting recipient.
And the threat isn’t limited to desktop computers. Steve Banda, senior manager of security solutions at Lookout, told Threatpost Emotet has gone mobile this year.
“While the Emotet is an advanced trojan primarily seen to affect desktops, our data shows mobile users encountering phishing attacks at a rate of over 30 percent on their personal devices,” Banda said. “It’s become more evident through our threat research that adversaries are extending their attacks to mobile. In many cases, desktop and mobile malware will have connections to the same command-and-control infrastructure. Cybercriminals are taking full advantage of this expanded attack surface.”
Local municipalities, from tribal and territorial governments to state authorities, as well as private businesses, are being encouraged by CISA to review existing security protocols and make necessary updates to prepare for the next Emotet phishing attempt.
Emotet, an Evolving Threat
Emotet was first detected in 2014 as a threat targeted at banks. But it has continued to evolve into something much more widespread and sophisticated, with the ability to deliver a range of secondary malware to compromised systems. In late 2019 it re-emerged with new social-engineering tools and the novel ability to customize phishing emails with messages tied to recent holidays, headlines and happenings. This version of Emotet also added an export function.
In February, the trojan got a code makeover and gained the ability to spread over Wi-Fi Networks.
But later that same month, researcher James Quinn with Binary Defense won a brief victory over Emotet, when he was able to exploit a vulnerability and develop a killswitch, shutting the malware down until early August, Threatpost reported. There’s also an anonymous vigilante combating Emotet by replacing payloads with memes and GIFs.
Despite those, and other, efforts, Emotet continues to proliferate. In fact, earlier in October it was spotted hitting hundreds of U.S. organizations with emails purporting to come from the Democratic National Committee, in a new politically charged spear-phishing attack.
“It’s mature, having been around in various forms since 2014, but it is always mutating and continues to evade detection by antivirus (AV),” Mark Kedgley, CTO at New Net Technologies, told Threatpost. “It has strong downloader capabilities, so it’s a carrier or conduit for other hacking tools and malware, such as credential-theft or ransomware. And it has worm capabilities too, designed to spread the malware laterally within a network once it has breached defenses, usually via phishing.”
The key for local governments trying to protect their systems, Kedgley said, is to understand the nature of the threat.
“Because of the polymorphic nature of Emotet, AV and other signature-based detection technologies will not be effective,” he said. “Therefore, the best action is to harden the infrastructure and reduce functionality used to infect systems, and also to leverage breach-detection capabilities…which will place a trojan like this right in the cross-hairs.”
CISA also offered mitigation best practices like blocking email attachments associated with malware, blocking attachments which can’t be scanned by antivirus software, using multifactor authentication and restricting browser access to risky sites.
On October 14 at 2 PM ET Get the latest information on the rising threats to retail e-commerce security and how to stop them. Register today for this FREE Threatpost webinar, “Retail Security: Magecart and the Rise of e-Commerce Threats.” Magecart and other threat actors are riding the rising wave of online retail usage and racking up big numbers of consumer victims. Find out how websites can avoid becoming the next compromise as we go into the holiday season. Join us Wednesday, Oct. 14, 2-3 PM ET for this LIVE webinar.