U.N. Weathers Storm of Emotet-TrickBot Malware

united nations cyberattack

A concerted, targeted phishing campaign took aim at 600 different staffers and officials, using Norway as a lure.

The operators behind the notorious Emotet malware have taken aim at United Nations personnel in a targeted attack ultimately bent on delivering the TrickBot trojan.

According to researchers at Confense, a concerted phishing campaign has been using emails purporting to be from the Permanent Mission of Norway, which maintains the Scandinavian country’s diplomatic presence in New York. The emails were sent to 600 staffers and officials across the U.N., claiming that there was a problem with a supposed “signed agreement” attached to the mails. The endgame however was to steal login credentials.

According to a report confirmed by Threatpost with Cofense, if a victim opened the document, a pop-up warning appeared saying, “document only available for desktop or laptop versions of Microsoft Office Word.” Users were then prompted to click a button to “enable content,” which, if clicked, actually enabled malicious Word macros. In turn, these downloaded and installed Emotet, which would then run in the background.

Emotet started life as a banking trojan in 2014 and has continually evolved to become a full-service threat-delivery mechanism. It can install a collection of malware on victim machines, including information stealers, email harvesters, self-propagation mechanisms and ransomware. In the case of the U.N. attacks, Emotet was seen attempting to send out spam emails to additional victims and download second-stage malicious payloads, including the TrickBot trojan, which can harvest various passwords and credentials from infected machines.

According to eSentire’s Annual Threat Intelligence Report, released this week, Emotet accounted for almost a fifth (20 percent) of confirmed malware incidents in 2019, making it the most-observed threat in eSentire’s telemetry both on networks and on endpoints – despite a midyear hiatus when the malware’s command-and-control servers (C2s) were dormant. Emotet was recently also spotted in a phishing campaign that used Swedish activist Greta Thunberg’s nomination as Time’s Person of the Year as a lure.

“The latest cyberattack against users affiliated with the United Nations demonstrates how a convincing phishing email can be an extremely effective attack vector – especially among high value/high ranking targets, in this case UN delegates instead of corporate executives,” Alexander García-Tobar, CEO and co-founder at Valimail, said in an email. “Because these attacks differ from the normal Emotet spam campaigns (usually they are fake accounting reports, delivery notices and invoices), we know that the bad actors are specifically tailoring their approach based on other knowledge or data they’ve acquired. This is an extremely common tactic in today’s threat landscape, and cybercriminals are leveraging swaths of information to launch highly convincing impersonation-based attacks.”

When it comes to the second-stage payload of the attacks, TrickBot was developed in 2016 as a banking malware; but since then, it has developed into an all-purpose, module-based crimeware solution. It was recently spotted using a new custom backdoor called PowerTrick. It has also been linked to the Ryuk ransomware, though so far there has been no evidence that Ryuk has entered the U.N.’s networks.

That doesn’t however mean that any victims (Cofense didn’t clarify how many infections resulted from the attacks) are out of the woods.

“Anecdotally, we have found several cases of surprisingly large organizations with valuable data and critical infrastructure with little more than an antivirus program running on their endpoints prior to our engagement,” said Keegan Keplinger, research lead at eSentire, in a statement. “Even complete network coverage can miss something as straightforward as an attacker returning to an organization with successfully phished credentials. These organizations appear to underestimate the sophistication of modern cybercriminals, as well as the value the data holds to them.”

Concerned about mobile security? Check out our free Threatpost webinar, Top 8 Best Practices for Mobile App Security, on Jan. 22 at 2 p.m. ET. Poorly secured apps can lead to malware, data breaches and legal/regulatory trouble. Join our experts from Secureworks and White Ops to discuss the secrets of building a secure mobile strategy, one app at a time. Click here to register.

Suggested articles