CISA Announces: "Emotet Malware Activity Is Increasing"

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday warned that it has seen a surge in targeted attacks using a sophisticated strain of malware called Emotet. Emotet is a banking Trojan that started out stealing information from individuals, such as credit card details. It has been around since 2014 and has evolved tremendously over the years, becoming a major threat that infiltrates corporate networks and spreads other strains of malware, including Trickbot and various strains of ransomware.

One of its main additional functionalities is acting as a dropper (also known as a downloader), which lets it install additional malicious code on the endpoints it has infected; it can also scrape victims' PCs for contact information. In addition, other attackers have increasingly rented Emotet botnets to install other malware.

For example, one Emotet module gives attackers the ability to grab the first 8 KB of every email in a victim's email inbox and send it back to the botnet's command-and-control server, according to security firm Secureworks. Attackers then use the stolen data to craft socially engineered spam. "Emotet's reuse of stolen email content is extremely effective," according to security firm Cisco Talos.

"The Cybersecurity and Infrastructure Security Agency is aware of a recent increase in targeted Emotet malware attacks," its Emotet alert reads. "Emotet is a sophisticated Trojan that commonly functions as a downloader or dropper of other malware. Emotet primarily spreads via malicious email attachments and attempts to proliferate within a network by brute-forcing user credentials and writing to shared drives. If successful, an attacker could use an Emotet infection to obtain sensitive information. Such an attack could result in proprietary information and financial loss as well as disruption to operations and harm to reputation." The alert also states: "Emotet continues to be among the most costly and destructive malware affecting state, local, tribal, and territorial governments, and the private and public sectors." Emotet infections have cost those SLTT governments up to $1 million per incident to remediate.

8 Essential Defenses

As a first step for guarding against Emotet, CISA recommends all organizations put in place these defenses:

1. Secure: Use anti-virus software and have a formal patch management program in place;
2. Block: Block email attachments commonly associated with malware (such as .dll and .exe files) and any attachments that cannot be scanned by anti-virus software (such as .zip files);
3. Manage: Implement Active Directory Group Policy Object and firewall rules;
4. Filter: Implement filters at the email gateway, and block suspicious IP addresses at the firewall;
5. Restrict: "Adhere to the principle of least privilege," CISA says, adding that "it is essential that privileged accounts are not used to log in to compromised systems during remediation as this may accelerate the spread of the malware";
6. Authenticate: Implement DMARC, an email validation system designed to protect organizations from spoofing;
7. Segment: Segment and segregate networks and functions;
8. Restrict: Block unnecessary, lateral communications in networks.
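The "Block" recommendation above is easy to state and easy to get wrong: an extension denylist alone misses an executable renamed to .txt, and a .zip that the gateway cannot open is exactly the "cannot be scanned" case CISA calls out. The following is an added illustration, not code from CISA or from this article, of how an email gateway attachment policy can be written to handle those cases. It goes a little beyond the two file types the alert names by also denylisting a few commonly abused script extensions (that wider list, the `check_attachment` and `Verdict` names, and all sample attachments are this example's own constructions). Python's standard `zipfile` cannot write encrypted archives, so the sample "locked" ZIP is produced by patching the encryption flag bit in the headers of a plain one.

```python
"""Added example: a small email-gateway attachment policy modelled on the
"Block" recommendation. Not part of the CISA alert or the article above.
All file names and contents are constructed sample data."""
import io
import zipfile
from dataclasses import dataclass

# .dll/.exe are named in the alert; the script/shortcut types added here are
# this example's own assumption about commonly abused attachment types.
BLOCKED_EXTENSIONS = {".exe", ".dll", ".scr", ".js", ".vbs", ".ps1", ".hta"}
# Archive types the gateway knows how to open and inspect.
INSPECTABLE_ARCHIVES = {".zip"}
PE_MAGIC = b"MZ"  # DOS header that starts every Windows .exe/.dll


@dataclass
class Verdict:
    allowed: bool
    reason: str


def _extension(name: str) -> str:
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def _looks_like_pe(data: bytes) -> bool:
    """Content check: catches executables renamed to .txt, .pdf, etc."""
    return data[:2] == PE_MAGIC


def check_attachment(name: str, data: bytes, depth: int = 0) -> Verdict:
    """Decide whether one attachment may pass the gateway, and why."""
    ext = _extension(name)
    if ext in BLOCKED_EXTENSIONS:
        return Verdict(False, f"blocked extension {ext}")
    if _looks_like_pe(data):
        return Verdict(False, "PE executable disguised under another extension")
    if ext in INSPECTABLE_ARCHIVES:
        return _check_zip(name, data, depth)
    return Verdict(True, "no policy match")


def _check_zip(name: str, data: bytes, depth: int) -> Verdict:
    """Open the archive and apply the same policy to every member."""
    if depth >= 2:
        return Verdict(False, "archive nested too deeply to scan")
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return Verdict(False, "corrupt archive cannot be scanned")
    for info in archive.infolist():
        if info.flag_bits & 0x1:
            # Bit 0 of the general-purpose flag marks an encrypted member:
            # the gateway AV cannot look inside, so the whole file is blocked.
            return Verdict(False, f"encrypted member {info.filename} cannot be scanned")
        inner = check_attachment(info.filename, archive.read(info), depth + 1)
        if not inner.allowed:
            return Verdict(False, f"{info.filename} inside {name}: {inner.reason}")
    return Verdict(True, "archive contents inspected")


def _build_zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


def _mark_encrypted(zip_bytes: bytes) -> bytes:
    """Set the 'encrypted' flag bit in the local and central headers of a
    single-member ZIP so the gateway sees an archive it cannot open."""
    b = bytearray(zip_bytes)
    local = b.find(b"PK\x03\x04")      # local file header; flags at offset 6
    central = b.find(b"PK\x01\x02")    # central directory entry; flags at offset 8
    b[local + 6] |= 1
    b[central + 8] |= 1
    return bytes(b)


# Constructed sample attachments (not real malware; bytes are placeholders).
SAMPLE_ATTACHMENTS = {
    "invoice.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "report.pdf": b"%PDF-1.4 sample document",
    "notes.txt": b"MZ\x90\x00 renamed executable",
    "docs.zip": _build_zip({"readme.txt": b"hello", "payload.dll": b"MZ\x90\x00"}),
    "clean.zip": _build_zip({"readme.txt": b"hello"}),
    "locked.zip": _mark_encrypted(_build_zip({"secret.doc": b"contents"})),
}


def evaluate_all(attachments=SAMPLE_ATTACHMENTS) -> dict:
    """Run the policy over a mapping of file name -> bytes."""
    return {name: check_attachment(name, data) for name, data in attachments.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_all().items():
        print(f"{'ALLOW' if verdict.allowed else 'BLOCK':5} {name}: {verdict.reason}")
```

Running the block prints one verdict per sample: the .exe and .dll cases are blocked by extension, the renamed executable is blocked by its MZ header, the clean archive passes after inspection, and the encrypted archive is blocked because it cannot be scanned, which is the behaviour the recommendation asks for rather than simply rejecting every .zip.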