The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert about Emotet malware following an increase in successful attacks on state and local governments in the United States since August 2020.
Emotet is distributed via phishing emails sent by the Emotet botnet – a network of computers that have been infected with Emotet malware. The botnet often conducts spam runs involving more than 500,000 emails. The emails carry either malicious attachments that use scripts to download the payload, or hyperlinks that direct users to malicious websites from which the Emotet Trojan is downloaded.
Emotet is a sophisticated Trojan that acts as a downloader of other malware variants, including Qbot and the TrickBot Trojan. Those secondary malware variants in turn download additional malicious payloads such as Conti and Ryuk ransomware.
Once installed on a device, Emotet attempts to spread to other devices on the network by brute-forcing credentials, writing to shared drives, and hijacking email accounts to send copies of itself to the user’s email contacts. Because the malware has worm-like properties, eliminating Emotet can be difficult: devices may be cleaned but can easily be re-infected.
Emotet is known for having periods of high activity followed by periods of dormancy. The last dormant period started in February 2020, with activity restarting in July 2020. Even with the extended dormant periods, Emotet remains one of the most serious and prevalent malware threats with more than 10 times the number of infections as the second most commonly detected malware, the Njrat Remote Access Trojan.
Since July 2020, CISA’s EINSTEIN Intrusion Detection System has detected around 16,000 alerts related to Emotet activity, with the malware being spread in targeted campaigns. In August, researchers identified a 1,000% increase in downloads of the Emotet loader. Initially, Emotet primarily downloaded the TrickBot Trojan before switching to Qbot malware.
Defending against Emotet largely involves following cybersecurity best practices to strengthen an organization’s security posture. The recommendations made by CISA include blocking suspicious email attachment types that are commonly used to install malware (.scr, .exe, .dll), configuring email gateways to block attachments that cannot be scanned by antivirus software (such as password-protected files), scanning email attachments and ensuring the attachment matches its true file type, establishing a formal patch management process, implementing DMARC and multi-factor authentication, disabling file and printer sharing services if possible, monitoring web browsing habits and blocking access to certain types of websites, using a firewall on all workstations and denying unsolicited connection requests, segmenting and segregating networks, and adhering to the principle of least privilege.
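As an added illustration of three of those recommendations (the attachment block list, checking that an attachment matches its true file type, and blocking password-protected archives that antivirus cannot scan), the following Python gateway check is example code written for this page, not CISA's or the article's; its signature table, the `make_zip` helper and the sample inputs are assumptions constructed for the demonstration.

```python
"""Attachment policy check modelled on the CISA recommendations above (added
example, not CISA's code): block listed extensions, mismatched types, encrypted ZIPs."""
import io, os, zipfile

BLOCKED_EXTENSIONS = {".scr", ".exe", ".dll"}  # extensions named in the alert
# Signature table (assumption: a small set for this example, not exhaustive)
SIGNATURES = [(b"MZ", "pe"), (b"%PDF", "pdf"), (b"PK\x03\x04", "zip"), (b"\x89PNG", "png")]
DECLARED = {".pdf": "pdf", ".zip": "zip", ".docx": "zip", ".xlsx": "zip", ".png": "png"}

def sniff_type(data):
    """True file type from the leading bytes, or 'unknown'."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"

def zip_is_encrypted(data):
    """General-purpose flag bit 0 on any entry marks a password-protected ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False

def classify_attachment(filename, data):
    """Return (decision, reason) for one attachment."""
    ext = os.path.splitext(filename)[1].lower()
    if ext in BLOCKED_EXTENSIONS:
        return "block", f"extension {ext} is on the block list"
    kind = sniff_type(data)
    if kind == "pe":  # renamed executable: the true type wins over the extension
        return "block", f"Windows executable content behind extension {ext!r}"
    expected = DECLARED.get(ext)
    if expected is not None and kind != expected:
        return "block", f"content is {kind} but {ext} should be {expected}"
    if kind == "zip" and zip_is_encrypted(data):
        return "block", "password-protected archive cannot be scanned"
    return "allow", "static checks passed; hand to antivirus scan"

def make_zip(name, content, encrypted_flag=False):
    """Constructed test archive; sets the encryption flag bit, no real crypto."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, content)
    data = bytearray(buf.getvalue())
    if encrypted_flag:  # flag at offset 6 of the local header, 8 of the central header
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            data[data.find(sig) + off] |= 0x01
    return bytes(data)
```

Files with no known signature and an unlisted extension are allowed through only to the antivirus stage, which is where the scan recommendation takes over.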