The US Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) issued an advisory on Tuesday about the widespread attacks of the notorious Emotet trojan. The agencies said they had observed more than 16,000 Emotet alerts since July 2020, detected by the EINSTEIN intrusion detection system.
The advisory describes Emotet as “one of the most prevalent ongoing threats”, owing to its continuous attacks against state and local government offices. The report says: “Since July 2020, CISA has seen increased activity involving Emotet-associated indicators. During that time, CISA’s EINSTEIN Intrusion Detection System, which protects federal, civilian executive branch networks, has detected roughly 16,000 alerts related to Emotet activity”.
Evolution of Emotet malware
Emotet was discovered in 2014 as a banking trojan used for small-time financial fraud. It has since grown into a much larger operation that delivers far more sophisticated malware. Most recently, Emotet has helped TrickBot, a banking trojan, and the Ryuk ransomware carry out large cyberattacks against numerous prominent organizations.
Emotet’s ability to morph into different structures makes it the most dangerous malware. It can also spread to nearby Wi-Fi networks, and it generally arrives through spam and phishing emails.
The malware went through a dormant period from February to July, after which it suddenly resurfaced. Since then, Emotet has been running several high-profile phishing campaigns worldwide. The CISA advisory states: “Since August, CISA and MS-ISAC have seen a significant increase in malicious cyber actors targeting state and local governments with Emotet phishing emails”.
The trojan uses MITRE ATT&CK techniques such as “OS Credential Dumping: LSASS Memory”, “Exfiltration Over C2 Channel”, and “Account Discovery: Email Account”.
CISA recommends that users block email attachments with the extensions “.exe”, “.dll”, and “.zip”. These are the most common extensions associated with Emotet, and such attachments can bypass personal antivirus protection.
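The attachment filter below is an added example of how a mail gateway could apply the extension block described above; it is not code from CISA or the advisory. It parses a constructed sample message with Python's standard email library and flags attachments whose names end in a blocked extension, normalising case and trailing dots so that names like “Invoice.EXE” or “report.pdf.exe.” are still caught.

```python
import email
import posixpath
from email.message import EmailMessage
from email.policy import default

# Extensions the CISA/MS-ISAC advisory names as the most common Emotet carriers.
BLOCKED_EXTENSIONS = {".exe", ".dll", ".zip"}


def blocked_extension(filename):
    """Return True if an attachment name ends in a blocked extension.

    Lower-cases the name and strips trailing dots/spaces, so double
    extensions ('report.pdf.exe') and mixed case ('Invoice.EXE') are caught.
    """
    name = posixpath.basename(filename or "").rstrip(". ").lower()
    return any(name.endswith(ext) for ext in BLOCKED_EXTENSIONS)


def blocked_attachments(raw_message):
    """Parse an RFC 5322 message and return the attachment names to block."""
    msg = email.message_from_bytes(raw_message, policy=default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name and blocked_extension(name):
            hits.append(name)
    return hits


def build_sample():
    """Build a constructed sample message (placeholder bytes, not real malware)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"      # constructed address
    msg["To"] = "recipient@example.invalid"     # constructed address
    msg["Subject"] = "Sample message for attachment filtering"
    msg.set_content("Body text.")
    # Only the attachment names matter for the filter; the payloads are dummies.
    msg.add_attachment(b"PK\x03\x04", maintype="application",
                       subtype="zip", filename="Invoice.ZIP")
    msg.add_attachment(b"MZ", maintype="application",
                       subtype="octet-stream", filename="report.pdf.exe")
    msg.add_attachment("plain notes", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    print(blocked_attachments(build_sample()))  # ['Invoice.ZIP', 'report.pdf.exe']
```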
The governments of New Zealand, France, and Japan have all issued advisories against Emotet in the last month.