U.S. Cybersecurity and Infrastructure Security Agency (CISA) Issues Warning Regarding Emotet Malware

I find malware to be extremely fascinating. When I see a new strain I want to learn more about it. Perhaps my love of malicious code is one of the reasons I was so drawn to cyber security in the first place. The way the code changes, the motives of the creators, the different attack vectors... they all grab at my attention. One particularly interesting thing about malware is how a variant will seemingly start to fade away only to come back stronger than ever. We can certainly say this was the case with the Emotet malware.

Emotet was first discovered back in 2014. (Side note, can you believe 2014 was 6 years ago already! Oh, how time flies.) At first, Emotet was a seemingly run-of-the-mill, simplistic banking trojan. Unfortunately for its victims, Emotet didn’t stay simple for long. Like a fine wine, Emotet got better with age. (And by better, I of course mean better at wreaking havoc on unsuspecting computer users.) Emotet changed into a far more advanced variant of itself, prompting the U.S. Department of Homeland Security to state that Emotet was “among the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors.”

Security giant Fortinet stated that Emotet had “not only evolved into a botnet but also added modularity, such as the ability to deliver malware using worm-like capabilities.” Worms, eh? We don’t like worms. (Unless they’re gummy worms!)

You know what’s not cozy? Having an Emotet worm make its way through your network. Very many not cozy vibes happening there.

So how does this not-so-cozy malware variant end up in your network anyway? Mostly through phishing attacks – shocker. According to research conducted by Trend Micro, 91% of cyberattacks resulting in a data breach begin with a spear phishing email, so none of us should be surprised by this.

In addition, in a new malspam campaign (malspam is the term used to designate malware that is delivered via email messages), attackers are leveraging fear of the Coronavirus to help spread the Emotet malware. Chinese citizens began receiving emails disguised as official government notices regarding Coronavirus. However, the emails prompted users to download attachments which contained the Emotet malware. As far as I know, there haven’t been any reports of this malspam campaign in the U.S., but if history tells us anything it’s that we should expect to see it soon.

The best way to protect against Emotet (or any malware spread through phishing attacks) is to be cognizant of how to spot fake emails. If you receive an email that doesn’t feel right, it’s best not to open the attachments. Look at the sender and ensure that the message was truly sent from who it claims to be sent from.

Cybereason recommends the following tips for preventing an Emotet outbreak within your organization:

  1. Disable macros in your organization’s group policy or caution users not to enable macros.
  2. Block executable files from being run from temporary folders in your organization’s group policy.
  3. Change email account passwords and login credentials for all infected users. Give users best practices and tips to avoid falling for future phishing emails.
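To check whether the first tip actually landed on a workstation, here is an added PowerShell audit script (my own example, not Cybereason’s code) that reads the registry values written by the Office Group Policy settings for macro notification and for blocking macros in files from the Internet. It assumes Office 2016/2019/365 (version key 16.0) and the user-scoped policy hive; adjust `$OfficeVersion` for older builds.

```powershell
# Added example: audit the Office macro policy per application.
# Assumes Office 2016/2019/365 (registry version key 16.0).
$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'

# Meaning of the VBAWarnings DWORD set by "VBA Macro Notification Settings".
$VbaMeaning = @{
    1 = 'Enable all macros (unsafe)'
    2 = 'Disable all macros with notification'
    3 = 'Disable all except digitally signed macros'
    4 = 'Disable all macros without notification'
}

function Get-OfficeMacroPolicy {
    foreach ($app in $Apps) {
        # The Policies hive (written by GPO) takes precedence over the user's own Office setting.
        $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $userKey   = "HKCU:\Software\Microsoft\Office\$OfficeVersion\$app\Security"

        $vba = $null; $source = 'not set'
        foreach ($key in $policyKey, $userKey) {
            if (Test-Path $key) {
                $v = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).VBAWarnings
                if ($null -ne $v) { $vba = [int]$v; $source = $key; break }
            }
        }

        # "Block macros from running in Office files from the Internet" (policy-only value).
        $motw = $null
        if (Test-Path $policyKey) {
            $motw = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
        }

        $meaning = 'not set (Office default: disable with notification)'
        if ($null -ne $vba -and $VbaMeaning.ContainsKey($vba)) { $meaning = $VbaMeaning[$vba] }

        [pscustomobject]@{
            Application        = $app
            VBAWarnings        = $vba
            Meaning            = $meaning
            Source             = $source
            BlockInternetMacro = ($motw -eq 1)
            # Hardened only if macros are disabled (signed-only or fully) AND Internet files are blocked.
            Hardened           = ($vba -in 3, 4) -and ($motw -eq 1)
        }
    }
}

Get-OfficeMacroPolicy | Format-Table -AutoSize
```

Run it in the context of the user you are auditing, since these Office policies live under HKCU; a `Hardened` value of `False` for any application means the Group Policy either has not applied yet or was never set.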

In addition to these helpful tips, Cybereason has also released a free tool available on GitHub. The tool is called Emotet-blocker and works by “grabbing the mutex that emotet 1st stage binary gains in advance and prevents further activities by it which reduces the chance of an attack on Windows devices.” The creators have added that this is to help prevent a specific variant of Emotet, but if Emotet’s developers change the malware, the tool may be rendered ineffective.

If you are interested in downloading Emotet-blocker, you can find the download link over on my Open Source Tools page under the heading “Miscellaneous”.
