Malware known as Emotet has emerged as "one of the most widespread threats" as it increasingly targets state and local governments and infects them with other malware, the Department of Homeland Security's cybersecurity division said Tuesday.
Emotet was first identified in 2014 as a relatively simple Trojan for stealing bank account information. Within a year or two, it had reinvented itself as a formidable downloader, or dropper, that installs other malware after infecting a PC. The Trickbot banking Trojan and Ryuk ransomware are two of the most common follow-on payloads. Over the past month, Emotet has successfully burrowed into the Quebec Justice Department and stepped up attacks on governments in France, Japan and New Zealand. It has also targeted the National Democratic Committee.
U.S. state and local governments are also receiving unwanted attention, according to CISA, short for the Cybersecurity and Infrastructure Security Agency. Einstein, the agency's intrusion detection system for collecting, analyzing and sharing security information among civilian departments and federal agencies, has also recorded a sharp surge in recent weeks. In a report issued on Tuesday, officials wrote:
Since July 2020, CISA has seen increased activity involving Emotet-associated indicators. During this time, CISA's EINSTEIN intrusion detection system, which protects federal civilian executive branch networks, has detected around 16,000 alerts related to Emotet activity. CISA observed Emotet being executed in phases during possible targeted campaigns. Emotet used compromised Word documents (.doc) attached to phishing emails as initial insertion vectors. Possible command and control network traffic included HTTP POST requests to Uniform Resource Identifiers consisting of nonsensical, random-length alphabetical directories on known Emotet-related domains or IPs, with the following user agent string (Application Layer Protocol: Web Protocols (T1071.001)).
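The URI pattern in the CISA excerpt above (POSTs whose path is made only of letters-only directories of arbitrary length, sent to known Emotet-related hosts) can be turned into a simple detection pass over proxy logs. The following is an added example and not code from the article or from CISA; the log lines and the watchlist hosts are constructed placeholders, and because the report's user-agent string is not reproduced on this page, the check relies on the path shape plus a host watchlist, since the path shape alone would be noisy.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log lines (not from the article): "METHOD URL USER-AGENT".
SAMPLE_LOG = [
    "POST http://198.51.100.23/wxqpr/eoqnzlkv/ Mozilla/4.0 (compatible; MSIE 7.0)",
    "POST http://update.example/api/v2/status Mozilla/5.0",
    "GET http://198.51.100.23/ghjyt/ Mozilla/4.0",
    "POST http://c2-placeholder.example/oqplx/ Mozilla/4.0",
    "POST http://198.51.100.23/images/logo.png Mozilla/5.0",
]

# Placeholder watchlist standing in for "known Emotet-related domains or IPs";
# a real deployment would load this from threat intelligence, not hard-code it.
WATCHLIST = {"198.51.100.23", "c2-placeholder.example"}

# A path made solely of alphabetic directory names, e.g. /wxqpr/eoqnzlkv/
# (no digits, no file extensions, no query string considered).
NONSENSE_PATH = re.compile(r"^(/[A-Za-z]+)+/?$")


def parse_line(line):
    """Split a constructed log line into (method, url, user_agent)."""
    method, url, agent = line.split(" ", 2)
    return method, url, agent


def is_suspect(method, url, watchlist=WATCHLIST):
    """True for a POST to a watchlisted host whose URI path consists only of
    letters-only directories of arbitrary length, the shape CISA describes."""
    if method != "POST":
        return False
    parsed = urlparse(url)
    if parsed.hostname not in watchlist:
        return False
    return NONSENSE_PATH.match(parsed.path) is not None


def flag_lines(lines):
    """Return the URLs of all log lines that match the suspect pattern."""
    hits = []
    for line in lines:
        method, url, _agent = parse_line(line)
        if is_suspect(method, url):
            hits.append(url)
    return hits
```

Run as-is, `flag_lines(SAMPLE_LOG)` flags the two POSTs with purely alphabetic paths to watchlisted hosts and leaves the GET, the versioned API path and the image download alone.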
Emotet's success is the result of a variety of tricks, some of which include:
- The ability to spread to nearby Wi-Fi networks
- A polymorphic design, meaning it constantly changes its identifiable properties, which makes it difficult to identify as malicious
- Fileless infections, such as PowerShell scripts, which also complicate the detection of secondary infections
- Worm-like features that steal administrator passwords and use them to spread across the network
- "Email thread hijacking," in which email chains are stolen from an infected computer and a spoofed identity is used to trick other people on the thread into opening a malicious file or clicking a malicious link.
Below is a diagram that shows some of the techniques Emotet uses. (Diagram: CISA)
In February Emotet suddenly went dark for no clear reason. Then in July it returned just as quickly.
Since then, Emotet's operators have been spreading malicious spam. Security firm Intezer is also seeing a sharp increase: in a separate blog post published on Tuesday, it said 40 percent of the samples analyzed by corporate customers and community users were classified as Emotet.
"In a world where everything is seemingly unpredictable, we can apparently rely on Emotet to keep us busy," wrote Intezer researchers. "That shouldn't prevent us from being more strategic in how we adapt our approach to help identify this threat."