The US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning over a huge surge in activity by the gang behind the Emotet trojan.
Historically, the Emotet spam botnet has been linked to the distribution of banking trojans, but these days it spews malware-laden spam and then sells access to infected computers to any criminal group, including ransomware operators.
Microsoft, Italy, and the Netherlands last month warned of a spike in Emotet malicious spam activity, which came a few weeks after France, Japan and New Zealand issued their alerts over Emotet.
Emotet was quiet after February but came back with a vengeance in July. CISA describes Emotet as a “sophisticated trojan commonly functioning as a downloader or dropper of other malware” and “one of the most prevalent ongoing threats”.
CISA’s assessment is understandable given that Emotet is considered to be currently the world’s largest malware botnet.
Since August, CISA and the Multi-State Information Sharing & Analysis Center (MS-ISAC) have observed attackers targeting state and local governments with Emotet phishing emails.
Emotet spreads with worm-like features via phishing email attachments or links that lead to a malicious attachment. Once opened, Emotet works to spread throughout a network by guessing admin credentials and using them to write remotely to shared drives over the SMB file-sharing protocol, which gives the attacker the ability to move laterally through the network.
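The spread pattern described above (a burst of admin-credential guesses, then a successful network logon, then a write to an administrative share over SMB) is something a defender can look for in Windows security telemetry. The detector below is an added example, not code from the article or from CISA; it assumes events have already been normalised into tuples of (timestamp, event ID, source IP, target host, user, detail) and relies on the standard Windows event IDs 4625 (failed logon), 4624 (successful logon) and 5145 (network share object checked). The events it runs over are constructed sample data, not real telemetry.

```python
"""Flag brute-force-then-SMB-write sequences in Windows security events.

Added example, not from the article or CISA. Detects the lateral-movement
pattern: repeated failed logons from one source against one host, then a
successful network logon (LogonType=3), then a write to ADMIN$ or C$.
"""
from collections import defaultdict

# Constructed sample events: (ts_seconds, event_id, source_ip, target_host, user, detail)
SAMPLE_EVENTS = [
    (100, 4625, "10.0.0.15", "FS01", "Administrator", ""),
    (101, 4625, "10.0.0.15", "FS01", "Administrator", ""),
    (102, 4625, "10.0.0.15", "FS01", "Administrator", ""),
    (103, 4625, "10.0.0.15", "FS01", "Administrator", ""),
    (104, 4625, "10.0.0.15", "FS01", "Administrator", ""),
    (105, 4624, "10.0.0.15", "FS01", "Administrator", "LogonType=3"),
    (106, 5145, "10.0.0.15", "FS01", "Administrator", r"Share=\\*\ADMIN$ Access=WriteData"),
    # Routine admin write from a jump host: no guessing burst beforehand, so no alert.
    (200, 4624, "10.0.0.2", "FS02", "svc_backup", "LogonType=3"),
    (201, 5145, "10.0.0.2", "FS02", "svc_backup", r"Share=\\*\C$ Access=WriteData"),
    # Failures with no subsequent success: noisy, but not lateral movement on its own.
    (300, 4625, "10.0.0.77", "DC01", "Administrator", ""),
    (301, 4625, "10.0.0.77", "DC01", "Administrator", ""),
]

ADMIN_SHARES = {"ADMIN$", "C$"}


def _share_name(detail: str) -> str:
    """Extract the bare share name (e.g. ADMIN$) from a 'Share=\\\\*\\ADMIN$ ...' detail string."""
    for token in detail.split():
        if token.startswith("Share="):
            return token[len("Share="):].rsplit("\\", 1)[-1]
    return ""


def detect_smb_lateral_movement(events, min_failures=5, window=600):
    """Return alerts as (source_ip, target_host, user, failure_count) tuples.

    An alert fires when, for one (source, target) pair, at least `min_failures`
    4625 events within `window` seconds are followed by a 4624 network logon
    and then a 5145 WriteData access to an administrative share.
    """
    events = sorted(events, key=lambda e: e[0])
    failures = defaultdict(list)   # (src, target) -> timestamps of recent 4625s
    granted = {}                   # (src, target) -> (ts of 4624, failures seen)
    alerts = []
    for ts, eid, src, target, user, detail in events:
        key = (src, target)
        if eid == 4625:
            failures[key] = [t for t in failures[key] if ts - t <= window] + [ts]
        elif eid == 4624 and "LogonType=3" in detail:
            if len(failures[key]) >= min_failures:
                granted[key] = (ts, len(failures[key]))
        elif eid == 5145 and "Access=WriteData" in detail:
            if key in granted and ts - granted[key][0] <= window \
                    and _share_name(detail) in ADMIN_SHARES:
                alerts.append((src, target, user, granted[key][1]))
                del granted[key]
    return alerts


if __name__ == "__main__":
    for src, target, user, n in detect_smb_lateral_movement(SAMPLE_EVENTS):
        print(f"ALERT: {src} guessed {n} times at {target}, then wrote to an admin share as {user}")
```

The three-stage sequence keeps the rule quiet on its own: a brute-force burst alone, or an admin share write alone, is common in a live network, but the full chain from the same source against the same host within a short window is a strong lateral-movement signal worth an incident ticket.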
CISA says that since July its EINSTEIN in-house intrusion-detection system for federal civilian executive branch networks has detected about 16,000 alerts related to Emotet activity.
Microsoft in September noticed Emotet was also using password-protected email ZIP attachments instead of Office documents to bypass email security gateways.
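Password-protected ZIP attachments defeat a gateway's content scanning because the archive's entries cannot be opened for inspection, but the ZIP metadata itself is not encrypted and is enough to make a policy decision. The check below is an added example, not code from the article, Microsoft or CISA: it reads the general-purpose flag of each entry (bit 0 marks an encrypted entry) and returns a gateway verdict. The sample archives are built in-line with a small constructed helper; they only set the encrypted flag and contain no real document, since the decision rests on metadata alone.

```python
"""Flag password-protected ZIP attachments from their metadata alone.

Added example, not from the article, Microsoft or CISA. A mail gateway
cannot scan the contents of an encrypted archive, so the conservative
policy is to hold such attachments rather than pass them through.
"""
import io
import struct
import zipfile
import zlib

ENCRYPTED_FLAG = 0x0001   # general-purpose bit 0 in the ZIP local/central headers
MACRO_CAPABLE = (".doc", ".docm", ".xls", ".xlsm", ".ppt", ".pptm")


def build_stored_zip(name: str, data: bytes, encrypted: bool) -> bytes:
    """Build a one-entry ZIP (method 0, stored); optionally mark the entry encrypted.

    Constructed test helper: only the flag is set, no actual encryption is
    applied, which is enough to exercise a detector that reads metadata only.
    """
    flags = ENCRYPTED_FLAG if encrypted else 0
    crc = zlib.crc32(data) & 0xFFFFFFFF
    fname = name.encode()
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0x21,
                        crc, len(data), len(data), len(fname), 0) + fname + data
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0, 0, 0x21,
                          crc, len(data), len(data), len(fname), 0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd


def classify_zip_attachment(data: bytes) -> dict:
    """Inspect ZIP bytes: list encrypted entries and macro-capable inner file names."""
    result = {"is_zip": False, "encrypted_entries": [], "macro_capable": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))   # reads the central directory only
    except (zipfile.BadZipFile, OSError):
        return result
    result["is_zip"] = True
    for info in zf.infolist():
        if info.flag_bits & ENCRYPTED_FLAG:
            result["encrypted_entries"].append(info.filename)
        if info.filename.lower().endswith(MACRO_CAPABLE):
            result["macro_capable"].append(info.filename)
    return result


def gateway_verdict(data: bytes) -> str:
    """'quarantine' if any entry is encrypted, 'sandbox' for macro-capable office files, else 'pass'."""
    report = classify_zip_attachment(data)
    if not report["is_zip"]:
        return "pass"
    if report["encrypted_entries"]:
        return "quarantine"   # contents unscannable: hold for analyst review or detonation
    if report["macro_capable"]:
        return "sandbox"
    return "pass"


if __name__ == "__main__":
    locked = build_stored_zip("invoice.doc", b"constructed placeholder bytes", encrypted=True)
    print(classify_zip_attachment(locked), gateway_verdict(locked))
```

Because the verdict is based on header flags rather than on opening entries, it works even when the password is only given in the email body; a detonation sandbox can then be fed that password by an analyst rather than having the user do it.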
The European Emotet warnings came after researchers saw the botnet dropping Trickbot to deliver ransomware and the Qakbot trojan to steal banking credentials.
Another crafty ploy currently in use by Emotet is hijacking email threads. The Emotet group grabs an existing email chain from an infected host and answers the thread with an additional malicious document attached.