Malicious Email Campaign Delivering Emotet Banking Trojan

NJCCIC Alert

Original Release Date: 2017-07-27

On Wednesday, July 26, the NJCCIC detected a large phishing campaign attempting to deliver malicious emails to New Jersey state employees. These emails masquerade as correspondence from mobile phone carriers and attempt to lure recipients into clicking an embedded link. If clicked, a document containing the Emotet banking trojan begins to download onto the recipient’s system. The observed emails originate from various senders and IP addresses and include the following subject lines: "Your Virgin Media bill is ready", "AT&T Bill Message", "AT&T Automatic Billing Message", "AT&T Monthly Statement", and "AT&T Customer". More information about this campaign and additional indicators of compromise can be found on the SANS ISC website.

As this campaign has initially managed to bypass email security filters, the NJCCIC strongly recommends educating end users about this and similar threats and reminding them never to click on links or open attachments delivered with unexpected or unsolicited emails. Additionally, if end users have received and taken action on these emails, be sure to run updated antivirus software on the affected system to detect and remove Emotet infections, and have those users proactively change the passwords for any accounts accessed on the infected system.
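To identify which users received messages with the subject lines listed above, so they can be contacted for the antivirus scan and password change, exported mail can be matched against those subjects. The following is an added example, not NJCCIC code; the function names, sample messages and addresses are constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import getaddresses

# Subject lines listed in the alert above.
CAMPAIGN_SUBJECTS = [
    "Your Virgin Media bill is ready",
    "AT&T Bill Message",
    "AT&T Automatic Billing Message",
    "AT&T Monthly Statement",
    "AT&T Customer",
]

def normalize(subject):
    """Casefold, collapse whitespace, and drop leading Re:/Fw:/Fwd: prefixes."""
    text = re.sub(r"\s+", " ", subject or "").strip().casefold()
    return re.sub(r"^((re|fw|fwd):\s*)+", "", text)

_KNOWN = {normalize(s) for s in CAMPAIGN_SUBJECTS}

def recipients_to_follow_up(raw_messages):
    """Return sorted To/Cc addresses of messages whose subject matches exactly."""
    hits = set()
    for raw in raw_messages:
        # policy=default decodes RFC 2047 encoded-word subjects before matching.
        msg = message_from_string(raw, policy=default)
        if normalize(msg["Subject"]) in _KNOWN:
            fields = msg.get_all("To", []) + msg.get_all("Cc", [])
            hits.update(addr.lower() for _, addr in getaddresses(fields) if addr)
    return sorted(hits)

# Constructed sample messages (hypothetical senders and recipients).
SAMPLES = [
    "From: billing@carrier.example\nTo: Alice <alice@agency.example>\n"
    "Subject: AT&T Bill Message\n\nbody\n",
    "From: x@sender.example\nTo: bob@agency.example\n"
    "Subject: =?utf-8?b?WW91ciBWaXJnaW4gTWVkaWEgYmlsbCBpcyByZWFkeQ==?=\n\nbody\n",
    "From: hr@agency.example\nTo: carol@agency.example\n"
    "Subject: Benefits enrollment reminder\n\nbody\n",
    "From: bob@agency.example\nTo: dave@agency.example\n"
    "Subject: FW:  AT&T   Monthly Statement\n\nbody\n",
]

if __name__ == "__main__":
    print(recipients_to_follow_up(SAMPLES))
```

A subject match only marks a recipient for follow-up; legitimate carrier mail can carry the same subject, so confirm against the link or attachment before treating the system as infected.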

New Jersey Cybersecurity & Communications Integration Cell

2 Schwarzkopf Dr, Ewing Township, NJ 08628

njccic@cyber.nj.gov
