Malicious Phishing Campaign Delivering Emotet Banking Trojan

The NJCCIC has detected a recent uptick in malicious phishing emails attempting to deliver the Emotet banking trojan to state government email addresses. At first glance, these emails appear to be sent from an email address within the same agency as the recipient. However, upon closer inspection, the emails originate from various German domains. The subject lines vary and include words such as “Invoice,” “Overdue Account,” “Purchase Order,” and “Statement,” to convince the recipient that the email is of a financially urgent nature. The body of the email attempts to lure recipients into clicking the embedded malicious link in order to view a supposed invoice or payment details.

If clicked, the recipient is sent to a website hosting a Microsoft Word document containing malicious macros. If the macros are enabled, the Emotet banking trojan will download and install on the recipient’s system. Emotet will then download additional malware designed to steal data and spread across networks. According to Proofpoint, Emotet was observed loading Dridex, Qbot, and Gootkit onto infected systems.

Since this campaign has initially managed to bypass some email security filters, the NJCCIC strongly recommends educating end users about this and similar threats and reminding them never to click on links or open attachments delivered with unexpected or unsolicited emails. Additionally, if end users have received and taken action on these emails, isolate the affected systems from the network and perform a full system scan using a reputable anti-malware solution. Proactively monitor and change passwords to any financial, personal, or business accounts accessed on infected systems and enable multi-factor authentication where available.
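The two indicators the advisory describes, a header From that claims the recipient's own agency while the message actually arrives from an external domain, and a financial-urgency subject line carrying an embedded link, can be turned into a simple mail-triage check. The script below is an added example, not NJCCIC tooling; the agency domain `agency.nj.example`, the sender hostnames, and both sample messages are constructed for illustration. It only trusts the Received header written by the organization's own mail exchanger, since earlier hops are under the sender's control.

```python
import re
import email
from email import policy
from email.utils import parseaddr

# Assumption: the recipient agency's own mail domain (constructed placeholder).
INTERNAL_DOMAIN = "agency.nj.example"
# Subject terms the advisory lists as the campaign's financial-urgency lures.
LURE_SUBJECT_TERMS = ("invoice", "overdue account", "purchase order", "statement")

# Constructed sample resembling the campaign: internal-looking From, external
# Return-Path and first hop, lure subject, link to a hosted document.
SAMPLE_MESSAGE = """\
Return-Path: <rechnung@buchhaltung-service.de>
Received: from mail.buchhaltung-service.de (mail.buchhaltung-service.de [203.0.113.17])
        by mx.agency.nj.example with ESMTP id abc123
From: "Accounts Payable" <ap@agency.nj.example>
To: clerk@agency.nj.example
Subject: Overdue Account - Invoice 4471
Content-Type: text/plain

Please review the invoice details at the link below.
http://example.invalid/invoice/view
"""

# Constructed benign internal message for comparison.
BENIGN_MESSAGE = """\
Return-Path: <hr@agency.nj.example>
Received: from mail.agency.nj.example (mail.agency.nj.example [192.0.2.5])
        by mx.agency.nj.example with ESMTP id def456
From: "HR" <hr@agency.nj.example>
To: clerk@agency.nj.example
Subject: Holiday schedule reminder
Content-Type: text/plain

The office closes early on Friday.
"""


def domain_of(addr):
    """Extract the lowercase domain from a header address such as 'Name <user@host>'."""
    _, address = parseaddr(str(addr))
    return address.rpartition("@")[2].lower()


def is_internal_host(host):
    """True if the hostname is the agency domain or a subdomain of it."""
    return host == INTERNAL_DOMAIN or host.endswith("." + INTERNAL_DOMAIN)


def triage(raw_message):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    from_domain = domain_of(msg["From"])
    return_path_domain = domain_of(msg.get("Return-Path", ""))

    # The topmost Received header is the one added by our own MX; only that hop
    # is trustworthy, so the check uses the host it reports receiving from.
    received = msg.get_all("Received") or []
    match = re.match(r"from\s+([\w.-]+)", str(received[0])) if received else None
    first_hop = match.group(1).lower() if match else ""

    if from_domain == INTERNAL_DOMAIN:
        if return_path_domain and return_path_domain != INTERNAL_DOMAIN:
            findings.append(
                f"header From claims {INTERNAL_DOMAIN} but Return-Path is {return_path_domain}"
            )
        if first_hop and not is_internal_host(first_hop):
            findings.append(
                f"header From claims {INTERNAL_DOMAIN} but was received from {first_hop}"
            )

    subject = str(msg["Subject"] or "").lower()
    hits = [term for term in LURE_SUBJECT_TERMS if term in subject]
    if hits:
        findings.append(f"financial-urgency subject terms: {', '.join(hits)}")

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    urls = re.findall(r"https?://\S+", text)
    if urls:
        findings.append(f"embedded link(s): {len(urls)}")

    return findings


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_MESSAGE), ("benign", BENIGN_MESSAGE)):
        print(label, "->", triage(raw) or "no findings")
```

Run stand-alone, the script reports four findings for the constructed campaign-style message and none for the benign one. In production the same logic belongs in a mail-gateway rule or a SIEM parser, and the Return-Path and first-hop comparisons are what SPF and DMARC alignment enforce automatically; this check is useful where those controls are not yet enforced or where a message has already been delivered and needs to be triaged.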