Emotet Alert: Increase in Active Malicious Email Campaigns

Overview
Over the past several weeks and continuing through today, there has been a marked increase in the number of phishing messages containing malicious links and attachments targeting individuals in all sectors. Many of these messages contain payment-themed subject lines and appear to the recipient to have been sent by trusted contacts, including government organizations, businesses, and academic institutions. Through analysis of their payloads, the NJCCIC has determined that these messages are related to Emotet malware campaigns and pose a significant threat to our members’ systems, networks, and personal information.

Threat
Emotet was originally categorized as a banking trojan used to steal financial account details by intercepting network traffic. Since its discovery in 2014, Emotet has continuously evolved to avoid detection and is currently being distributed via spam emails containing malicious attachments or embedded links. In the first half of 2018, Emotet variants have replaced ransomware as the most prevalent email-delivered malware threat.

These emails often reference a nondescript invoice or overdue payment in the subject and body, and contain a URL link or attachment that leads to a Microsoft Word document hosted on a remote server. If recipients open the document and enable the macros, Emotet will install onto their system. Emails may appear to come from an individual within the recipient’s own organization or a trusted associate. Recent subject lines associated with this campaign include “Southwire,” “Inv. [random digits],” and “HRI Monthly Invoice.”

Although organizations may implement the latest mail filtering technologies to detect and block malicious emails from entering their environments, according to the security vendor Bromium, Emotet is only detected by the leading anti-virus products 43 percent of the time. As such, end users are advised to be aware of these email threats and to be cautious when opening emails, especially those that were not expected and contain links or attachments.

For more information on the Emotet trojan, please refer to the following open-source resources:

Recommendations
The NJCCIC recommends users and administrators be mindful of this cyber threat and report suspicious emails to your IT help desk or information security officer immediately. We also strongly recommend never clicking on links or opening attachments delivered with unexpected or unsolicited emails.

If you have opened the attachments contained in the emails or downloaded and opened documents from the links included in the message, notify your IT help desk and isolate the affected system(s) from the network.  It is recommended that a full system scan be run using a reputable anti-virus/anti-malware solution. If an Emotet infection is strongly suspected but your anti-virus solution cannot detect or remove it, consider reimaging the affected system’s hard drive. Also, proactively monitor and change passwords to your financial, personal, and business accounts.

Additional Precautions:

  • Stay informed of current and emerging threats by subscribing to the NJCCIC and other threat intelligence organizations such as the MS-ISAC and the US-CERT.
  • Implement a defense-in-depth security strategy to include technical, administrative, and physical controls.
  • Implement the principle of least privilege to limit the chance of an attacker gaining administrative access.
  • Ensure the use of strong and unique passwords and implement multi-factor authentication as feasible.
  • Disable macros from running within Microsoft Office documents.
  • Implement software restriction policies (SRP) that allow only authorized applications to run and prevent the execution of files from temporary directories.
  • Ensure that anti-virus/anti-malware software is active, updated, and scans all newly received or downloaded files.
  • Segregate networks and business functions to restrict the spread of an infection to other systems.
  • Users are encouraged to review the NJCCIC Be Sure to Secure post “Mitigating the Risk of Malware Infections” and apply the recommended security measures to defend against malware infections.

Reporting

The NJCCIC encourages recipients who discover signs of malicious cyber activity to contact the NJCCIC via the cyber incident report form at www.cyber.nj.gov/report.

Please do not hesitate to contact the NJCCIC at njccic@cyber.nj.gov with any questions.