Emotet Campaigns Persist, Utilize Updated Tactics and Techniques

Over the past year, the Emotet trojan has been a prevalent cyber threat across New Jersey. The NJCCIC has received numerous reports regarding Emotet infections, often impacting the operations of affected organizations for weeks at a time, and emails containing the Emotet trojan continue to represent the largest volume of messages blocked due to the detection of malicious attachments and links.

In recent weeks, Emotet evolved to bypass many of the security controls recommended to defend against this threat, including DMARC (Domain-based Message Authentication, Reporting & Conformance), which is built on top of SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). Additionally, a newly added module now provides the capability to steal victims’ emails going back six months. While Emotet’s capabilities have evolved, emails related to this campaign continue to deliver messages with a payment theme and contain either an attachment or an embedded URL that references some form of invoice.

The NJCCIC strongly encourages educating end users about this and similar threats and reminding them never to click on links or open attachments delivered with unexpected or unsolicited emails, including those from known senders. If an Emotet infection is strongly suspected but your anti-virus solution cannot detect or remove it, consider reimaging the affected system’s hard drive. Also, proactively monitor and change passwords to any financial, personal, and business accounts, as well as administrative and domain controller accounts accessed on infected systems, and enable multi-factor authentication where available.
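As an added illustration (not NJCCIC's code and not part of the alert), the following triage rule mirrors the lure the alert describes: a payment or invoice theme carried by a document attachment or by a link. It runs over constructed sample messages and records the Authentication-Results header without using it to clear a message, since the alert notes Emotet mail now passes DMARC. The sender address, the authentication header contents and the list of risky extensions are assumptions for the example.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Lure vocabulary drawn from the alert's description (payment / invoice theme).
LURE_WORDS = re.compile(r"\b(invoice|payment|receipt|remittance)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
# Assumed list of document types worth a second look when paired with the lure.
RISKY_EXT = (".doc", ".docm", ".xls", ".xlsm", ".pdf", ".zip")


def triage(raw_message: str) -> dict:
    """Verdict for one RFC 822 message. The DMARC result is reported but never
    used to clear a message: the alert notes Emotet mail now passes it."""
    msg = message_from_string(raw_message, policy=policy.default)
    subject = msg.get("Subject", "")
    dmarc_pass = "dmarc=pass" in msg.get("Authentication-Results", "").lower()

    attachments, urls = [], []
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            attachments.append(filename)
        elif part.get_content_type() == "text/plain":
            urls.extend(URL_RE.findall(part.get_content()))

    themed = bool(LURE_WORDS.search(subject)) or any(LURE_WORDS.search(a) for a in attachments)
    risky = [a for a in attachments if a.lower().endswith(RISKY_EXT)]
    invoice_urls = [u for u in urls if LURE_WORDS.search(u)]

    reasons = []
    if themed and risky:
        reasons.append(f"payment-themed mail carrying document attachment {risky}")
    if themed and invoice_urls:
        reasons.append(f"payment-themed mail carrying invoice link {invoice_urls}")
    return {"flagged": bool(reasons), "reasons": reasons, "dmarc_pass": dmarc_pass}


def build_sample(subject: str, body: str, attachment: str = "") -> str:
    """Constructed sample message (test data, not a captured Emotet email)."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"  # placeholder sender
    msg["Subject"] = subject
    msg["Authentication-Results"] = "mx.example.net; spf=pass; dkim=pass; dmarc=pass"
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"placeholder bytes", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg.as_string()
```

A message that passes SPF, DKIM and DMARC is still flagged when the lure pattern is present, which is the behaviour the alert's observation calls for.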

Alert | NJCCIC | Tags: Emotet, trojan, email