Emotet, the Threat that Keeps on Giving

Throughout 2018, and now into 2019, the Emotet trojan has been a prevalent cyber threat across New Jersey. The NJCCIC has received numerous reports regarding Emotet infections, often impacting the operations of affected organizations for weeks at a time, and emails containing the Emotet trojan continue to represent the largest volume of messages blocked due to the detection of malicious attachments and links. The threat actors behind the trojan made several updates and changes in tactics and techniques in 2018 that enabled more emails to pass through security solutions and make it to end-user inboxes. New research from Menlo Security found that 80 percent of malicious Emotet attachments appear to be Word .doc files; however, they are actually XML files, an attempt to avoid detection and sandbox environments. While Emotet’s capabilities have evolved, emails related to this campaign continue to deliver messages with a payment theme and contain either an attachment or embedded URL that references an invoice.

The NJCCIC strongly encourages educating end users about this and similar threats and reminding them never to click on links or open attachments delivered with unexpected or unsolicited emails, including those from known senders. If an Emotet infection is strongly suspected but your anti-virus/anti-malware solution cannot detect or remove it, consider reimaging the affected system’s hard drive. Also, proactively monitor and change passwords to any financial, personal, and business accounts, as well as administrative and domain controller accounts accessed on infected systems, and enable multi-factor authentication where available.
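The .doc-named-but-actually-XML trick described above can be caught without opening the file: classify the attachment by its leading bytes and flag any Word-named file whose container does not match its extension. The following is an added example for mail-gateway or triage scripts, not code from the NJCCIC alert or from Menlo Security; the sample attachments are constructed, and the magic bytes and the Word 2003 `mso-application` processing instruction are the documented format markers.

```python
import re

# Magic bytes for the two legitimate Word container formats
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # binary .doc (OLE2 compound file)
ZIP_MAGIC = b"PK\x03\x04"                         # .docx/.docm (OOXML is a ZIP archive)
# Word 2003 XML documents carry this processing instruction so Word opens them
MSO_WORD_PI = re.compile(rb'<\?mso-application\s+progid="Word\.Document"\?>')

def classify_attachment(data: bytes) -> str:
    """Name the real container type from the file's leading bytes, not its name."""
    head = data[:512]
    if head.startswith(OLE_MAGIC):
        return "ole2-doc"
    if head.startswith(ZIP_MAGIC):
        return "ooxml-zip"
    text = head.lstrip(b"\xef\xbb\xbf \t\r\n")  # skip UTF-8 BOM and whitespace
    if text.startswith(b"<"):
        return "word-xml" if MSO_WORD_PI.search(data[:4096]) else "xml"
    return "unknown"

def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when a Word-named attachment is not in the container its extension implies.
    A mismatch is a triage signal for review, not proof of malice."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = classify_attachment(data)
    if ext == "doc":
        return kind != "ole2-doc"
    if ext in ("docx", "docm"):
        return kind != "ooxml-zip"
    return False

def flag_attachments(attachments):
    """Return the names of attachments whose bytes contradict their extension."""
    return [name for name, data in attachments if extension_mismatch(name, data)]

# Constructed samples (not real Emotet artefacts): a Word 2003 XML file named as .doc,
# plus a genuine OLE2 header and a ZIP header as benign controls.
XML_AS_DOC = (b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\r\n'
              b'<?mso-application progid="Word.Document"?>\r\n'
              b'<w:wordDocument xmlns:w="http://schemas.microsoft.com/office/word/2003/wordml">'
              b'</w:wordDocument>')
REAL_OLE_DOC = OLE_MAGIC + b"\x00" * 504

SAMPLE_ATTACHMENTS = [
    ("invoice_0417.doc", XML_AS_DOC),
    ("statement.doc", REAL_OLE_DOC),
    ("quote.docx", ZIP_MAGIC + b"\x00" * 26),
]
```

Running `flag_attachments(SAMPLE_ATTACHMENTS)` returns only the XML file masquerading as `.doc`; files a gateway flags this way can be quarantined for review before they reach an inbox.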

Tags: Alert, NJCCIC, Emotet, trojan