Emotet — a sophisticated Trojan commonly functioning as a downloader or dropper of other malware — resurged in July 2020, after a dormant period that began in February. Since August, CISA and MS-ISAC have seen a significant increase in malicious cyber actors targeting state and local governments with Emotet phishing emails. This increase has rendered Emotet one of the most prevalent ongoing threats.

Since July 2020, CISA has seen increased activity involving Emotet-associated indicators. During that time, CISA’s EINSTEIN Intrusion Detection System, which protects federal, civilian executive branch networks, has detected roughly 16,000 alerts related to Emotet activity. CISA observed Emotet being executed in phases during possible targeted campaigns. Emotet used compromised Word documents (.doc) attached to phishing emails as initial insertion vectors. Possible command and control network traffic involved HTTP POST requests to Uniform Resource Identifiers consisting of nonsensical random length alphabetical directories to known Emotet-related domains or IPs with the following user agent string (Application Layer Protocol: Web Protocols [T1071.001]).

Traffic to known Emotet-related domains or IPs occurred most commonly over ports 80, 8080, and 443. In one instance, traffic from an Emotet-related IP attempted to connect to a suspected compromised site over port 445, possibly indicating the use of Server Message Block exploitation frameworks along with Emotet (Exploitation of Remote Services [T1210]). Figure 1 lays out Emotet’s use of enterprise techniques.

Mark Kedgley, CTO at New Net Technologies (NNT), a Naples, Florida-based provider of IT security and compliance software, says, "Emotet is making headlines in the cyber security world for a number of reasons. It's mature, having been around in various forms since 2014, but it is always mutating and continues to evade detection by AV. It has strong downloader capabilities, so is a carrier or conduit for other hacking tools and malware, such as credentials theft or ransomware. And it has WORM capabilities too, designed to spread the malware laterally within a network once it has breached defenses, usually via phishing."

"Because of the polymorphic nature of Emotet, AV and other signature-based detection technologies will not be effective," says Kedgley. "Therefore, the best action is to harden the infrastructure and reduce functionality used to infect systems, and also to leverage breach detection capabilities such as FIM which will place a trojan like this right in the cross-hairs.”

Stephen Banda, Senior Manager, Security Solutions at Lookout, a San Francisco, Calif.-based provider of mobile security solutions, notes, that while the Emotent is an advanced trojan primarily seen to affect desktops, Lookout data shows mobile users encountering phishing attacks at a rate of over 30% on their personal devices. "This is particularly relevant in this case as phishing is the most common entry point for injecting malware into an environment," says Banda. "It’s become more evident through our threat research that adversaries are extending their attacks to mobile. In many cases, desktop and mobile malware will have connections to the same command and control infrastructure. Cyber criminals are taking full advantage of this expanded attack surface."

Bryan Becker, product manager at WhiteHat Security, a San Jose, Calif.-based provider of application security, adds that “Emotet is one of the reasons why you should never click on links in emails you don’t recognize. "Among other things, Emotet turns your computer into a “bot” or “zombie” that can controlled by the hacker group to perform other crimes, without your OS or anti-malware noticing – one of which is sending more spam emails infecting more people with Emotet.”

To secure against Emotet, CISA and MS-ISAC recommend implementing the following mitigation measures described in the alert, which include applying protocols that block suspicious attachments, using antivirus software, and blocking suspicious IPs.

Mitigations

CISA and MS-ISAC recommend that network defenders—in federal, state, local, tribal, territorial governments, and the private sector—consider applying the following best practices to strengthen the security posture of their organization's systems. System owners and administrators should review any configuration changes prior to implementation to avoid unwanted impacts.

• Block email attachments commonly associated with malware (e.g.,.dll and .exe).
• Block email attachments that cannot be scanned by antivirus software (e.g., .zip files).
• Implement Group Policy Object and firewall rules.
• Implement an antivirus program and a formalized patch management process.
• Implement filters at the email gateway, and block suspicious IP addresses at the firewall.
• Adhere to the principle of least privilege.
• Implement a Domain-Based Message Authentication, Reporting & Conformance validation system.
• Segment and segregate networks and functions.
• Limit unnecessary lateral communications.
• Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
• Enforce multi-factor authentication.
• Exercise caution when opening email attachments, even if the attachment is expected and the sender appears to be known. See Using Caution with Email Attachments.
• Enable a firewall on agency workstations, configured to deny unsolicited connection requests.
• Disable unnecessary services on agency workstations and servers.
• Scan for and remove suspicious email attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
• Monitor users' web browsing habits; restrict access to suspicious or risky sites.
• Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs).
• Scan all software downloaded from the internet prior to executing.
• Maintain situational awareness of the latest threats and implement appropriate access control lists.
• Visit the MITRE ATT&CK Techniques pages (linked in table 1 above) for additional mitigation and detection strategies.
• See CISA’s Alert on Technical Approaches to Uncovering and Remediating Malicious Activity for more information on addressing potential incidents and applying best practice incident response procedures.
• See the joint CISA and MS-ISAC Ransomware Guide on how to be proactive and prevent ransomware attacks from happening and for a detailed approach on how to respond to an attack and best resolve the cyber incident.

For additional information on malware incident prevention and handling, see the National Institute of Standards and Technology Special Publication 800-83, Guide to Malware Incident Prevention and Handling for Desktops and Laptops.