MS-ISAC Warning About Emotet Malware

Austin Wolfson
Jan 23, 2019 2:14:46 PM


In this blog we’ll be discussing the Emotet malware program, particularly the most recent and ongoing malspam campaign that uses Multi-State Information Sharing and Analysis Center (MS-ISAC) and State, Local, Tribal, and Territorial (SLTT) government branding.

 What is Emotet?

Before we go into Emotet, we should explain what malware actually is. Malware is software designed to cause damage to a host after it is implanted on a target, and it usually arrives as an executable or a script. Emotet was first identified in 2014 and is a member of the Feodo family of banking trojans. It is typically delivered through fake invoices or JavaScript (.JS) files; when one of these files is executed, Emotet infects the host. Once a host is infected, Emotet can intercept, log, and save the traffic the victim’s web browser sends out, and it can scrape data from the victim’s email. This exposure of sensitive data has often led to compromised bank accounts and stolen email data. Emotet is also polymorphic and virtual-machine-aware: it evades signature-based detection and can generate false indicators when run in a sandbox, which misleads investigators.

 Current Threat

A recent and ongoing Emotet malspam campaign has been identified that uses MS-ISAC and SLTT government branding and delivers its payload through emails carrying a fake invoice as a Word document attachment. The sender address is spoofed to look like an MS-ISAC or SLTT address but uses a domain ending in “.mx”. The body of the email claims that paperwork or an invoice is missing and instructs the user to open the attachment. When the document is opened, a macro runs that downloads Emotet. Emotet then spreads using five known spreader modules:

  • NetPass.exe
  • WebBrowserPassView
  • Mail PassView
  • Outlook scraper
  • credential enumerator

Once Emotet has a foothold, it propagates over SMB using harvested and brute-forced credentials, so a single infection frequently spreads to every computer in the domain, servers and clients alike.
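Because the campaign rides on a macro inside an “invoice” attachment, the first practical check is whether a suspicious Office file carries a VBA project at all, before anyone opens it. The following is an added example written for this post, not code from the original page or from US-CERT; it inspects the zip-based Office formats (.docx/.docm and their Excel and PowerPoint equivalents), flags the legacy OLE formats for manual review, and treats a macro project inside a non-macro extension as suspicious. The quarantine path in the usage line is assumed.

```powershell
# Added example, not from the original post: report whether an Office attachment
# carries a VBA macro project, so a suspicious "invoice" can be triaged before
# anyone double-clicks it. OOXML files are zip containers; a macro-enabled one
# stores its VBA project as vbaProject.bin under word/, xl/ or ppt/.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Test-OfficeMacro {
    param([Parameter(Mandatory)][string]$Path)

    $ext = [System.IO.Path]::GetExtension($Path).ToLowerInvariant()

    # Legacy binary (OLE) formats are not zip containers; hand them to olevba or similar.
    if ($ext -in '.doc', '.xls', '.ppt') {
        return [pscustomobject]@{
            File = $Path; HasMacro = 'unknown'
            Note = 'legacy OLE format; inspect with oletools/olevba'
        }
    }

    $zip = $null
    try {
        $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
        $vba = $zip.Entries | Where-Object { $_.FullName -match '^(word|xl|ppt)/vbaProject\.bin$' }
        $hasMacro = [bool]$vba

        # A macro project inside a .docx/.xlsx/.pptx means the extension does not
        # match the content; treat that mismatch as suspicious on its own.
        $note = ''
        if ($hasMacro -and $ext -in '.docx', '.xlsx', '.pptx') {
            $note = 'macro project inside a non-macro extension (content/extension mismatch)'
        } elseif ($hasMacro) {
            $note = 'macro-enabled document'
        }

        return [pscustomobject]@{ File = $Path; HasMacro = $hasMacro; Note = $note }
    } catch {
        # Not a zip container at all (e.g. a renamed executable or RTF): still worth a look.
        return [pscustomobject]@{
            File = $Path; HasMacro = 'unknown'
            Note = "not a zip container: $($_.Exception.Message)"
        }
    } finally {
        if ($zip) { $zip.Dispose() }
    }
}

# Usage (assumed quarantine folder): list every attachment with its macro status.
Get-ChildItem 'C:\Quarantine\*' -Include *.doc*, *.xls*, *.ppt* |
    ForEach-Object { Test-OfficeMacro -Path $_.FullName } |
    Format-Table -AutoSize
```

A true `HasMacro` is not proof of malice, since some legitimate business documents use macros, but in the context of an unexpected invoice from an unfamiliar domain it is the signal to hand the file to your security team rather than open it.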

 Recommendations to prevent an Emotet attack:

The following are preventive actions and best practices your organization can take to minimize the risk of infection. Please be aware that most of these recommendations are technical and require elevated privileges, so they are best shared with your internal IT team.

  • Use Group Policy to set a Windows Firewall rule to restrict inbound SMB communication between client systems.
  • Use antivirus programs on clients and servers, with automatic updates of signatures and software.
  • Disable all macros except those which are digitally signed.
  • Apply appropriate patches and updates immediately after appropriate testing.
  • Implement filters at the email gateway to filter out emails with known malspam indicators, such as known malicious subject lines, and block suspicious IP addresses at the firewall.
  • Consider implementing the Domain-based Message Authentication, Reporting & Conformance (DMARC) email protocol.
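To make the list above concrete, here is an added example (written for this post, not code from the original page or from US-CERT) that applies the client-side controls to a single domain-joined Windows workstation and then checks the antivirus and DMARC recommendations. In production you would push the same firewall rule and Office settings through Group Policy rather than running this on each host. The client subnets, Office version key (16.0 covers Office 2016/2019/365) and the mail domain example.com are assumptions; replace them with your own values.

```powershell
# Added example, not from the original post: local equivalents of the
# recommendations above for one Windows client, plus two verification checks.
# Run from an elevated prompt. Assumed values are marked; replace them.
#Requires -RunAsAdministrator

$ClientSubnets = @('10.10.0.0/16', '10.11.0.0/16')   # assumed client address space
$MailDomain    = 'example.com'                       # assumed mail domain

# 1. Restrict inbound SMB (TCP 445) between client systems. Windows Firewall
#    evaluates Block rules before Allow rules, so scope the block to the client
#    subnets only; file servers and domain controllers in other subnets still work.
New-NetFirewallRule -DisplayName 'Block inbound SMB from client subnets' `
    -Direction Inbound -Protocol TCP -LocalPort 445 -RemoteAddress $ClientSubnets `
    -Action Block -Profile Domain,Private -Enabled True | Out-Null

# 2. Office macro policy: disable all macros except digitally signed ones
#    (VBAWarnings = 3) and additionally block macros in files that carry the
#    Mark-of-the-Web, i.e. arrived by email or download.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"   # assumed Office 2016+ key
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'VBAWarnings' -PropertyType DWord -Value 3 -Force | Out-Null
    New-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -PropertyType DWord -Value 1 -Force | Out-Null
}

# 3. Antivirus: force a Microsoft Defender signature update and confirm the
#    engine is on and current (substitute your vendor's cmdlets if not Defender).
Update-MpSignature
Get-MpComputerStatus |
    Select-Object AntivirusEnabled, RealTimeProtectionEnabled, AntivirusSignatureLastUpdated

# 4. DMARC: confirm the domain publishes a policy. A missing _dmarc record or
#    p=none means receivers that honour DMARC will still deliver mail that
#    spoofs your domain, which is exactly what this campaign relies on.
$dmarc = Resolve-DnsName -Name "_dmarc.$MailDomain" -Type TXT -ErrorAction SilentlyContinue |
    Where-Object { $_.Strings -match '^v=DMARC1' }

if (-not $dmarc) {
    Write-Warning "No DMARC record for $MailDomain. Publish one, e.g.: v=DMARC1; p=reject; rua=mailto:dmarc@$MailDomain"
} elseif ($dmarc.Strings -match 'p=none') {
    Write-Warning "DMARC present for $MailDomain but p=none: monitoring only, spoofed mail is still delivered."
} else {
    Write-Output "DMARC policy for ${MailDomain}: $($dmarc.Strings)"
}
```

Start DMARC at `p=none` with reporting to learn which systems legitimately send as your domain, then move to `p=quarantine` and finally `p=reject`; only the last two actually stop look-alike senders from landing in inboxes.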

 Contact Us!

Compass IT Compliance has been conducting Security Awareness Training, Social Engineering and Phishing Assessments with clients since 2010, helping employees ready themselves for this level of cyber-attack. The best form of security is prevention, and that begins with preparing your work force to properly identify a threat when it appears! Are your employees prepared to combat malware attacks when they arise? Our team is committed to partnering with you to provide you with expert knowledge around your risks and steps you can take to mitigate those risks. If you have any questions or want to talk to one of our security professionals, contact us and we can get a call scheduled!

Sources:

https://www.us-cert.gov/ncas/alerts/TA18-201A

