Getty Images

DHS CISA Alerts to Spike in Emotet Malware Cyberattacks

Days after Proofpoint discovered the destructive malware had reemerged targeting the pharma sector, DHS CISA sent an alert to warn businesses of a spike in targeted Emotet cyberattacks.

The Department of Homeland Security Cybersecurity and Infrastructure Security Agency is urging organizations across all sectors to be on guard and ensure cybersecurity best practices, after discovering a spike in targeted Emotet malware cyberattacks.

“Emotet is an advanced, modular banking trojan that primarily functions as a downloader or dropper of other banking trojans,” according to CISA. “Additionally, Emotet is a polymorphic banking Trojan that can evade typical signature-based detection.”

“It has several methods for maintaining persistence, including auto-start registry keys and services,” it continues. “It uses modular Dynamic Link Libraries (DLLs) to continuously evolve and update its capabilities…. [It’s also] Virtual Machine-aware and can generate false indicators if run in a virtual environment.”

In its current form, Emotet uses five known spreader modules: NetPass.exe, WebBrowserPassView, Mail PassView, Outlook scraper, and a credential enumerator.

The alert comes just days after Proofpoint researchers reported the notorious, destructive malware had reemerged after a long lull, targeting North American pharmaceutical companies and then increasing its attack surface.

Emotet is a modular botnet capable of downloading and installing a variety of malware variants, along with stealing data and sending malicious emails from its victims’ accounts. It can easily proliferate across networks through infected, connected devices to launch more cyberattacks.

Its hackers, known as TA542, have steadily improved the sophistication of its attack methods, often pairing the malware with other effective threats.

“Emotet primarily spreads via malicious email attachments and attempts to proliferate within a network by brute forcing user credentials and writing to shared drives,” CISA officials wrote. “If successful, an attacker could use an Emotet infection to obtain sensitive information.”

“Such an attack could result in proprietary information and financial loss as well as disruption to operations and harm to reputation,” they added.

Organizations are being urged to shore up their security defenses to defend against Emotet. Administrators should block email attachments commonly associated with malware or that can’t be scanned by antivirus software.

Further, organizations should implement group policy object and firewall rules, as well as an antivirus program. A formalized patch management process is also recommended, in addition to segmenting and segregating networks and functions.

Filters should be applied at the email gateway and suspicious IP addresses blocked at the firewall. CISA also recommends adhering to a principle of least privilege, while implementing a Domain-Based Message Authentication, Reporting and Conformance (D-MARC) validation system.

Lastly, administrators should be sure to limit unnecessary lateral communication.

Next Steps

Dig Deeper on Cybersecurity strategies