Alert 1/2020
Emotet is malware spread via email in the name of Finnish organisations. The objective of the malware attack is to steal information from organisations, infiltrate a targeted network and in some cases to launch a ransomware attack. The attack campaign has been active since August 17th 2020.
Target group of the alert
The Emotet malware is an infostealer. It steals emails, contact lists, passwords, payment information and other data on a computer system. A malicious email attachment can be a PDF document or an Office document that contains macros and infects a computer with malware. Emotet may also download other malware onto the computer, for example ransomware. Emotet instances can be modified from case to case and are not always identified by all anti-virus software.
Emotet does not spread independently from one workstation to another, but sends stolen information to a command-and-control server. The stolen information often contains emails, the contents of which the malware exploits for spreading. It spoofs a new email reply to an existing conversation so that the message appears credible. The fake message contains a malicious attachment. The title and contents of the message may have been copied from the genuine messages.
Possible solutions and restrictive measures
It is important to inform and educate your personnel about malicious attachments. You should instruct your personnel not to open suspicious attachments. In this case, messages with attachments may be highly credible. You should train your personnel to recognise fake sender information. Update the detection databases of your antivirus software and strengthen your organisation’s policy for delivering email attachments.
- Warn your personnel about the malware threat regarding email attachments. Office macro files in particular are exploited for malware (.doc, .docx, .xls, .xlsx).
- Try to categorically prevent running macros in Office products. You should not click the “Enable content” button in any attachment without thinking.
- Try to restrict running PowerShell commands on users’ workstations.
- Update the detection databases of your antivirus software and email filters.
- In case you suspect an infection, monitor your outgoing traffic (number, volume, destinations) for a possible data leak.
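The macro and PowerShell recommendations above can be enforced on a Windows workstation with the policy registry values that Office and PowerShell honour. The following script is an added example and not NCSC-FI tooling; it assumes Office 2016/2019/365 (policy key version "16.0"), an elevated session, and that in a domain the same values would be rolled out through Group Policy rather than set per machine. It disables all macros without notification, blocks macros in files carrying the Mark-of-the-Web (which covers email attachments), enables PowerShell script block logging so that any macro-spawned PowerShell leaves a trace, and finishes with an audit function that reports whether the policies are in place.

```powershell
# Added example (not NCSC-FI's own tooling): enforce and audit the Office macro
# policies that blunt Emotet's malicious-attachment delivery, and record
# PowerShell activity launched from a document.
# Assumptions: Office policy key version 16.0, elevated session.

$OfficeApps = @('Word', 'Excel', 'PowerPoint')
$OfficeVersion = '16.0'

function Get-OfficeSecurityKey {
    param([string]$App)
    "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
}

function Set-OfficeMacroHardening {
    # VBAWarnings 4 = "Disable all macros without notification": the
    # "Enable content" button is never offered to the user.
    # blockcontentexecutionfrominternet 1 = macros in files marked as
    # coming from the Internet (downloads, email attachments) are blocked.
    foreach ($app in $OfficeApps) {
        $key = Get-OfficeSecurityKey -App $app
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value 4 -Type DWord
        Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
    }
}

function Enable-PSScriptBlockLogging {
    # Writes the content of every executed script block to the
    # Microsoft-Windows-PowerShell/Operational log (event ID 4104), so a
    # PowerShell downloader started by a macro is searchable afterwards.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord
}

function Test-OfficeMacroHardening {
    # One row per application; $false in either column means the policy
    # is missing or weaker than required.
    foreach ($app in $OfficeApps) {
        $key = Get-OfficeSecurityKey -App $app
        $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
        [pscustomobject]@{
            App             = $app
            MacrosDisabled  = ($null -ne $props -and $props.VBAWarnings -eq 4)
            InternetBlocked = ($null -ne $props -and $props.blockcontentexecutionfrominternet -eq 1)
        }
    }
}

Set-OfficeMacroHardening
Enable-PSScriptBlockLogging
Test-OfficeMacroHardening | Format-Table -AutoSize
```

Registry policies only raise the bar for macros; actually preventing PowerShell from running for ordinary users is a job for an application control mechanism such as AppLocker or Windows Defender Application Control, with the logging above left on so that whatever does run is recorded.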
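For the last point, monitoring outgoing traffic for a possible data leak, the following added example (not NCSC-FI tooling) shows the shape of the check in PowerShell. The log lines are constructed for the example and their format (timestamp, source host, destination IP, bytes sent) stands in for whatever your firewall or proxy exports. Per workstation it totals bytes per destination and flags any destination that received many times the host's median per-destination volume, which is the "number, volume, destinations" pattern a sudden upload of harvested mailboxes produces.

```powershell
# Added example (not NCSC-FI's own tooling): flag workstations whose outbound
# volume to one external destination is far above their own baseline.
# The log below is constructed for this example.

$SampleLog = @'
2020-08-18T08:01:10 ws-012 198.51.100.7 1820
2020-08-18T08:05:42 ws-012 198.51.100.7 2210
2020-08-18T08:09:03 ws-012 203.0.113.9 1500
2020-08-18T08:12:55 ws-031 198.51.100.7 1900
2020-08-18T08:15:07 ws-031 198.51.100.7 2050
2020-08-18T08:20:31 ws-031 203.0.113.9 1700
2020-08-18T09:41:18 ws-012 203.0.113.9 48200000
2020-08-18T09:44:02 ws-012 203.0.113.9 51700000
'@

function ConvertFrom-EgressLog {
    # Parse "timestamp host destination bytes" lines; anything else is skipped.
    param([string]$Text)
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^\S+\s+(\S+)\s+(\S+)\s+(\d+)$') {
            [pscustomobject]@{
                Host  = $Matches[1]
                Dest  = $Matches[2]
                Bytes = [long]$Matches[3]
            }
        }
    }
}

function Find-EgressAnomalies {
    # For each host, compare every destination's total against the median of
    # that host's per-destination totals; a single destination receiving
    # $Multiplier times the normal volume is reported.
    param([object[]]$Events, [double]$Multiplier = 20)
    foreach ($hostGroup in ($Events | Group-Object Host)) {
        $perDest = @($hostGroup.Group | Group-Object Dest | ForEach-Object {
            [pscustomobject]@{
                Host  = $hostGroup.Name
                Dest  = $_.Name
                Flows = $_.Count
                Bytes = ($_.Group | Measure-Object Bytes -Sum).Sum
            }
        })
        $sorted = @($perDest | Sort-Object Bytes)
        $median = $sorted[[int][math]::Floor(($sorted.Count - 1) / 2)].Bytes
        foreach ($d in $perDest) {
            if ($d.Bytes -gt $median * $Multiplier) { $d }
        }
    }
}

$events = ConvertFrom-EgressLog -Text $SampleLog
# With the constructed log only ws-012 -> 203.0.113.9 (about 100 MB over 3 flows)
# is reported; ws-031's traffic stays within its own baseline.
Find-EgressAnomalies -Events $events | Format-Table -AutoSize
```

A median taken from the same window as the suspected leak is a crude baseline; in practice compute it from a longer, known-clean period and keep the per-host, per-destination grouping, since Emotet reports to a small set of command-and-control servers rather than spreading volume across many hosts.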
More Information
Identification information of Emotet is actively updated on the website of the Cryptolaemus team: https://paste.cryptolaemus.com/
On Twitter, the most recent information is available on the Cryptolaemus account.
REPORT EMOTET OBSERVATIONS
Contact the NCSC-FI if you observe the Emotet malware spreading or infections related to it. You can use the Report to us form or send an email to cert@traficom.fi.