
Advisory 2020-017: Resumption of Emotet malware campaign

The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) has observed the resumption of an ongoing and widespread campaign of malicious emails designed to spread the Emotet malware across a variety of sectors in the Australian economy, including critical infrastructure providers and government agencies.

Overview

In 2019, the ACSC issued Advisory 2019-131a: Emotet malware campaign recommended actions regarding the ongoing threat posed by the Emotet malware.

Emotet is malware that provides an attacker with a foothold in a network from which additional attacks of greater consequence can be performed, often leading to further network compromise and disruption via ransomware.

Details

Emotet is most commonly spread via malicious emails containing attached Microsoft Office files, most often Microsoft Word documents (.doc, .docx); however, Microsoft Excel documents (.xls, .xlsx) and PDF attachments (.pdf) are also common.

These attached files contain macros that download and install the Emotet malware when opened. Emotet can also be spread via embedded URLs in malicious emails. The ACSC has received reports of Emotet being spread through both untargeted bulk spam emails, as well as what appears to be targeted spear-phishing emails.

The ACSC has observed a recent increase in the Emotet malware using email thread ‘hijacking’ to spread itself. This technique involves the malware stealing an infected victim’s email contacts and recent email threads and exfiltrating this information to an actor-controlled Command and Control (C2) server. The actor then sends further phishing emails containing a malicious Emotet attachment, leveraging existing email threads with uninfected contacts, and spoofing the infected victim’s email address.

Upon infection of a machine, Emotet is known to spread within a network by brute forcing user credentials, and writing to shared drives. Emotet often downloads secondary malware onto infected machines to achieve this, most frequently Trickbot.
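The credential brute forcing described above leaves a recognisable trace in Windows Security logs: one workstation generating failed logons (event ID 4625) against many different accounts in a short window. The following is an added example, not code from the advisory, showing one way to flag that pattern. The log lines are constructed samples reduced to four fields (timestamp, event ID, target account, source workstation); the threshold and window are assumptions to tune per environment.

```python
"""Detect a single host failing logons against many accounts in a short window,
the pattern left by Emotet/Trickbot credential brute forcing. Added example;
the event data below is constructed, not from a real log."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, simplified to: ISO timestamp, EventID, TargetUserName, WorkstationName
SAMPLE_EVENTS = """\
2020-10-05T09:00:01,4625,jsmith,WS-FINANCE-03
2020-10-05T09:00:02,4625,kjones,WS-FINANCE-03
2020-10-05T09:00:03,4625,pwong,WS-FINANCE-03
2020-10-05T09:00:04,4625,svc_backup,WS-FINANCE-03
2020-10-05T09:00:05,4625,administrator,WS-FINANCE-03
2020-10-05T09:00:06,4625,rpatel,WS-FINANCE-03
2020-10-05T09:00:07,4624,rpatel,WS-FINANCE-03
2020-10-05T09:10:00,4625,amiller,WS-HR-01
2020-10-05T09:30:00,4625,amiller,WS-HR-01
"""

# Assumed tuning values: at least this many distinct accounts within the window
THRESHOLD_ACCOUNTS = 5
WINDOW = timedelta(minutes=2)


def parse_events(text):
    """Parse the simplified CSV lines into (timestamp, event_id, user, host) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, eid, user, host = line.split(",")
        events.append((datetime.fromisoformat(ts), int(eid), user, host))
    return events


def find_bruteforce_sources(events, threshold=THRESHOLD_ACCOUNTS, window=WINDOW):
    """Return {host: set(accounts)} for hosts whose failed logons (4625) touch at
    least `threshold` distinct accounts inside any sliding `window`."""
    failures_by_host = defaultdict(list)
    for ts, eid, user, host in events:
        if eid == 4625:  # failed logon only; successes are ignored here
            failures_by_host[host].append((ts, user))

    flagged = {}
    for host, failures in failures_by_host.items():
        failures.sort()
        start = 0
        for end in range(len(failures)):
            # advance the window start until the span fits inside `window`
            while failures[end][0] - failures[start][0] > window:
                start += 1
            accounts = {user for _, user in failures[start:end + 1]}
            if len(accounts) >= threshold:
                flagged[host] = flagged.get(host, set()) | accounts
    return flagged


if __name__ == "__main__":
    for host, accounts in find_bruteforce_sources(parse_events(SAMPLE_EVENTS)).items():
        print(f"{host}: {len(accounts)} accounts targeted: {sorted(accounts)}")
```

The two isolated failures from WS-HR-01 (one user, twenty minutes apart) are not flagged, while WS-FINANCE-03 is. In practice the same logic runs over 4625 events pulled from a SIEM, and the source field would be the workstation name or IP address carried in the event.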

Trickbot is a modular multi-purpose Command and Control (C2) tool that allows an attacker to harvest emails and credentials, move laterally within a network using exploits like EternalBlue, and deploy additional malware to the infected network.

The ACSC is aware of a number of Emotet/Trickbot infections leading to ransomware attacks, including an attack on the Victorian Health sector in 2019 using the Ryuk ransomware variant.

Attacks against Australian businesses and organisations are ongoing and pose a significant risk to Australian entities.

Recommendations

Emotet download domains are extremely fast-cycling, and it is impossible to maintain an accurate, up-to-date list of indicators of compromise. While domain and IP address blocking may be effective temporarily, this is unlikely to provide long term protection.

The ACSC recommends organisations consider the following actions:

Implement Essential Eight security controls

The ACSC recommends the implementation of the ASD Essential Eight mitigations to mitigate threats to ICT systems. Specifically, to combat the threat of Emotet to ICT systems, agencies should implement the following mitigations:

Configure Microsoft Office macro settings

In most cases, Emotet’s initial infection of a network occurs through an embedded macro in a PDF or Microsoft Office document. Implementing this security control will greatly assist in reducing the likelihood of initial access via this method.

Emotet is known to use Windows PowerShell within Microsoft Office macros. Hardening workstations to limit PowerShell access when not required will help to protect yourself from common Emotet documents.

The ACSC recommends organisations review the use of macros within their environments, in line with guidance provided in Microsoft Office Macro Security. Where possible, the ACSC recommends blocking macros from the internet and only allowing macros to execute from Trusted Locations where write access is limited to personnel whose role is to vet and approve macros.

Patch operating systems

Emotet commonly deploys secondary malware such as Trickbot, which has been observed using the EternalBlue exploit to move laterally from the initial access point within a network to other hosts.

Maintaining a regular patch process (as detailed in the ACSC’s Assessing Security Vulnerabilities and Applying Patches product) restricts the availability of exploits that Emotet can use to move laterally within a network, limiting the number of hosts impacted by a successful infection.

Daily backups

The ACSC recommends maintaining isolated offline backups of networks to allow recovery in the event of widespread Emotet infection, or the deployment of ransomware.

Implement additional security controls

The ACSC publishes a comprehensive list of Strategies to Mitigate Cyber Security Incidents. To specifically combat the threat of Emotet to ICT systems, agencies should implement the following mitigations.

Email content scanning

Emotet is most commonly spread via emails containing malicious attachments. Email content filters and dynamic email analysis sandboxing capabilities could be put in place to prevent malicious content from reaching users and reduce the likelihood of compromise. To complement this, antivirus software using heuristics and reputation ratings should also be installed to identify and prevent malicious attachments that do make it to end users.
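A content filter does not need to detonate an attachment to catch the most common Emotet lure: an Office document carrying a VBA project. The following is an added example, not part of the advisory, of a minimal gateway-side check that inspects each attachment's bytes rather than trusting its extension. OOXML files (.docx, .xlsx, .docm, .xlsm) are zip containers, so an embedded `vbaProject.bin` part reveals macros directly; legacy binary .doc/.xls files are OLE compound files, which this example treats as suspicious outright rather than parsing them. The sample message and documents are constructed in code.

```python
"""Flag Office attachments that carry VBA macros. Added example; the message
and documents below are constructed for demonstration."""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Magic bytes of an OLE2 compound file (legacy .doc/.xls)
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
# Zip parts that only appear when an OOXML document contains VBA
VBA_PART_SUFFIXES = ("vbaProject.bin", "vbaData.xml")


def classify_attachment(data: bytes) -> str:
    """Return 'macro', 'ole', 'clean' or 'unknown' based on content, not filename."""
    if data.startswith(OLE_MAGIC):
        # Legacy binary Office file: macro presence needs a full OLE parse,
        # so treat it as suspicious by policy (the .doc/.xls vector above).
        return "ole"
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "unknown"
        if any(n.endswith(VBA_PART_SUFFIXES) for n in names):
            return "macro"
        return "clean"
    return "unknown"


def scan_message(raw: bytes):
    """Return [(filename, verdict), ...] for every attachment in a raw message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        findings.append((name, classify_attachment(payload)))
    return findings


def should_quarantine(findings) -> bool:
    """Quarantine if any attachment is macro-bearing or a legacy OLE document."""
    return any(verdict in ("macro", "ole") for _, verdict in findings)


def build_docx(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-shaped zip for testing (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def build_sample_message(attachments) -> bytes:
    """Construct a raw message with the given (filename, bytes) attachments."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"
    msg["To"] = "you@example.org"
    msg["Subject"] = "RE: invoice"
    msg.set_content("Please see attached.")
    for name, data in attachments:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    raw = build_sample_message([
        ("invoice.docx", build_docx(with_macro=True)),   # .docx name hiding VBA
        ("notes.docx", build_docx(with_macro=False)),
        ("old.doc", OLE_MAGIC + b"\x00" * 8),
    ])
    findings = scan_message(raw)
    print(findings, "quarantine" if should_quarantine(findings) else "deliver")
```

The first attachment is the case worth noting: a file named `.docx` (which Office treats as macro-free) that nonetheless contains a VBA project. Checking the container rather than the extension catches it, and pairs naturally with the sandboxing and reputation-based scanning the advisory recommends.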

Network segmentation

Emotet and Trickbot have techniques that can be used to move laterally within an organisation's network. Organisations should partition networks into smaller sections in order to separate and segregate communications between specific hosts and services. Appropriate segmentation and segregation will limit the extent to which a successful Emotet infection may impact a network.

More details on considerations and techniques to perform network segmentation and segregation can be found in the ACSC’s Implementing Network Segmentation and Segregation product.

Develop a plan

The ACSC has published tips to proactively protect yourself from ransomware. Create a response plan to allow your organisation to respond in the event of an Emotet or ransomware infection. Most importantly, affected machines/networks should be immediately quarantined and disconnected from the internet.

Alert and educate staff

Consider sending out an organisation-wide alert to raise awareness of the dangers associated with opening attachments on unusual emails. Consider implementing an education program to improve staff awareness of cyber security, including how to spot suspicious emails. For more details on how to implement a successful staff awareness program, see the ACSC’s improving staff awareness publication.

Incident Reporting

If you have questions about this advice or have indications that your environment has been compromised, contact the ACSC by emailing asd.assist@defence.gov.au or calling 1300 CYBER1 (1300 292 371).

Indicators of Compromise (IoCs)

Emotet download domains are extremely fast-cycling, and it is impossible to maintain an accurate, up-to-date list of indicators. While domain and IP address blocking may be effective temporarily, this is unlikely to provide long term protection, and the ACSC recommends implementing effective hardening measures as detailed above.