Advisory 9

TLP Rating: White

Emotet Malware Campaign

CERT Vanuatu (CERTVU) and the Office of the Chief Information Officer (OGCIO) provide the following advisory. We acknowledge the Australian Cyber Security Centre (ACSC), which alerted us to this threat.

Overview

This is to advise all Government institutions, financial institutions and private sector users of malicious emails designed to spread a malware called Emotet across a variety of Government, financial and private sector organisations within Vanuatu.

Emotet provides an attacker with a foothold in a network from which additional attacks can be performed, often leading to further compromise through the deployment of ransomware.

Details

Emotet is most commonly spread via malicious emails containing Microsoft Office attachments, usually Microsoft Word (.doc, .docx) documents. There have also been reports of PDF attachments containing Emotet. 

These attached files contain macros that download and install the Emotet malware when opened. Emotet can also be spread via embedded URLs in malicious emails. CERT Vanuatu has received reports of Emotet being spread through both untargeted bulk spam emails, as well as what appears to be highly targeted spear-phishing emails.

Upon infection of a machine, Emotet attempts to spread within a network by brute-forcing user credentials and writing to shared drives. Emotet often downloads a secondary malware called Trickbot onto infected machines.

Trickbot is a modular multi-purpose Command and Control (C2) tool that allows an attacker to harvest emails and credentials, move laterally within a network using exploits like EternalBlue, and deploy additional malware to the infected network.

Mitigation Process

CERT Vanuatu recommends implementing the Essential mitigations below to reduce threats to ICT systems. Specifically, to combat the threat of Emotet to ICT systems, agencies should implement the following mitigations.

Configure Microsoft Office macro settings

In most cases, Emotet’s initial infection of a network was via an embedded macro in a Microsoft Office or PDF document. Implementing this security control will assist in reducing the likelihood of initial access via this method.

CERT Vanuatu recommends that organisations review the use of macros within their environments, following the guidance in Microsoft Office Macro Security. Where possible, CERTVU recommends blocking macros in files from the internet and only allowing macros to execute from Trusted Locations where write access is limited to personnel whose role is to vet and approve macros.
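As an added example (not part of this advisory), the following PowerShell audit reports whether the Office policy that blocks macros in files from the internet and the macro warning policy are applied for Word, Excel and PowerPoint on a Windows host, and lists any policy-defined Trusted Locations so their write permissions can be reviewed. It assumes Office 2016/2019/365 (registry version key 16.0) and that policies are deployed under the HKCU or HKLM Policies hive.

```powershell
# Added example: audit Office macro policy on this host (assumes Office version key 16.0).
# blockcontentexecutionfrominternet = 1  -> macros in internet-sourced files are blocked
# VBAWarnings: 1 = enable all, 2 = disable with notification,
#              3 = disable all except digitally signed, 4 = disable all without notification
$apps  = 'Word', 'Excel', 'PowerPoint'
$hives = 'HKCU:', 'HKLM:'

$results = foreach ($app in $apps) {
    $row = [PSCustomObject]@{
        Application         = $app
        Hive                = 'none'
        BlockInternetMacros = $null
        VBAWarnings         = $null
        TrustedLocations    = @()
        Compliant           = $false
    }
    foreach ($hive in $hives) {
        $key = "$hive\Software\Policies\Microsoft\Office\16.0\$app\Security"
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        $row.Hive                = $hive
        $row.BlockInternetMacros = $props.blockcontentexecutionfrominternet
        $row.VBAWarnings         = $props.VBAWarnings
        # Policy-defined Trusted Locations live in Location0, Location1, ... subkeys with a Path value
        $tlKey = Join-Path $key 'Trusted Locations'
        if (Test-Path $tlKey) {
            $row.TrustedLocations = @(Get-ChildItem $tlKey |
                ForEach-Object { (Get-ItemProperty $_.PSPath).Path } |
                Where-Object { $_ })
        }
        break
    }
    # Compliant when internet macros are blocked and macros are disabled or signed-only
    $row.Compliant = ($row.BlockInternetMacros -eq 1) -and ($row.VBAWarnings -in 3, 4)
    $row
}

$results | Format-Table Application, Hive, BlockInternetMacros, VBAWarnings, Compliant -AutoSize
# Review each Trusted Location so that only vetting staff can write to it
$results | Where-Object { $_.TrustedLocations.Count -gt 0 } |
    ForEach-Object { "$($_.Application): $($_.TrustedLocations -join ', ')" }
```

Run it per user as well as on a machine-policy host, since user-deployed and machine-deployed policies are stored in different hives.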

Patch Operating Systems

Emotet commonly deploys Trickbot which has been observed using EternalBlue to move laterally from the initial access point within a network to other hosts.

Maintaining a regular patch process and applying patches to products restricts the availability of exploits that Emotet can use to move laterally within a network, limiting the number of hosts impacted by a successful infection.

Daily backups

CERT Vanuatu recommends maintaining isolated offline backups of your network to allow recovery in the event of widespread Emotet infection, or the deployment of ransomware.

Implement additional security controls

CERT Vanuatu publishes a comprehensive list of Strategies to Mitigate Cyber Security Incidents. To specifically combat the threat of Emotet to ICT systems, agencies should implement the following mitigations.

Email Content scanning

Emotet is most commonly spread via emails containing malicious attachments. Email content filters and dynamic email analysis sandboxing capabilities could be put in place to prevent malicious content from reaching users and reduce the likelihood of compromise. To complement this, antivirus software using heuristics and reputation ratings should also be installed to identify and block malicious attachments that do reach end users.

Network Segmentation

Emotet and Trickbot have techniques that can be used to move laterally within an organisation's network. Organisations should partition networks into smaller sections in order to separate and segregate communications between specific hosts and services. Appropriate segmentation and segregation will limit the extent of impact that a successful Emotet infection has on a network.

Update security appliances and scan for malicious indicators

Apply the latest Indicators of Compromise (IOCs) to your organisation's gateways and firewalls for both inbound and outbound traffic. If possible, also add and scan for these indicators on systems across the organisation using antivirus or host-based security tools.

Incident Reporting

If you have questions about this advice or have indications that your environment has been compromised, contact CERT Vanuatu by email or by calling 33380.