Advisories

Windows computers, networks and servers.

CERT NZ has seen an increase in Emotet activity in New Zealand, spreading via email. The emails contain malicious attachments or links that the receiver is encouraged to download. These links and attachments may look like genuine invoices, financial documents, shipping information, resumes, scanned documents, or information on COVID-19, but they are fake.

Emotet is designed to steal login credentials for email accounts configured on infected systems. The compromised credentials are subsequently passed to spam bots which send out large numbers of spam emails to further spread the malware. Or, they may steal information that’s in your mailbox, and use it to send emails from somewhere else. For example, they may use the content of an existing email conversation as a pretext to make the email look legitimate.

Emotet is also used to install other malware such as Trickbot and QBot onto a system. These may be used to provide access to attackers who carry out network compromise and data exfiltration, and often install ransomware such as Ryuk, Maze, Conti, or ProLock throughout a network.

Anyone can be targeted by Emotet, including individuals and businesses.

You may receive emails from people in your contact list advising that they’ve received phishing emails from you containing malware. As malware continues to evolve, anti-virus software does not always detect infections. The following sources provide information which may help you identify infected computers in your environment:

• Japan CERT publishes a tool that you can use to check for emotet infection on a computer:
  https://github.com/JPCERTCC/EmoCheck External Link

• Check your egress network logs (http proxy, DNS logs) for any connection to known Emotet Command and Control (C2) hosts. A provider of lists of known malware C2 is Feodo Tracker: https://feodotracker.abuse.ch/browse/ External Link
• Urlhaus link as a feed of URLs associated with emotet:
  https://urlhaus.abuse.ch/browse/tag/emotet/ External Link
• Cryptolaemus group provides up to date information about Emotet including IOC here: https://paste.cryptolaemus.com/ External Link

As Emotet is spread via documents with malicious macros, it is important that you take the following measures:

• Disable macros within MS Office. Only enable macros that are digitally signed or from trusted locations
  https://www.cert.govt.nz/it-specialists/critical-controls/secure-defaults-for-macros/

• Ensure your anti-virus software on your endpoint device is active and up to date
• Restrict PowerShell to only executing signed scripts
• Apply the principles of least privilege
  https://www.cert.govt.nz/it-specialists/critical-controls/principle-of-least-privilege/
• Use of mail and web filters to block known Emotet documents and C2
• Application whitelisting
  https://www.cert.govt.nz/it-specialists/critical-controls/application-whitelisting/

If your system has been affected by the Emotet malware, we recommend that you:

• Isolate the infected computer as soon as possible
• Check for any other infected computers in your environment
• Re-image and patch the computer(s)
• Change all credentials, especially local admin and domain admin passwords
• Notify everyone in your contact list and advise them not to open any attachments in emails that appear to have come from you
• Review your mail and web filtering solutions
• Review your antivirus solution
• Enable PowerShell command logging to let you detect infected computers
• Maintain an offline backup of your systems.
  https://www.cert.govt.nz/it-specialists/critical-controls/implement-and-test-backups/
• Network segregation
  https://www.cert.govt.nz/it-specialists/critical-controls/network-segmentation-and-separation/