Cyber Security Bulletin: Increased Threat from Emotet Malware Campaigns

Since July 2020 there has been an increase in malicious activity associated with Emotet malware campaigns. Emotet has been frequently observed working in tandem with Trickbot and Ryuk malware in a persistent attempt to compromise computer systems within Canada. These threats have been successfully used to attack many Canadian companies since 2019.

Emotet is an advanced botnet attached to email. Once a system is infected by Emotet, additional malware, including Trickbot and Ryuk may be implanted on the system resulting in data exfiltration or attempts to extort the victim.

Emotet malware can be spread through untargeted bulk spam emails (such as shipping notifications, or “past-due” invoices), as well as what appear to be targeted malicious emails (spear phishing). Targeted emails are particularly effective as they appear to come from a trusted source, often from someone with whom the email recipient has recently been in communication.

Furthermore, Emotet email campaigns have been observed to be leveraging both ‘thread hijacking’, a technique where malicious emails are inserted into existing email threads, and using password-protected zip files to avoid detection by network defenses. These techniques result in convincing messages that an unaware recipient may believe to be trustworthy and encouraged to download malware by opening an attachment (a macro-enabled Microsoft Word document or PDF) or clicking a malicious link.

SUGGESTED ACTIONS

• Scan all incoming and outgoing e-mails to detect threats and prevent executable files or macro enabled documents from reaching end users.
• Always exercise caution when receiving an unexpected email or email reply containing an attachment or URL, even when from a trusted source. If the email seems unusual, contact the sender to confirm the authenticity of the attachment.
• Avoid enabling macros within a document received via email.
• Use anti-virus protection and ensure that it is diligently kept up to date.
• Implement architectural controls for network segregation and protection.
• Perform daily backups of all critical systems, maintain offline and offsite copies of backup media and periodically test data restoration processes from backups, including key databases to ensure integrity of existing backups and processes.
• Ensure operating systems receive the latest patches.

Please reach out to us with your concerns or for more information on how to protect yourself or your business.