The Australian Cyber Security Centre (ACSC) has issued a high alert warning for a new wave of Emotet malware campaigns specifically targeting Australia’s critical infrastructure and other government agencies. Back in 2019, the ACSC had issued a similar red alert for the Emotet malware campaign, but over the course of the pandemic the number of attacks remained below alert levels. However, the ACSC noted that Emotet campaigns are further used to deploy ransomware attacks and network compromises, so even a small spike in its attack numbers at this moment cannot be afforded.
Emotet malware is generally spread through malicious emails (phishing/spear-phishing attacks) containing either MS-Office or PDF file attachments. These attachments contain macros or malicious links which, when enabled or clicked, download the Emotet malware.
In its latest campaign targeting Australian services, Emotet operators appear to be using email thread hijacking to spread. The ACSC says, “This technique involves the malware stealing an infected victim’s email contacts and recent email threads and exfiltrating this information to an actor-controlled Command and Control (C2) server. The actor then sends further phishing emails containing a malicious Emotet attachment, leveraging existing email threads with uninfected contacts, and spoofing the infected victim’s email address.”
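The thread-hijacking pattern the ACSC describes leaves a recognisable footprint at the mail gateway: a message that looks like a reply from a known contact, yet fails sender authentication (because the operator spoofs the victim’s address from infrastructure that cannot sign for it) and carries a macro-capable Office attachment. The following triage routine, an added example written for this article and not part of the ACSC advisory or any vendor product, scores an inbound message on those three indicators. The sample messages, the contact list and the `Authentication-Results` header values are all constructed for the demonstration; the header format follows RFC 8601.

```python
"""Triage inbound mail for the thread-hijack phishing pattern described above.

Three indicators are checked:
  1. the message is a reply and claims to come from a known contact,
  2. DMARC evaluation on the gateway did not pass (spoofed sender),
  3. a macro-capable Office document (or archive) is attached.
All three together is treated as a likely thread hijack.
"""
import email
import email.utils
import re
from email import policy
from email.message import EmailMessage

# File types that can carry VBA macros, plus archives commonly used to wrap them.
MACRO_CAPABLE = {".doc", ".docm", ".dot", ".xls", ".xlsm", ".xlam", ".pptm", ".zip"}


def parse_auth_results(header):
    """Extract spf/dkim/dmarc verdicts from an Authentication-Results header."""
    results = {}
    for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header or "", re.IGNORECASE):
        results[m.group(1).lower()] = m.group(2).lower()
    return results


def triage(raw_message, known_contacts):
    """Return the indicators found and an overall verdict for one raw message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    from_addr = email.utils.parseaddr(str(msg["From"] or ""))[1].lower()
    subject = str(msg["Subject"] or "")
    is_reply = msg["In-Reply-To"] is not None or subject.lower().startswith("re:")
    auth = parse_auth_results(str(msg["Authentication-Results"] or ""))
    attachments = [
        (part.get_filename() or "").lower() for part in msg.iter_attachments()
    ]
    macro_files = [f for f in attachments if any(f.endswith(e) for e in MACRO_CAPABLE)]

    indicators = []
    if is_reply and from_addr in known_contacts:
        indicators.append("reply-from-known-contact")
    if auth.get("dmarc") != "pass":
        indicators.append("sender-auth-failed")
    if macro_files:
        indicators.append("macro-capable-attachment")

    if len(indicators) == 3:
        verdict = "likely-thread-hijack"
    elif len(indicators) == 2:
        verdict = "suspicious"
    else:
        verdict = "ok"
    return {"from": from_addr, "indicators": indicators,
            "attachments": macro_files, "verdict": verdict}


def build_sample(from_addr, subject, auth_results, attachment=None, in_reply_to=None):
    """Construct a sample message (test data only, not a real capture)."""
    m = EmailMessage()
    m["From"] = from_addr
    m["To"] = "finance@victim.example"
    m["Subject"] = subject
    m["Authentication-Results"] = auth_results
    if in_reply_to:
        m["In-Reply-To"] = in_reply_to
    m.set_content("Please see the attached document for the details we discussed.")
    if attachment:
        m.add_attachment(b"\xd0\xcf\x11\xe0 constructed sample, not a real document",
                         maintype="application", subtype="octet-stream",
                         filename=attachment)
    return m.as_bytes()


# Constructed address book for the demonstration.
KNOWN_CONTACTS = {"alice@partner.example", "bob@supplier.example"}

# Spoofed reply: known contact, authentication failed, macro-capable attachment.
HIJACKED = build_sample(
    "Alice Jones <alice@partner.example>", "RE: Q3 invoice",
    "mx.victim.example; spf=fail smtp.mailfrom=relay.attacker.example; "
    "dkim=none; dmarc=fail header.from=partner.example",
    attachment="Invoice_1092.doc", in_reply_to="<orig-1092@partner.example>")

# Legitimate reply: known contact, DMARC pass, no attachment.
BENIGN = build_sample(
    "Bob Lee <bob@supplier.example>", "RE: delivery schedule",
    "mx.victim.example; spf=pass smtp.mailfrom=supplier.example; "
    "dkim=pass header.d=supplier.example; dmarc=pass header.from=supplier.example",
    in_reply_to="<orig-77@supplier.example>")

if __name__ == "__main__":
    for sample in (HIJACKED, BENIGN):
        print(triage(sample, KNOWN_CONTACTS))
```

The DMARC verdict is taken from the gateway’s own `Authentication-Results` header rather than re-evaluated here, so the check is only as trustworthy as the gateway that wrote it; strip any such header arriving from outside before relying on it.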
On successful compromise, Emotet tries to move laterally by brute-forcing user credentials and by manipulating shared drives on the network. Additionally, Emotet is known to drop secondary payloads such as the TrickBot malware/botnet. TrickBot allows an attacker to further harvest emails and credentials and save them to another C2 server. It then moves laterally within the network, using exploits to compromise other systems on the infected network.
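Credential brute-forcing against network shares shows up in Windows security logs as a burst of failed network logons (event 4625, logon type 3) from one source host, sometimes followed by a success (event 4624) from the same source. The detector below, an added example for this article rather than anything from the ACSC or Microsoft, runs a sliding window over a simplified, constructed line format that mirrors those fields; the host names, addresses and timestamps are invented for the demonstration and the thresholds are assumptions to be tuned per environment.

```python
"""Flag brute-force style lateral movement from Windows logon events.

Input lines use a constructed flat format (one event per line):
  <ISO-8601 UTC> host=<target> EventID=<4624|4625> TargetUser=<u> Source=<ip> LogonType=<n>
Two alert types are produced:
  brute-force-burst   : >= THRESHOLD failed network logons from one source
                        against one host inside WINDOW
  success-after-burst : a successful network logon from that source to that
                        host after a burst was seen
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) EventID=(?P<eid>\d+) "
    r"TargetUser=(?P<user>\S+) Source=(?P<src>\S+) LogonType=(?P<lt>\d+)$"
)
WINDOW = timedelta(minutes=5)   # assumed analysis window
THRESHOLD = 10                  # assumed failures per window before alerting


def parse_event(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["eid"] = int(ev["eid"])
    ev["lt"] = int(ev["lt"])
    return ev


def detect_bruteforce(lines, window=WINDOW, threshold=threshold if False else THRESHOLD):
    alerts = []
    failures = defaultdict(deque)   # (source, host) -> recent failure timestamps
    burst_seen = set()              # (source, host) pairs already alerted on
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["lt"] != 3:      # only network logons (SMB, RPC)
            continue
        key = (ev["src"], ev["host"])
        if ev["eid"] == 4625:
            q = failures[key]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # drop failures outside window
                q.popleft()
            if len(q) >= threshold and key not in burst_seen:
                burst_seen.add(key)
                alerts.append({"type": "brute-force-burst", "source": ev["src"],
                               "host": ev["host"], "failures": len(q),
                               "at": ev["ts"].isoformat()})
        elif ev["eid"] == 4624 and key in burst_seen:
            alerts.append({"type": "success-after-burst", "source": ev["src"],
                           "host": ev["host"], "user": ev["user"],
                           "at": ev["ts"].isoformat()})
    return alerts


def sample_lines():
    """Constructed log sample: 12 rapid failures then a success, plus noise."""
    base = datetime(2020, 10, 14, 9, 12, 0)
    lines = ["2020-10-14T09:11:40Z host=WS-03 EventID=4625 TargetUser=mlee Source=10.0.5.9 LogonType=3",
             "2020-10-14T09:11:55Z host=WS-07 EventID=4625 TargetUser=admin Source=10.0.2.15 LogonType=2"]
    for i in range(12):
        ts = (base + timedelta(seconds=10 * i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts} host=WS-07 EventID=4625 TargetUser=jsmith Source=10.0.2.15 LogonType=3")
    lines.append("2020-10-14T09:14:30Z host=WS-07 EventID=4624 TargetUser=jsmith Source=10.0.2.15 LogonType=3")
    lines.append("2020-10-14T09:15:00Z host=WS-03 EventID=4625 TargetUser=mlee Source=10.0.5.9 LogonType=3")
    return lines


if __name__ == "__main__":
    for alert in detect_bruteforce(sample_lines()):
        print(alert)
```

The interactive (type 2) failure against WS-07 and the two slow failures against WS-03 are ignored, so only the 10.0.2.15 → WS-07 burst and the success that follows it are reported; keying on the source/target pair rather than the account is what makes a host working through many shares stand out.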
ACSC’s researchers stated, “Emotet download domains are extremely fast-cycling, and it is impossible to maintain an accurate, up-to-date list of indicators of compromise. While domain and IP address blocking may be effective temporarily, this is unlikely to provide long term protection.”
As a long-term precautionary measure, ACSC gave the following recommendations:
- Harden macro settings on all workstations using MS-Office.
- Apply the latest patches to the operating system.
- Perform a scheduled daily backup of at least critical data, if not all of it.
- Use an email scanning solution for added security, in addition to appropriate staff training.
- Use network segmentation to limit spread in case of compromise.
- Immediately alert the ACSC and/or other required agencies in case of an attack.
Microsoft Downs TrickBot Operations
As said earlier, Emotet is known to drop secondary payloads such as the TrickBot botnet, and the latest data analyzed by Microsoft – through its MS Office 365 Advanced Threat Detection – suggested that TrickBot had been the most prolific malware operation using COVID-19 themed phishing emails. Owing to these high numbers, Microsoft, along with a group of other tech companies including Lumen’s Black Lotus Labs, ESET, the Financial Services Information Sharing and Analysis Center (FS-ISAC), NTT, and Broadcom’s Symantec, has collectively taken the fight to the threat actors by trying to shut them off at the backend.
That’s right! Following approval from the U.S. District Court for the Eastern District of Virginia, the said companies analyzed over 186,000 TrickBot samples to track down the malware’s C2 servers and their corresponding IP addresses, along with other TTPs applied to evade detection. They have, for the moment, disabled these IPs, rendering the C2 servers inaccessible and therefore shutting the operators out from accessing the exfiltrated data.