New Zealand’s CERT (Computer Emergency Response Team) reported that it had seen a spike in Emotet activity targeting New Zealand organisations. Emotet first emerged in 2014. At the time, Emotet was designed to be a banking trojan: its goal was to infiltrate systems and steal sensitive information. More recently, Emotet versions have evolved to add more functionality, such as running spam campaigns and serving as a delivery tool for other malware. Emotet has reportedly spread other banking trojans and ransomware. Like other malware threats with long lifespans, Emotet is continually developing and uses a variety of methods to ensure infection, achieve persistence and evade detection.
The recent campaign in New Zealand employs a tried and true method to infiltrate systems. The cybercriminals are using malicious emails to infect their targets. Those emails contain malicious download links or malicious attachments. The attachments may pose as legitimate documents such as invoices, CVs, shipping data and others. In reality, they are macro-enabled documents, and when the macros run they contact Emotet’s command-and-control (C2) servers to download the payload.
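Since the campaign relies on attachments that look like ordinary documents but carry macros, a practical defensive check at the mail gateway is to look past the file name and inspect the container itself. The following is an added example (not code from NZ CERT or from the article) that classifies an attachment by its extension, its magic bytes and, for OOXML packages, whether a `vbaProject.bin` part is present. The file names and document bytes are constructed for the example; they are not real Emotet samples, and the extension lists are an assumption to adapt to your environment.

```python
import io
import os
import zipfile

# Extension sets are an assumption for this example; extend them for your environment.
MACRO_ENABLED_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}
OOXML_EXTENSIONS = {".docx", ".dotx", ".xlsx", ".xltx", ".pptx", ".potx"} | MACRO_ENABLED_EXTENSIONS
LEGACY_EXTENSIONS = {".doc", ".dot", ".xls", ".xlt", ".ppt", ".pot"}

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary Office (OLE2) container
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML packages are zip files


def ooxml_has_vba_project(data: bytes) -> bool:
    """True if a zip-based Office package carries a VBA project part."""
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def assess_attachment(filename: str, data: bytes) -> dict:
    """Classify one attachment; 'flag' is True when any reason applies."""
    ext = os.path.splitext(filename)[1].lower()
    reasons = []
    if ext in MACRO_ENABLED_EXTENSIONS:
        reasons.append("macro-enabled Office extension")
    if ooxml_has_vba_project(data):
        reasons.append("OOXML package contains vbaProject.bin")
    if data.startswith(OLE_MAGIC):
        # Legacy formats embed macros without a distinguishing extension,
        # so they need a dedicated macro inspection rather than a name check.
        reasons.append("legacy binary Office container; macros cannot be ruled out by extension")
    if ext in OOXML_EXTENSIONS and not data.startswith(ZIP_MAGIC):
        reasons.append("extension claims OOXML but content is not a zip package")
    if ext in LEGACY_EXTENSIONS and not data.startswith(OLE_MAGIC):
        reasons.append("extension claims legacy Office format but content is not an OLE container")
    return {"filename": filename, "flag": bool(reasons), "reasons": reasons}


def build_sample_ooxml(with_vba: bool) -> bytes:
    """Constructed minimal Word-like package for the example (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00" * 64)
    return buf.getvalue()


# Constructed attachments mimicking the lures named in the article.
SAMPLES = [
    ("Invoice_4471.docm", build_sample_ooxml(with_vba=True)),
    ("CV_JSmith.docx", build_sample_ooxml(with_vba=True)),   # macro part hidden behind .docx
    ("Shipping_manifest.docx", build_sample_ooxml(with_vba=False)),
    ("Quote_2020.doc", OLE_MAGIC + b"\x00" * 512),
    ("Notes.docx", b"This is not an Office package at all"),
]


def triage(samples=SAMPLES) -> list:
    """Return the file names that should be held for manual or sandbox review."""
    return [assess_attachment(name, data)["filename"]
            for name, data in samples if assess_attachment(name, data)["flag"]]


if __name__ == "__main__":
    for name, data in SAMPLES:
        result = assess_attachment(name, data)
        print(f"{name}: {'HOLD' if result['flag'] else 'pass'} {result['reasons']}")
```

Flagged items are held for review rather than blocked outright; a `vbaProject.bin` part inside a `.docx`, or a legacy `.doc` that is not actually an OLE container, is a strong signal but the final decision belongs with a macro analyser or sandbox.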
One of the functions of the current versions of Emotet is to steal login credentials for email accounts accessible on the infected machine. The end goal of this particular aspect of Emotet is to further spread the trojan. These credentials can either be used in future spam email campaigns or Emotet can use them to send malicious emails to the contacts in the compromised account.
Emotet can also install other threats. The list of malware Emotet can install is long and varies from campaign to campaign, but Emotet is known to have delivered Trickbot and QBot. In turn, cybercriminals can use Trickbot and QBot to gain access to a network and steal data or install ransomware. Conti, Maze, Ryuk and ProLock are just some of the ransomware threats that cybercriminals may use to infect a network.
NZ CERT warns that Emotet can target both individuals and organisations. Everyone should be on the lookout for suspicious activity. For security experts, that’s part of their job and they know full well what to do. However, individuals may not be fully aware of the symptoms. In the case of a trojan like Emotet, it’s very likely the victim will receive emails from their contacts saying that they have received phishing messages from the victim. Cyber security software can certainly help in many cases, and it’s a must for everyone these days.