America's Cybersecurity and Infrastructure Security Agency (CISA) issued a warning yesterday after observing an increase in the number of targeted cyber-attacks that utilize Emotet.
Emotet functions as a modular botnet that can steal data, send malicious emails, and act as a dropper, downloading and installing a wide range of malware onto a victim's computer. This sophisticated strain of malware was developed by threat group TA542.
CISA said: "Emotet primarily spreads via malicious email attachments and attempts to proliferate within a network by brute forcing user credentials and writing to shared drives. If successful, an attacker could use an Emotet infection to obtain sensitive information."
The agency warned that such an attack could result in the loss of money and of proprietary information as well as cause "disruption to operations and harm to reputation."
CISA advised users and system administrators to block email attachments such as .dll and .exe, which are commonly associated with malware, and to block any email attachments that cannot be scanned by antivirus software.
Further protection measures suggested by CISA are to implement firewalls, an antivirus program, and a formalized patch management process.
To stop a virus from running rampant around your network, CISA recommended segmenting and segregating networks and functions.
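The attachment controls CISA recommends above (block .dll and .exe attachments, and block anything an antivirus engine cannot inspect, such as a password-protected archive) are easy to prototype at the mail-gateway layer. The following Python is an added example written for this page, not code from CISA, Proofpoint or any gateway product; the message, attachment names and payload bytes are constructed for the demonstration, and the "encrypted" zip is simulated by setting the archive's encryption flag by hand because the standard library cannot write password-protected archives.

```python
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions the advisory singles out as commonly associated with malware.
BLOCKED_EXTENSIONS = {".exe", ".dll"}


def _ext(name):
    return os.path.splitext(name)[1].lower()


def unscannable_reasons(filename, payload):
    """Reasons an AV engine could not inspect this attachment (empty = scannable)."""
    reasons = []
    if _ext(filename) == ".zip":
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for info in zf.infolist():
                    if info.flag_bits & 0x1:  # general-purpose bit 0 = entry is encrypted
                        reasons.append(f"encrypted entry {info.filename}")
                    if _ext(info.filename) in BLOCKED_EXTENSIONS:
                        reasons.append(f"archive wraps blocked type {info.filename}")
        except zipfile.BadZipFile:
            reasons.append("corrupt or truncated archive")
    return reasons


def assess_message(raw_bytes):
    """Return (filename, verdict, reason) for every attachment in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    verdicts = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        if _ext(name) in BLOCKED_EXTENSIONS:
            verdicts.append((name, "block", f"extension {_ext(name)} blocked by policy"))
            continue
        reasons = unscannable_reasons(name, payload)
        if reasons:
            verdicts.append((name, "block", "cannot be scanned: " + "; ".join(reasons)))
        else:
            verdicts.append((name, "allow", "handed to antivirus scanning"))
    return verdicts


def _flagged_zip_sample():
    """Constructed sample: a zip whose encryption flag bit is set by hand, standing in
    for a password-protected archive that an AV engine cannot open."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.doc", b"constructed placeholder content")
    data = bytearray(buf.getvalue())
    data[6] |= 0x1                      # local file header: flags at offset 6
    cd = data.find(b"PK\x01\x02")       # central directory header
    data[cd + 8] |= 0x1                 # flags at offset 8 of that header
    return bytes(data)


def build_sample_message():
    """Constructed test message with one attachment of each kind the policy handles."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(b"MZ-placeholder", maintype="application",
                       subtype="octet-stream", filename="invoice.exe")
    msg.add_attachment(_flagged_zip_sample(), maintype="application",
                       subtype="zip", filename="docs.zip")
    msg.add_attachment(b"%PDF-placeholder", maintype="application",
                       subtype="pdf", filename="report.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict, reason in assess_message(build_sample_message()):
        print(f"{verdict:5} {name:12} {reason}")
```

The point of the second check is the one the advisory makes implicitly: an extension blocklist alone is trivially bypassed by wrapping the executable in an archive, so anything the scanner cannot open must be treated as if it had failed the scan rather than as if it had passed.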
The warning comes a week after cybersecurity firm Proofpoint announced that Emotet was back and causing trouble with a new campaign after taking what appeared to be a Christmas break. Researchers spotted Emotet going after targets in the pharmaceutical industry in the US, Canada, and Mexico on January 13.
By Tuesday, the attackers had widened their net to go after victims in multiple industries in Australia, Austria, Germany, Hong Kong, Italy, Japan, Singapore, South Korea, Spain, Switzerland, Taiwan, and the United Arab Emirates.
"Based on past activity and what our researchers are seeing, organizations around the globe should take Emotet’s return seriously," wrote researchers. "On Monday alone we saw nearly three quarters of a million messages and they’re already fast approaching one million messages total."
This mass of messages, although large, isn’t the highest volume the researchers have ever seen from the TA542 group. Previously, researchers have seen the threat actors send over one million messages in just one day.