“Known assailant” back with a vengeance

In this post there is specific focus on an infamous threat that resurfaced during the summer.

Following several news articles in Nordic media of phishing attacks towards public services in late august and, in addition, sources that indicate that the Emotet trojan resurfaced in mid-july, several sources online are now indicating a massive campaigning not only in the Nordics but worldwide.

Emotet is an e-mail trojan that is often used as the entry point to target organizations. It´s success has largely been brought on by the craftiness of mimicking valid e-mails and attachments, utilizing macros in Word and Excel files. In addition, its evolution of attack techniques adds to that success.
For example, there are indications that the latest strain is using stolen attachments to add credibility to the forged e-mails.

Emotet is often paving way for at least two know other assailants in TrickBot and QakBot, to further spread laterally and steal credentials.

How to protect against Emotet (as well as Trojans and  Malware in general):

  • Be extra suspicious and cautious towards e-mails and attachments, even from known sources
  • Report suspicious e-mails to your Security organization for investigation
  • Make sure you have an up to date security program, preferably with anti-exploit capabilities
  • Make sure your systems are patched and up to date with the latest security patches
  • Enforce proper network segmentation
  • Enable MFA (Multi factor authentication on your e-mail service)
  • Block networks that generally do not need access (TOR, VPN etc.)

If you get infected:

  • Report it to your security organization or SIRT immediately
  • It is strongly advised that you perform and audit of your network and e-mail accounts to make sure other devices are not compromised.

Further reading: