The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) has warned of an ongoing and widespread phishing campaign designed to spread Emotet malware throughout Australia.
An excerpt from the ACSC advisory:
“The ACSC has received dozens of confirmed reports of Emotet infection across a variety of sectors in the Australian economy, including critical infrastructure providers and government agencies. Emotet provides an attacker with a foothold in a network from which additional attacks can be performed, often leading to the deployment of ransomware.”
As always, organizations and users should be wary of opening Office documents (such as Word docs) or PDF documents sent by email, especially those sent from external or untrusted sources.
Spreading Emotet and Trickbot
The Microsoft Word documents contain macros designed to download and install the Emotet malware once opened. Emotet also spreads via embedded URLs.
The ACSC also confirmed it has received reports of Emotet spreading by way of bulk spam emails, and said bad actors are using highly targeted spear-phishing emails as well.
“Upon infection of a machine, Emotet attempts to spread within a network by brute-forcing user credentials, and writing to shared drives,” the ACSC warned in the report.
The ACSC also noted at least 19 successful Emotet infections within Australia. In one incident, an Emotet infection led to Ryuk ransomware attacks on the Victorian health sector.
In addition, Emotet was seen downloading Trickbot, a secondary malware and multi-purpose command-and-control (C2) tool, onto infected systems.
Last November, researchers from Trend Micro reported that Trickbot added password grabber modules to steal access from several apps and browsers. Consequently, the modular C2 tool can harvest credentials to move laterally within the network using other exploits, such as EternalBlue.
Security experts have observed similar behaviour over the last couple of years, with attackers using Emotet to download other malicious payloads. Examples include the IcedID banking trojan, Dridex and ransomware.
In conclusion, the ACSC recommends that organizations block macros in Office files that originate from the internet, and that they allow only vetted, approved macros to execute.
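One way to enforce those two recommendations on a Windows endpoint, as an added PowerShell example that is not part of the article or the ACSC advisory. It assumes Office 2016 or later (policy path `16.0`), writes the per-user policy hive, and uses the "digitally signed macros only" setting (`VBAWarnings` = 3) together with Trusted Publishers as the allowlisting mechanism; in a managed fleet the same values would normally be pushed through Group Policy.

```powershell
# Added example (not from the ACSC advisory or the article): applies the two
# macro controls the ACSC recommends as Office policy registry values and
# audits the result. Assumes Office 2016/2019/365 (policy path "16.0"); the
# value names match the equivalent Group Policy settings.

$Apps = @('Word', 'Excel', 'PowerPoint')

function Set-MacroPolicy {
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Policy: "Block macros from running in Office files from the Internet"
        # (files carrying the Mark-of-the-Web, e.g. email attachments).
        Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
        # VBAWarnings: 1 = enable all, 2 = disable with notification,
        # 3 = disable all except digitally signed, 4 = disable all, no notification.
        # 3 plus a curated Trusted Publishers list is the "vetted macros only" model.
        Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value 3 -Type DWord
    }
}

function Test-MacroPolicy {
    # Returns one row per application so drift from the baseline is visible.
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $blockInternet = ($p.blockcontentexecutionfrominternet -eq 1)
        $signedOnly    = ($p.VBAWarnings -eq 3)
        [pscustomobject]@{
            App           = $app
            BlockInternet = $blockInternet
            SignedOnly    = $signedOnly
            Compliant     = ($blockInternet -and $signedOnly)
        }
    }
}

Set-MacroPolicy
Test-MacroPolicy | Format-Table -AutoSize
```

Run `Test-MacroPolicy` on its own to audit a host without changing it; a `Compliant = False` row indicates a machine where Word-delivered macros would still be able to execute.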