CISA Sounding Alarms Regarding Increased Emotet Attacks On Governments

Reading Time: 5 minutes

“This increase has rendered Emotet one of the most prevalent ongoing threats,” the CISA alert from Tuesday

Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding the dramatic uptick of confirmed Emotet phishing attacks since July.

The call has requested all entities, especially state and local governments, to increase their defenses and train their users to not fall victim to the Emotet Trojan.

As if the world we live in was not presenting enough challenges with COVID-19, social unrest and pre-election chaos – now – inject a malware attack that has the ability to self-propagate, defeat multiple defenses and trick users into expediting it’s spread.

Emotet turns your computer into a ‘bot’ or ‘zombie’ that can be controlled by the hacker group to perform other crimes — without your OS or anti-malware noticing – one of which is sending more spam emails infecting more people with Emotet.”

Bryan Becker – WhiteHat Security

CISA has an executive branch security protection tool they have called EINSTEIN Intrusion Detection System, which since July has reported more than 16,000 instances of the malware. These attacks have been identified as potentially targeted campaigns by using an infected Word document to deliver the initial infection.

What Is Emotet?

Originally conceived as a way to attack targeted banks in 2014, Emotet has continued to evolve from a primitive thought to a well oiled machine capable of many things the original was not.

By 2019 it has emerged as a social engineering tools, complete with phishing emails, messages, headlines and direct user interaction. By this time, the bad guys not only had a way of doing bad but exporting the details along the way.

Fast forward to February of 2020 and this trojan received an upgrade – one that made it capable of self-proliferation across Wi-Fi Networks.

Binary Defense’s research James Quinn had won a brief victory fighting Emotet by exploiting a kill switch within the malware, effectively neutering the spread in early August.

Regardless of the small wins that have occurred over the past few months, Emotet remains an active and increasing threat. In early October it has been reported that Emotet hit hundreds of U.S. Organizations such as the Democratic National Committee among other political organizations.

“It’s mature, having been around in various forms since 2014, but it is always mutating and continues to evade detection by antivirus (AV),”

Mark Kedgley, CTO at New Net Technologies (NNT),

“Because of the polymorphic nature of Emotet, AV and other signature-based detection technologies will not be effective,” he said. “Therefore, the best action is to harden the infrastructure and reduce functionality used to infect systems, and also to leverage breach-detection capabilities…which will place a trojan like this right in the cross-hairs.”

“It has strong downloader capabilities, so it’s a carrier or conduit for other hacking tools and malware, such as credential-theft or ransomware. And it has worm capabilities too, designed to spread the malware laterally within a network once it has breached defenses, usually via phishing.”

Mark Kedgley, CTO at New Net Technologies (NNT),

CISA did offer mitigation best practices such as blocking email attachments associated with malware, blocking items that cannot be scanned by antivirus software, restricting browser access and enabling multi-factor authentication where available.

How Has Emotet Changed?

“In one instance, traffic from an Emotet-related IP attempted to connect to a suspected compromised site over port 445, possibly indicating the use of Server Message Block [SMB] exploitation frameworks along with Emotet,”


According to Check Point – the Emotet trojan and it’s variations account for 14% of the impact affecting organizations globally, with Trickbot at 4% and Dridex closely behind at 3%.

As early as February of this year, phishing emails associated with Emotet have made their way to foreign countries focused on spreading the malware.

With a small reprieve, most likely as malicious actors were addressing COVID issues in their own countries, researchers saw an increase again in July this time with a focus on phishing associated with COVID-19 concerns.

Come August – a 1000% spike within the Emoter loader environment gave way to focused attacks moving towards local and state government agencies. Your Digital Mind has not received any confirmation from Federal entities regarding an increase.

September gave way to another surge – Canada, France, Japan, New Zealand, Italy and the Netherlands each having reported successful Emotet attacks. These variations then pushed Trickbot to deliver additional ransomware and Qakbot to extract banking and other sensitive information from the infected machines.

Additional upgrades and advancements over 2020 have included password-protected archive files to get past many of the best email security gateways. Palo Alto Networks reported that researchers are seeing instances of ‘thread jacking’ which is where an email chain is infected by replying to the message string with an attachment to deliver the malware payload.

“While the Emotet is an advanced trojan primarily seen to affect desktops, our data shows mobile users encountering phishing attacks at a rate of over 30 percent on their personal devices . . . It’s become more evident through our threat research that adversaries are extending their attacks to mobile. In many cases, desktop and mobile malware will have connections to the same command-and-control infrastructure. Cybercriminals are taking full advantage of this expanded attack surface.”

Steve Banda – Senior Manager Of Security Solutions At Lookout

State and local municipalities – everyone from tribal and territorial nations to state authorities are being strongly encouraged by CISA to review the mitigation guidelines and update as necessary to prepare for the next wave.

Leave a Reply

Your email address will not be published. Required fields are marked *