Emotet is back and phishing state and local governments, CISA warns

The credential-stealing malware took an extended spring break, but it's returned with a vengeance according to an alert from CISA and the MS-ISAC.
CISA sign
(Scoop News Group)

The recent resurgence of Emotet, a credential-stealing malware that’s often been seen as a precursor to ransomware attacks, includes a significant increase in the number of phishing emails targeting state and local governments, according to an alert published Tuesday by the Cybersecurity and Infrastructure Security Agency.

Emotet, after going quiet for roughly four months beginning in February, is once again “one of the most prevalent ongoing threats” against state and local governments, according to the advisory, which CISA published in conjunction with the Multi-State Information Sharing and Analysis Center. In the past, actors using Emotet have used it to harvest credentials and to drop Trickbot, a Trojan used in turn to download Ryuk ransomware, which has hit scores of state and local governments since it was first detected in 2018.

But after its extended spring break, Emotet appears to be back with new tactics. In July, researchers detected a new wave of phishing emails targeting U.S. businesses with subject lines capitalizing on the COVID-19 pandemic. The following month brought a 1,000% increase in the number of downloads of the Emotet loader via malicious attachments, including a sharp uptick in attacks on the state and local government organizations monitored by CISA and the MS-ISAC.

And though antivirus vendors issued updates that reduced the number of downloads of malicious attachments, often delivered as a Microsoft Word document, Emotet made further adjustments in September, the alert reads. Microsoft researchers found the Emotet downloader is now delivered inside a password-protected archive, such as a zip file, which the email security gateways protecting victims’ accounts cannot open to scan.
“These email messages purport to deliver documents created on mobile devices to lure targeted users into enabling macros to ‘view’ the documents—an action which actually enables the delivery of malware,” the CISA alert reads.

Palo Alto Networks found that Emotet actors sometimes engage in “thread hijacking,” a technique that involves inserting themselves into a legitimate email conversation by harvesting it from an already-infected user’s mailbox and replying to it under a spoofed identity, malicious attachment included, according to the alert.

Hackers using Emotet are also continuing to work timely content into their phishing attempts, according to research published last week by Proofpoint. Many recent malicious emails have pulled language from the Democratic National Committee’s website, and included files named “Team Blue Take Action,” CyberScoop reported last week.

The new CISA advisory recommends several steps that state and local IT organizations can take to reduce the risk of a successful Emotet attack, including blocking attachments with file extensions commonly associated with malware, such as .exe and .dll, as well as archive types such as .zip that antivirus cannot reliably scan. It also suggests implementing or strengthening firewalls on both email servers and individual workstations, blocking suspicious IP addresses at the firewall and enforcing the use of multi-factor authentication.
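The two gateway-side points above, the password-protected archive that a scanner cannot open and the advisory's recommendation to block attachment types commonly associated with malware, can be checked in a single pass over a message. The script below is an added example written for this page, not code from CISA, the MS-ISAC or any vendor named here; the message it parses is constructed inline (the sender, subject and file names are invented), and the extension lists are assumptions to be tuned to local policy. It goes one step beyond the advisory's extension block list by also reading each archive member's header for the encryption flag and for macro-capable Office formats, so an organization that cannot block .zip outright still gets a signal.

```python
"""Triage e-mail attachments the way a mail-gateway policy might, using only
the Python standard library.  Added example for this article; the sample
message and archive below are constructed here, not captured from a real
Emotet campaign."""
import email
import io
import struct
import zipfile
import zlib
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Extensions blocked outright (assumed list; tune to local policy).
BLOCKED_EXTENSIONS = {".exe", ".dll", ".zip", ".scr", ".js", ".vbs"}
# Office formats that can carry VBA macros and deserve scrutiny even when
# they arrive wrapped in an archive (assumed list).
MACRO_CAPABLE = {".doc", ".docm", ".xls", ".xlsm", ".ppt", ".pptm"}
ZIP_ENCRYPTED_FLAG = 0x0001  # bit 0 of the zip general-purpose flag field


def build_zip(name: str, data: bytes, encrypted: bool = False) -> bytes:
    """Hand-assemble a single-member 'stored' zip so the sample can carry the
    encryption flag (zipfile cannot write password-protected archives).
    Layout: local file header, data, central directory entry, end record."""
    fname = name.encode()
    flag = ZIP_ENCRYPTED_FLAG if encrypted else 0
    crc = zlib.crc32(data) & 0xFFFFFFFF
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flag, 0, 0, 0,
                        crc, len(data), len(data), len(fname), 0) + fname
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flag, 0,
                          0, 0, crc, len(data), len(data), len(fname),
                          0, 0, 0, 0, 0, 0) + fname
    cd_offset = len(local) + len(data)
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1,
                       len(central), cd_offset, 0)
    return local + data + central + eocd


def triage_attachment(filename: str, payload: bytes) -> list:
    """Return policy findings for one attachment (empty list means clean)."""
    findings = []
    ext = PurePosixPath(filename).suffix.lower()
    if ext in BLOCKED_EXTENSIONS:
        findings.append(f"blocked_extension:{ext}")
    if payload[:4] == b"PK\x03\x04":  # zip local-file-header signature
        try:
            # Reading the central directory needs no password, so the
            # encryption bit is visible even though the content is not.
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for info in zf.infolist():
                    if info.flag_bits & ZIP_ENCRYPTED_FLAG:
                        findings.append(f"encrypted_member:{info.filename}")
                    inner = PurePosixPath(info.filename).suffix.lower()
                    if inner in MACRO_CAPABLE:
                        findings.append(f"macro_capable_member:{info.filename}")
        except zipfile.BadZipFile:
            findings.append("unscannable_archive")
    return findings


def triage_message(raw: bytes) -> dict:
    """Map each named attachment in a raw RFC 5322 message to its findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {
        part.get_filename(): triage_attachment(part.get_filename(),
                                               part.get_payload(decode=True))
        for part in msg.iter_attachments() if part.get_filename()
    }


def sample_message() -> bytes:
    """Constructed lure: a password-protected zip wrapping a macro-capable .doc,
    plus a harmless text attachment for contrast."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"      # invented sender
    msg["To"] = "clerk@example.gov"            # invented recipient
    msg["Subject"] = "Re: Scanned from my phone"
    msg.set_content("Please see the attached document created on my mobile.")
    inner = build_zip("Scan_2020-10-06.doc", b"not a real document",
                      encrypted=True)
    msg.add_attachment(inner, maintype="application", subtype="zip",
                       filename="Scan_2020-10-06.zip")
    msg.add_attachment("meeting notes", filename="notes.txt")
    return bytes(msg)


if __name__ == "__main__":
    for name, findings in triage_message(sample_message()).items():
        print(name, "->", findings or "clean")
```

The encryption bit is read from the archive's central directory without attempting extraction, so the check works whether or not the password is in the email body. A production gateway would also have to unpack nested archives and other container formats (7z, ISO, RAR) and apply the same rules recursively; this example stops at one level.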

The Emotet alert also follows a detailed guide to ransomware CISA and the MS-ISAC released last week.