The French National Cybersecurity Service issued a warning yesterday about the increase in Emotet attacks targeting businesses and public administrations across the country. In France, public administration has three sub-sectors: central public administrations (APUC), local government (LUFA) and social security administrations (ASSO).
The French National Information Security Service (ANSSI) said it had observed French companies and administrations being targeted by the Emotet malware for several consecutive days. ANSSI also stressed the seriousness of the situation, as Emotet is now being used to deploy other malware that can have a significant impact on victims. In addition, ANSSI pointed out that the botnet targets all business sectors worldwide, with attacks on organizations in France increasing sharply in recent days.
ANSSI has also released a list of steps it recommends organizations follow, both to prevent Emotet infections and to respond properly after a possible compromise of their systems:
• Instruct users not to enable macros in attachments, to be wary of the e-mails they receive, and restrict macro execution.
• Restrict Internet access for all staff to a controlled allow list ("white list").
• Disconnect compromised machines from the network without deleting data.
• Send the samples (.doc and .eml) available to you to ANSSI for analysis, so that IoCs can be identified and shared. This is very important because the attacker's infrastructure changes frequently, so access to recent samples is essential.
This notification comes after the Emotet botnet returned on 17 July with a huge malicious spam campaign, with messages posing as payment reports, invoices, job offers and shipping information, and delivering malicious Word documents and spreadsheets as attachments.
According to researcher James Quinn, Emotet was last seen on February 7, 2020, after which the malware remained "quiet" for five months and sent no spam until July. Microsoft further stated that since its reappearance on July 17, Emotet has kept up daily spam runs of more than 500,000 emails per day (except weekends), starting at 2:00 a.m. Pacific time (UTC-7).
Upon its return, Emotet began installing the TrickBot trojan on infected Windows computers, later replacing the TrickBot payload with the QakBot malware. According to reports, QakBot in turn delivers the ProLock ransomware as a payload to some of the systems initially compromised by Emotet. In addition, Emotet, which the French warning describes as a significant threat to companies, uses stolen attachments to make its malicious emails look more authentic: it inserts malicious URLs or attachments into new emails that are injected into existing conversation threads. Finally, since returning to the Internet, Emotet has taken first place in the top 10 malware list on the interactive malware analysis platform Any.Run.