Emotet, a sophisticated Trojan commonly functioning as a downloader or dropper of other malware, resurged in July 2020, after a dormant period that began in February. Since August, CISA and MS-ISAC have seen a significant increase in malicious cyber actors targeting state and local governments with Emotet phishing emails. This increase has rendered Emotet one of the most prevalent ongoing threats.

Emotet is an advanced Trojan primarily spread via phishing email attachments and links that, once clicked, launch the payload ("Phishing: Spearphishing Attachment" [T1566.001 [ https://attack.mitre.org/techn... ]], "Phishing: Spearphishing Link" [T1566.002 [ https://attack.mitre.org/techn... ]]).

To secure against Emotet, CISA and MS-ISAC recommend implementing the mitigation measures described in the Alert at https://us-cert.cisa.gov/ncas/... , which include applying protocols that block suspicious attachments, using antivirus software, and blocking suspicious IPs.

Possible command and control network traffic involved HTTP POST requests to Uniform Resource Identifiers consisting of nonsensical random length alphabetical directories to known Emotet-related domains or IPs with the following user agent string ("Application Layer Protocol: Web Protocols")

Emotet is difficult to combat because of its worm-like features that enable network-wide infections. Additionally, Emotet uses modular Dynamic Link Libraries to continuously evolve and update its capabilities.

Traffic to known Emotet-related domains or IPs occurred most commonly over ports 80, 8080, and 443. In one instance, traffic from an Emotet-related IP attempted to connect to a suspected compromised site over port 445, possibly indicating the use of Server Message Block exploitation frameworks along with Emotet ("Exploitation of Remote Services".

The following timeline identifies key Emotet activity observed in 2020.

* *February*: Cybercriminals targeted non-U.S. countries using COVID-19-themed phishing emails to lure victims to download Emotet.[1 [ https://www.bleepingcomputer.c... ]]

* *July*: Researchers spotted emails with previously used Emotet URLs, particularly those used in the February campaign, targeting U.S. businesses with COVID-19-themed lures.[2 [ https://www.bleepingcomputer.c... ]]

* *August*:
* Security researchers observed a 1,000 percent increase in downloads of the Emotet loader. Following this change, antivirus software firms adjusted their detection heuristics to compensate, leading to decreases in observed loader downloads.[3 [ https://www.hornetsecurity.com... ]]
* Proofpoint researchers noted mostly minimal changes in most tactics and tools previously used with Emotet. Significant changes included:
* Emotet delivering Qbot affiliate partner01 as the primary payload and
* The Emotet mail sending modules ability to deliver benign and malicious attachments.[4 [ https://www.proofpoint.com/us/... ]]

* CISA and MS-ISAC observed increased attacks in the United States, particularly cyber actors using Emotet to target state and local governments.

* *September*:
* Cyber agencies and researchers alerted the public of surges of Emotet, including compromises in Canada, France, Japan, New Zealand, Italy, and the Netherlands. Emotet botnets were observed dropping Trickbot to deliver ransomware payloads against some victims and Qakbot Trojans to steal banking credentials and data from other targets.[5 [ https://www.zdnet.com/article/... ]],[6 [ https://www.bleepingcomputer.c... ]],[7 [ https://www.welivesecurity.com... ]],[8 [ https://www.zdnet.com/article/... ]]

* Security researchers from Microsoft identified a pivot in tactics from the Emotet campaign. The new tactics include attaching password-protected archive files (e.g., Zip files) to emails to bypass email security gateways. These email messages purport to deliver documents created on mobile devices to lure targeted users into enabling macros to view the documentsan action which actually enables the delivery of malware.[9 [ https://www.bleepingcomputer.c... ]]

* Palo Alto Networks reported cyber actors using thread hijacking to spread Emotet. This attack technique involves stealing an existing email chain from an infected host to reply to the chainusing a spoofed identityand attaching a malicious document to trick recipients into opening the file.[10 [ https://unit42.paloaltonetwork... ]]

Once in the target computer, Emotet has been seen
- use two techniques to break passwords - a predefined list and a brute force attack
- to install a module to collect browser passwords
- to use the Windows task scheduler to maintain its persistence
- to add an entry to the HKEY registry to maintain persistence
- scraping e-mail data from Outlook
- executing a power-shell script via cmd.exe which it them uses to download additional modules
- injecting into explorer.exe (file manager) and other processes

Whatever it gleans, "Emotet has been seen exfiltrating system information stored within cookies sent within a HTTP GET request back to its command and control (C2) servers."

Distribution is via a .doc (Microsoft Word) document containing one or more malicious documents that are distributed as an attachment via e-mail.

It is also distributed via links in e-mails, providing more evidence that good e-mail security should ban the display of html mail on users' computers.