The Cybersecurity and Infrastructure Security Agency (CISA) has released an alert warning of a surge in Emotet phishing attacks against US state and local governments. According to the alert, Emotet attacks have been increasing significantly since August 2020.
“Since July 2020, CISA has seen increased activity involving Emotet-associated indicators. During that time, CISA’s EINSTEIN Intrusion Detection System, which protects federal, civilian executive branch networks, has detected roughly 16,000 alerts related to Emotet activity. CISA observed Emotet being executed in phases during possible targeted campaigns. Emotet used compromised Word documents (.doc) attached to phishing emails as initial insertion vectors,” the agency said.
“This increase has rendered Emotet one of the most prevalent ongoing threats,” CISA added.
The agency also observed Emotet-related traffic over ports 80, 8080, and 443, as well as one instance where an Emotet-related IP attempted to connect over port 445, suggesting the possible use of Server Message Block (SMB) exploitation frameworks along with Emotet.
The Emotet banking trojan was first discovered in 2014. It was originally banking malware designed to steal users’ sensitive and private information; over time, however, Emotet evolved into more complex malware with worm-like capabilities, as well as spamming and malware delivery services.
“Emotet is difficult to combat because of its ‘worm-like’ features that enable network-wide infections. Additionally, Emotet uses modular Dynamic Link Libraries to continuously evolve and update its capabilities,” CISA emphasized.