Threat Advisory: Increased Emotet Malware Activity Detected

January 23, 2020

The Cybersecurity and Infrastructure Security Agency (CISA) has released an advisory on the increasing use of targeted Emotet malware attacks. Emotet is a Trojan used by threat actors to act as a downloader, or dropper, of other malware.

The most common delivery method for Emotet is spam email carrying a malicious Microsoft Word or Excel attachment that exploits vulnerabilities in Microsoft Office. Cyber criminals often use subject lines, such as requested payments/invoices or delivery notifications for tracking shipments, that convey a sense of urgency so that unsuspecting users open the malicious attachment.

Emotet spreads through internal networks by leveraging brute force attacks to gain access to shared drives. Successful Emotet attacks can allow cyber criminals to access sensitive and proprietary data, resulting in disruption of business operations and loss of the organization’s reputation.

CISA recommends the following steps as best practices to defend against Emotet:

  • Block email attachments commonly associated with malware (e.g., .dll and .exe).
  • Block email attachments that cannot be scanned by antivirus software (e.g., .zip files).
  • Implement Group Policy Object and firewall rules.
  • Implement an antivirus program and a formalized patch management process.
  • Implement filters at the email gateway, and block suspicious IP addresses at the firewall.
  • Adhere to the principle of least privilege.
  • Implement a Domain-Based Message Authentication, Reporting & Conformance (DMARC) validation system.
  • Segment and segregate networks and functions.
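As an added example (not code from CISA's advisory or from Herjavec Group), the first two recommendations above expressed as a mail-gateway attachment check in Python: a blocklist of executable extensions, and archives treated as unscannable when an entry is encrypted or the archive is unreadable, with a look inside readable archives for blocked file types. The blocklist extends the advisory's .exe/.dll with .scr and .js as an assumption, and the sample message is constructed here.

```python
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions the advisory says to block outright; .scr and .js are an added assumption
BLOCKED_EXTENSIONS = {".exe", ".dll", ".scr", ".js"}

def check_attachment(filename, payload):
    """Apply the advisory's two attachment rules to one part; returns (verdict, reason)."""
    name = (filename or "").lower()
    payload = payload or b""
    ext = os.path.splitext(name)[1]
    if ext in BLOCKED_EXTENSIONS:
        return "block", f"blocked extension {ext}"
    # Archives: an encrypted entry cannot be scanned by antivirus, so it is blocked too
    if ext == ".zip" or payload.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for info in zf.infolist():
                    if info.flag_bits & 0x1:  # bit 0 of the general purpose flag = encrypted
                        return "block", f"encrypted archive entry {info.filename}"
                    if os.path.splitext(info.filename.lower())[1] in BLOCKED_EXTENSIONS:
                        return "block", f"archive contains {info.filename}"
        except zipfile.BadZipFile:
            return "block", "unreadable archive"
    return "allow", ""

def check_message(raw_bytes):
    """Return [(filename, verdict, reason)] for every attachment in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    return [(p.get_filename(), *check_attachment(p.get_filename(), p.get_payload(decode=True)))
            for p in msg.iter_attachments()]

def build_sample_message():
    """Constructed invoice-themed sample: a zip wrapping a placeholder .exe plus a harmless PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_2020.exe", b"placeholder bytes, not an executable")
    msg = EmailMessage()
    msg["Subject"] = "Payment requested: overdue invoice"
    msg["From"] = "billing@example.com"
    msg["To"] = "user@example.net"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application", subtype="pdf", filename="statement.pdf")
    return msg.as_bytes()
```

Running `check_message(build_sample_message())` blocks the zip because of the executable inside it and allows the PDF; a real gateway would also quarantine the message and log the reason for the incident response team.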

In addition to CISA’s recommendations, Herjavec Group also advises:

  • Follow best practices to limit opportunities for credential loss or lateral movement.
  • Incorporate consistent user security awareness training.
  • Establish processes for reporting suspicious emails.
  • Isolate suspicious systems until they can be remediated.
  • Develop playbooks and orchestration to automate phishing detection, containment, and detonation where possible.

Herjavec Group's Threat Management & Incident Response team is available for further support and consultation. If you need Incident Response support or Security Expertise, please connect with us.

About Herjavec Group

Dynamic entrepreneur Robert Herjavec founded Herjavec Group in 2003 to provide cybersecurity products and services to enterprise organizations. We have been recognized as one of the world’s most innovative cybersecurity operations leaders, and excel in complex, multi-technology environments. Our service expertise includes Advisory Services, Technology Architecture & Implementation, Identity Services, Managed Security Services, Threat Management and Incident Response. Herjavec Group has offices and Security Operations Centers across the United States, United Kingdom and Canada.
