The Emotet Trojan, identified by security teams in 2014, started out as banking malware meant to steal sensitive data. Initially focused on the financial sector, the malware later morphed, adding spamming and malware delivery services.
Emotet’s latest phishing campaign targets 600 United Nations staffers and officials using Norway’s diplomatic presence in New York as bait.
Impersonating the Permanent Mission to the United Nations in New York, the attackers sent a phishing email stating that the Norwegian representatives have found a problem, with an agreement named “Doc_01_13” also attached.
You can read the full text of the Emotet phishing email below:
“Hi,
Please be advised that the new problem has been appeared today.
See below our info for this question.
Please let me know if you need anything else.
Regards
Permanent Mission of Norway to the United Nations in New York”
The similarities to previous Emotet attacks are clear: this new campaign recycles templates with poor grammar and documents of ‘high importance’.
So what happens if a recipient tries to open the malicious document?
Readers are warned that the “document only available for desktop or laptop versions of Microsoft Office Word”, and are prompted to click on either the ‘Enable Editing’ or ‘Enable Content’ button to view the document.
Enabling the content immediately downloads and installs Emotet on the workstation. More concerning is that the malware will install other second-stage payloads including TrickBot Trojan, which gathers sensitive data such as login credentials, files and cookies. An attack like this poses a critical security risk and can fully compromise the network. Moreover, TrickBot paves the way for Ryuk, a type of ransomware that, if deployed, starts encrypting all data, rendering file recovery impossible without paying a ransom to the cybercriminals.
It seems threat actors are stepping up their game in 2020, aiming for more and more government organizations and high-level targets. While proper training on spotting phishing emails can help, it’s important for organizations to have email security solutions that can both flag spearphishing attacks and detonate potentially malicious attachments in sandboxed environments before they reach the employee’s endpoint.