France national cyber-security agency warns of a surge in Emotet attacks

The French national cyber-security agency warns of a surge in Emotet attacks targeting the private sector and public administration entities.

The French national cyber-security agency published an alert to warn of a significant increase of Emotet attacks targeting the private sector and public administration entities in France.

The Emotet banking trojan has been active at least since 2014, the botnet is operated by a threat actor tracked as TA542.

In the middle-August, the Emotet malware was employed in fresh COVID19-themed spam campaign

Recent spam campaigns used messages with malicious Word documents, or links to them, pretending to be an invoice, shipping information, COVID-19 information, resumes, financial documents, or scanned documents.

Emotet malware is also used to deliver other malicious code, such as Trickbot and QBot trojan or ransomware such as Conti (TrickBot) or ProLock (QBot).

According to the French national cyber-security agency, the number of Emotet attacks increased for several days, and the attacks are targeting almost any business sector.

Il convient d’y apporter une attention particulière car Emotet est désormais utilisé pour déposer d’autres codes malveillants susceptibles d’impacter fortement l’activité des victimes.https://t.co/R0wUX3PH7c— CERT-FR (@CERT_FR) September 7, 2020“For several days, ANSSI has observed the targeting of French companies and administrations by the Emotet malware,” reads the alert issued by the ANSSI (Agence Nationale de la Sécurité des Systèmes d’Information).

“Special attention should be paid to this because Emotet is now used to deploy other malicious code that may have a strong impact on the activity of victims.”

ANNSI provided a list of recommendations to organizations to prevent Emotet attacks:

• Make users aware not to enable macros in attachments and to be particularly attentive to the emails they receive and reduce the execution of macros.• Limit Internet access for all agents to a controlled white list.• Disconnect compromised machines from the network without deleting data.• Generally speaking, removal/cleaning by antivirus is not a sufficient guarantee. Only the reinstallation of the machine ensures the erasure of the implant.• Send the samples (.doc and .eml) available to you for analysis to ANSSI in order to determine the IoCs that can be shared. This point is essential because the attacker’s infrastructure evolves frequently, access to recent samples is therefore essential.

The notorious Emotet went into the dark since February 2020, but after months of inactivity, the infamous trojan has surged back in July with a new massive spam campaign targeting users worldwide.

In August, the Emotet malware has begun to spam COVID19-themed emails to U.S. businesses after not being active for most of the USA pandemic.

Emotet botnet new document template (source Bleeping Computer)At the end of August, the botnet operators switched to a new template, named ‘Red Dawn,’ for the malicious attachments employed in new campaigns. 

window._mNHandle = window._mNHandle || {};
window._mNHandle.queue = window._mNHandle.queue || [];
medianet_versionId = “3121199”;

try {
window._mNHandle.queue.push(function () {
window._mNDetails.loadTag(“762221962”, “300×250”, “762221962”);
});
}
catch (error) {}

Pierluigi Paganini

(SecurityAffairs – hacking, botnet)

The post France national cyber-security agency warns of a surge in Emotet attacks appeared first on Security Affairs.