Original Release Date: 9/10/2020
After a return to the cyber threat scene this summer following a months-long hiatus, the threat actors behind the Emotet trojan continue to increase their activity, with a large uptick occurring since the beginning of September. Based on information from the NJCCIC's email security solution, threat actors are attempting to deliver Emotet-laden emails to NJ State employees at a significant rate, consistent with reporting from France, Japan, and New Zealand. Phishing email themes associated with this campaign vary; however, many of the emails sent to NJ State employees referenced past due payments or included the recipient's first and last name in the subject line. Several countries reported that the recent attacks were launched from compromised email accounts in which the operators utilized previous email threads to send malicious emails to known contacts. The emails contained malicious Word or ZIP files, which are used to deliver the Emotet trojan. For additional information on recent Emotet campaigns, please review the ZDNet article.
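As an added illustration (not part of the NJCCIC alert), the following Python triage helper scores inbound messages against the lure traits described above: past-due-payment wording, the recipient's first and last name in the subject line, Word or ZIP attachments, and continuation of an existing email thread. The sample messages are constructed, and the extra past-due phrasings, the attachment extensions, and the threshold of two matching traits are assumptions for this example rather than indicators published with the alert.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Attachment types named in the alert: Word documents and ZIP archives.
# The specific extensions are an assumption; adjust to what your gateway sees.
SUSPECT_EXTENSIONS = {".doc", ".docm", ".docx", ".zip"}

# "Past due payments" is the wording from the alert; the other phrasings
# are assumed variants added for this example.
PAST_DUE_PATTERN = re.compile(
    r"\b(past[ -]?due|overdue|outstanding (invoice|payment|balance))\b", re.I
)


@dataclass
class Message:
    sender: str
    recipient_name: str            # full name of the mailbox owner, e.g. "Jane Doe"
    subject: str
    attachments: List[str] = field(default_factory=list)
    in_reply_to: str = ""          # non-empty when the message continues an existing thread


def full_name_in_subject(msg: Message) -> bool:
    """True when both the recipient's first and last name appear in the subject."""
    parts = [p for p in msg.recipient_name.split() if p]
    if len(parts) < 2:
        return False
    subject = msg.subject.lower()
    return all(p.lower() in subject for p in (parts[0], parts[-1]))


def suspect_attachments(msg: Message) -> List[str]:
    """Attachments whose extension is one of the alert's delivery file types."""
    return [a for a in msg.attachments
            if any(a.lower().endswith(ext) for ext in SUSPECT_EXTENSIONS)]


def score(msg: Message) -> int:
    """Count how many of the alert's lure traits one message exhibits."""
    hits = 0
    if PAST_DUE_PATTERN.search(msg.subject):
        hits += 1
    if full_name_in_subject(msg):
        hits += 1
    if suspect_attachments(msg):
        hits += 1
    if msg.in_reply_to:   # reply into an existing thread, as in the hijacked-account cases
        hits += 1
    return hits


def triage(messages, threshold=2):
    """Return messages matching at least `threshold` traits (threshold is an assumed tuning value)."""
    return [m for m in messages if score(m) >= threshold]


# Constructed sample messages, not real traffic.
SAMPLES = [
    Message("vendor@example.com", "Jane Doe", "Past due payment - Jane Doe",
            ["invoice_0910.doc"], "<abc@example.com>"),
    Message("colleague@example.com", "Jane Doe", "RE: Lunch tomorrow?", [], "<def@example.com>"),
    Message("hr@example.com", "Jane Doe", "Benefits enrollment reminder", ["guide.pdf"], ""),
    Message("unknown@example.org", "Jane Doe", "Jane Doe", ["docs.zip"], ""),
]

if __name__ == "__main__":
    for m in triage(SAMPLES):
        print(f"{score(m)} traits: from={m.sender!r} subject={m.subject!r} "
              f"attachments={suspect_attachments(m)}")
```

A single trait (for instance a legitimate reply in a thread) does not flag a message on its own; only the combination of traits the alert describes pushes a message over the threshold, which keeps the helper useful for prioritizing analyst review rather than blocking mail outright.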
The NJCCIC recommends organizations implement a defense-in-depth cybersecurity strategy that includes an endpoint detection and response solution, email security gateway, user awareness training, and a comprehensive data backup plan. As Emotet is a sophisticated trojan that easily spreads across a network and is often used to download additional malware, if an infection is suspected, the NJCCIC recommends disconnecting devices from the network and investigating them for signs of compromise. We encourage reimaging any infected devices.