Emotet malware actively spread in Finland

Filed under Alerts.

Emotet is malware spread via email messages sent in the name of Finnish organisations. The objective of the attack is to steal information from organisations, gain a foothold in a targeted network and, in some cases, launch a ransomware attack. The campaign has been active since 17 August 2020.

Target group of the alert

Emotet is an infostealer: it harvests emails, contact lists, passwords, payment information and other data from an infected computer. The malicious email attachment can be a PDF document or an Office document whose macros infect the computer when they are enabled. Emotet may also download further malware onto the computer, for example ransomware. Emotet samples are modified from campaign to campaign and are not always detected by anti-virus software.

Emotet does not spread by itself from one workstation to another; instead it sends the stolen information to a command-and-control server. The stolen data often includes emails, whose contents are then used to spread the malware further: a fake reply is inserted into an existing conversation so that the message appears credible. The fake message carries a malicious attachment, and its subject and body may have been copied from the genuine messages.

Possible solutions and restrictive measures

It is important to inform and educate your personnel about malicious attachments, and to instruct them not to open suspicious ones. In this campaign, messages with attachments can look highly credible because they appear to continue genuine conversations, so train your personnel to recognise spoofed sender information. Update the signature databases of your anti-virus software and tighten your organisation's policy on delivering email attachments.

  1. Warn your personnel about the malware threat posed by email attachments. Office documents with macros are exploited in particular (.doc, .docx, .xls, .xlsx). Note that the Office Open XML formats .docx and .xlsx cannot carry VBA macros; macro-enabled documents use the legacy .doc and .xls formats or the .docm and .xlsm extensions, and because the attacker controls the filename, attachments should be judged by their content rather than their extension.
  2. Block the running of macros in Office products as categorically as possible, for example by disabling macros in documents received from the internet. Never click the "Enable content" button in an attachment without thinking.
  3. Restrict the running of PowerShell on users' workstations where it is not needed.
  4. Update the signature databases of your anti-virus software and email filters.
  5. If you suspect an infection, monitor your outgoing traffic (number of connections, volume and destinations) for signs of a data leak.
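
As an added example for the attachment policy in steps 1 and 4 (example code, not NCSC-FI or CSIRT-CY tooling), the following Python script classifies an attachment by its content rather than its filename: legacy OLE2 documents that carry a VBA project, Office Open XML packages that contain a vbaProject.bin part, PDFs with active content, and zip archives that wrap or encrypt any of these. The OLE2 check is a heuristic (the presence of the `_VBA_PROJECT` stream name, which every VBA project has); a production gateway should use a full parser such as oletools. All sample files are constructed inside the script and contain no real malware.

```python
"""Content-based triage of email attachments for macro-bearing Office files.

Added example for this advisory; not NCSC-FI or CSIRT-CY tooling. Decides from
the bytes, not the filename (which the attacker controls), whether an attachment
is an Office document carrying a VBA project, a PDF with active content, or an
archive hiding either. The OLE2 check is a heuristic; for production use a full
parser such as oletools' olevba.
"""
import io
import zipfile

# Compound File Binary (OLE2) signature of legacy .doc/.xls/.ppt files.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# OLE directory entry names are UTF-16LE. Every VBA project contains a
# "_VBA_PROJECT" stream (Excel names it "_VBA_PROJECT_CUR"), so the name is a
# strong indicator even without parsing the directory structure.
OLE_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")
# Office Open XML is a zip; the VBA project is stored as a vbaProject.bin part.
OOXML_MANIFEST = "[Content_Types].xml"
OOXML_VBA_PART = "vbaproject.bin"
PDF_MAGIC = b"%PDF-"
# Name objects that make a PDF reader act rather than render. Byte matching
# misses hex-escaped names such as /J#61vaScript, so a miss is not a clean bill.
PDF_ACTIVE_NAMES = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/EmbeddedFile")
MAX_ARCHIVE_DEPTH = 1  # look one level into plain zip attachments

RISKY = {"ole-with-macros", "ooxml-with-macros", "pdf-active",
         "zip-encrypted", "zip-with-risky-content"}


def classify(data: bytes, depth: int = 0) -> str:
    """Return a verdict label for one attachment body."""
    if data.startswith(OLE_MAGIC):
        return "ole-with-macros" if OLE_VBA_MARKER in data else "ole-no-macros"
    if data.startswith(PDF_MAGIC):
        return "pdf-active" if any(n in data for n in PDF_ACTIVE_NAMES) else "pdf-plain"
    if data.startswith(b"PK\x03\x04"):
        return _classify_zip(data, depth)
    return "other"


def _classify_zip(data: bytes, depth: int) -> str:
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
        infos = zf.infolist()
    except zipfile.BadZipFile:
        return "other"
    names = [zi.filename for zi in infos]
    if OOXML_MANIFEST in names:
        has_vba = any(n.lower().endswith(OOXML_VBA_PART) for n in names)
        return "ooxml-with-macros" if has_vba else "ooxml-no-macros"
    # Encrypted members cannot be inspected at the gateway; treat them as risky.
    if any(zi.flag_bits & 0x1 for zi in infos):
        return "zip-encrypted"
    if depth < MAX_ARCHIVE_DEPTH:
        for zi in infos:
            if classify(zf.read(zi), depth + 1) in RISKY:
                return "zip-with-risky-content"
    return "zip-archive"


def should_quarantine(data: bytes) -> bool:
    return classify(data) in RISKY


# ---- constructed samples (not real malware) ---------------------------------
def _ooxml(with_vba: bool) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(OOXML_MANIFEST, "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def _zip_of(name: str, body: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, body)
    return buf.getvalue()


SAMPLE_DOCM = _ooxml(with_vba=True)
SAMPLE_DOCX = _ooxml(with_vba=False)
# Minimal stand-in for a legacy .doc: 512-byte OLE header, then a VBA stream name.
SAMPLE_DOC_MACRO = OLE_MAGIC + b"\x00" * 504 + OLE_VBA_MARKER
SAMPLE_DOC_PLAIN = OLE_MAGIC + b"\x00" * 504
SAMPLE_PDF_JS = b"%PDF-1.7\n1 0 obj << /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >> endobj\n%%EOF"
SAMPLE_PDF_PLAIN = b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n%%EOF"
# A macro document renamed to .docx and wrapped in a zip (hypothetical filename).
SAMPLE_NESTED = _zip_of("Invoice.docx", SAMPLE_DOCM)

if __name__ == "__main__":
    for label, sample in [("docm", SAMPLE_DOCM), ("docx", SAMPLE_DOCX),
                          ("doc+vba", SAMPLE_DOC_MACRO), ("doc", SAMPLE_DOC_PLAIN),
                          ("pdf+js", SAMPLE_PDF_JS), ("pdf", SAMPLE_PDF_PLAIN),
                          ("zip(docm)", SAMPLE_NESTED)]:
        print(f"{label:10} {classify(sample):24} quarantine={should_quarantine(sample)}")
```

The nested sample shows why the extension list in step 1 is only a hint: the member is named .docx but is a macro-enabled package, and the wrapping zip would pass a filter that only looks at the outer filename. Encrypted archives are quarantined outright because the gateway cannot see inside them.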

The information in this alert is gathered from NCSC-FI.