Number: AL20-024
Date: 8 October 2020
AUDIENCE
This Alert is intended for IT professionals and managers of notified organizations.
PURPOSE
An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.
OVERVIEW
Since July 2020 the Cyber Centre has been aware of an increase in malicious activity associated with Emotet malware campaigns. Emotet has been frequently observed working in tandem with Trickbot and Ryuk malware in a persistent attempt to compromise computer systems within Canada.
DETAILS
Throughout 2019 and 2020, the Cyber Centre has received reports in which hundreds of Canadian victims across a wide range of government and commercial sectors, police services, and education providers have been compromised by Emotet. In addition, both the Cybersecurity and Infrastructure Security Agency (CISA) [1] and the Australian Cyber Security Centre (ACSC) [2] have issued publications on Emotet malware, both noting similar observations and a recent increase in activity.
Emotet is an advanced botnet that has infected hundreds of thousands of systems worldwide. Once a system is infected by Emotet, additional malware, including Trickbot and Ryuk [3][4], may be implanted on the system, resulting in data exfiltration or attempts to extort the victim. Emotet malware can be spread through untargeted bulk spam emails (such as shipping notifications or "past-due" invoices), as well as through what appear to be targeted malicious emails (spear phishing).
Targeted emails are particularly effective because they appear to come from a trusted source, often someone with whom the recipient has recently been in communication. The Cyber Centre has also received reports of Emotet email campaigns leveraging 'thread hijacking', a technique in which malicious emails are inserted into existing email threads, and using password-protected zip files to evade detection by network defences [5]. These techniques produce convincing messages that an unaware recipient may believe to be trustworthy; the recipient is then encouraged to download malware by opening an attachment (a macro-enabled Microsoft Word document or PDF) or clicking a malicious link.
SUGGESTED ACTION
The Cyber Centre recommends that organizations and individuals:
- Follow the Cyber Centre's guidance to stay cyber safe (https://www.getcybersafe.gc.ca).
- Scan all incoming and outgoing e-mails to detect threats and prevent executable files or macro-enabled documents from reaching end users.
- Always exercise caution when receiving an unexpected email or email reply containing an attachment or URL, even when from a trusted source. If the email seems unusual, contact the sender to confirm the authenticity of the attachment.
- Avoid enabling macros within a document received via email.
- Use anti-virus protection and ensure that it is diligently kept up to date.
- Implement architectural controls for network segregation and protection.
- Perform daily backups of all critical systems, maintain offline and offsite copies of backup media and periodically test data restoration processes from backups, including key databases to ensure integrity of existing backups and processes.
- Ensure operating systems receive the latest patches.
- Further advice and guidance is available within partner publications CISA Alert AA20-280A [1] and ACSC Advisory 2020-017 [2].
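The following is an added example, not code from the Cyber Centre or from the referenced advisories, showing the kind of attachment check a mail-gateway or SOC script can apply against the lures described in the Details section (macro-enabled Office documents and password-protected zip files) and the scanning recommendation above. It builds a constructed sample message in memory (sender, subject, attachments and the "password is 1234" body are all invented), then classifies each attachment. Macro-enabled OOXML documents are recognised by the presence of a vbaProject.bin part; a password-protected zip is recognised by the encryption bit in its entry headers (the sample flips that bit on a plain zip so the check can run offline; no real encryption is applied); executables are recognised by extension or the MZ header; legacy binary Office files are flagged for deeper inspection because VBA cannot be confirmed without parsing the OLE container. The extension blocklist is an assumption to be tuned to local policy.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions to block at the gateway (assumption: adjust to local policy).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".ps1", ".jar", ".cmd", ".bat"}
# Magic bytes of the legacy binary Office container (.doc/.xls); VBA may be inside.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def zip_entries(data):
    """Return the entry list if data is a zip container, otherwise None."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.infolist()
    except zipfile.BadZipFile:
        return None


def classify_attachment(filename, data):
    """Classify one decoded attachment body; returns a short verdict string."""
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    if ext in BLOCKED_EXTENSIONS or data[:2] == b"MZ":
        return "executable"
    if data.startswith(OLE_MAGIC):
        # Legacy .doc/.xls: cannot confirm macros here; send to olevba/sandbox.
        return "legacy-office-binary"
    entries = zip_entries(data)
    if entries is None:
        return "clean"
    # Bit 0 of the general-purpose flags marks an encrypted (password-protected) entry.
    if any(e.flag_bits & 0x1 for e in entries):
        return "password-protected-zip"
    # OOXML (.docm/.xlsm and mis-named .docx) stores VBA in a vbaProject.bin part.
    if any(e.filename.lower().endswith("vbaproject.bin") for e in entries):
        return "macro-enabled-document"
    return "clean"


def scan_message(raw):
    """Parse a raw RFC 5322 message and return [(attachment name, verdict), ...]."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        findings.append((name, classify_attachment(name, payload)))
    return findings


# ---- constructed sample data (not real Emotet artefacts) ----

def _docm_with_macro():
    """Minimal OOXML-style zip carrying a vbaProject.bin part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def _set_zip_encrypted_flag(data):
    """Set bit 0 of the flags in every local (PK\\x03\\x04, offset 6) and central
    (PK\\x01\\x02, offset 8) header so the zip reports as password-protected.
    This only flips the flag for the demo; the content is not encrypted."""
    data = bytearray(data)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = data.find(sig)
        while pos != -1:
            data[pos + off] |= 0x01
            pos = data.find(sig, pos + 4)
    return bytes(data)


def build_sample_email():
    """Constructed thread-hijack style reply with three attachments."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "RE: Invoice 4417 past due"
    msg.set_content("Please see the attached; the archive password is 1234.")
    msg.add_attachment(_docm_with_macro(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="invoice.docm")
    plain = io.BytesIO()
    with zipfile.ZipFile(plain, "w") as zf:
        zf.writestr("invoice.doc", b"placeholder, not a real document")
    msg.add_attachment(_set_zip_encrypted_flag(plain.getvalue()),
                       maintype="application", subtype="zip", filename="invoice.zip")
    msg.add_attachment("meeting notes", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict in scan_message(build_sample_email()):
        print(f"{name}: {verdict}")
```

A password-protected archive cannot be inspected at the gateway, so the practical policy is to quarantine or strip it rather than deliver it; likewise a "legacy-office-binary" verdict should route the file to an OLE/VBA parser or sandbox rather than be treated as clean, since this check only confirms macros for the OOXML layout.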
Should organizations identify activity associated with that described in this Alert, recipients are encouraged to contact the Cyber Centre by email (contact@cyber.gc.ca) or by telephone (1-833-CYBER-88 or 1-833-292-3788).
REFERENCES
[1] CISA Alert AA20-280A Emotet Malware:
https://us-cert.cisa.gov/ncas/alerts/aa20-280a
[2] ACSC Advisory 2020-017 Resumption of Emotet malware campaign:
https://www.cyber.gov.au/acsc/view-all-content/advisories/advisory-2020-017-resumption-emotet-malware-campaign
[3] Cyber Centre Alert AL19-202:
https://cyber.gc.ca/en/alerts/ryuk-ransomware-campaign
[4] Cyber Centre Alert Active Spam Campaigns Leveraging EMOTET Malware:
https://cyber.gc.ca/en/alerts/active-spam-campaigns-leveraging-emotet-malware
[5] BleepingComputer Emotet double blunder: fake 'Windows 10 Mobile' and outdated messages:
https://www.bleepingcomputer.com/news/security/emotet-double-blunder-fake-windows-10-mobile-and-outdated-messages/
NOTE TO READERS
The Canadian Centre for Cyber Security (Cyber Centre) operates as part of the Communications Security Establishment. We are Canada's national authority on cyber security and we lead the government's response to cyber security events. As Canada's national computer security incident response team, the Cyber Centre works in close collaboration with government departments, critical infrastructure, Canadian businesses and international partners to prepare for, respond to, mitigate, and recover from cyber events. We do this by providing authoritative advice and support, and coordinating information sharing and incident response. The Cyber Centre is outward-facing, welcoming partnerships that help build a stronger, more resilient cyber space in Canada.