The Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) has issued a warning about the return of Emotet malware, which poses a significant threat to the healthcare and public health (HPH) sector.
Emotet first appeared in 2014 and initially functioned as a banking Trojan; however, the malware evolved over the years and additional functionality has been added. Emotet is capable of data exfiltration and is used for credential theft, and the botnet of infected devices is offered to other cybercriminal groups under the infrastructure-as-a-service model to drop additional third-party malware payloads on infected devices. Emotet has been used to drop malware such as TrickBot, IcedID, Qbot, and Azorult, and ransomware variants such as Ryuk and BitPaymer.
According to Europol, Emotet is the world’s most dangerous malware, and at its height one in five organizations worldwide had at least one device infected with it. According to Malwarebytes, almost 80% of the malware downloaded onto the computer systems of healthcare organizations consists of Trojans, and Emotet is the most common Trojan in attacks on the sector, accounting for 37% of all Trojan infections.
In January 2021, a coalition of law enforcement agencies in North America and Europe disrupted the Emotet botnet infrastructure, and in April 2021 a wiper was deployed to remove the malware from all infected devices; however, the cybercriminal group that operates the botnet – MUMMY SPIDER – has rebuilt its infrastructure and is rebuilding the botnet. The Emotet malware has been updated with a new loader, its dropper capabilities have been enhanced, and there is new command-and-control infrastructure that already includes 246 systems, with that number still growing.
Emotet is primarily delivered via phishing emails, although infections have also occurred through the exploitation of vulnerabilities and brute force attacks. Email campaigns typically carry Office attachments with malicious macros, although hyperlinks are also used. Microsoft started blocking macros automatically in Office documents in February 2022; however, if a user enables content in a document or spreadsheet, the macros are allowed to run and will deliver the Emotet payload.
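Because the macro-laden Office attachment is the dominant delivery vehicle described above, a mail gateway or detection pipeline can flag such attachments before a user ever sees the "Enable Content" prompt. The following is an added illustration written for this page, not code from HC3 or from any vendor mentioned here. It assumes only the Python standard library and relies on two documented properties of Office files: modern OOXML documents (.docx, .xlsm, and so on) are zip archives whose macro-enabled variants contain a `vbaProject.bin` part and declare a `macroEnabled` content type, while legacy binary formats (.doc, .xls) are OLE compound files that start with a fixed magic sequence. Legacy files are not parsed here; they are routed to sandbox review because verifying the absence of VBA in them is not cheap to do inline. The sample documents are constructed in memory for the demonstration.

```python
"""Flag Office email attachments that carry (or may carry) VBA macros.

Added example for illustration only; not part of the HC3 Emotet brief.
Verdicts:
  'macro'      - OOXML archive with a vbaProject.bin part, a macroEnabled
                 content type, or a macro-enabled file extension
  'ole-legacy' - legacy OLE compound file (.doc/.xls); send to sandbox review
  'clean'      - OOXML archive with no macro indicators
  'not-office' - anything else
"""
import io
import zipfile

# Magic bytes at the start of every OLE compound file (legacy .doc/.xls).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Extensions that Office itself reserves for macro-enabled documents.
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam",
                    ".pptm", ".potm", ".ppam"}


def classify_attachment(filename: str, data: bytes) -> str:
    """Classify one attachment from its name and raw bytes."""
    lower = filename.lower()
    ext = lower[lower.rfind("."):] if "." in lower else ""

    if data.startswith(OLE_MAGIC):
        return "ole-legacy"

    if not data.startswith(b"PK\x03\x04"):
        return "not-office"

    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            # Every OOXML package has this part; plain zips do not.
            if "[Content_Types].xml" not in names:
                return "not-office"
            content_types = zf.read("[Content_Types].xml")
    except zipfile.BadZipFile:
        return "not-office"

    if any(n.lower().endswith("vbaproject.bin") for n in names):
        return "macro"
    if b"macroEnabled" in content_types:
        return "macro"
    if ext in MACRO_EXTENSIONS:
        # The name claims macro-enabled even if the parts do not; treat as such.
        return "macro"
    return "clean"


def scan_message(attachments):
    """Return (filename, verdict) for every attachment that needs action.

    `attachments` is an iterable of (filename, bytes) pairs, as a gateway
    would extract them from a MIME message.
    """
    flagged = []
    for name, data in attachments:
        verdict = classify_attachment(name, data)
        if verdict in ("macro", "ole-legacy"):
            flagged.append((name, verdict))
    return flagged


def build_ooxml(parts, include_content_types=True,
                content_types="<Types/>") -> bytes:
    """Constructed sample: a minimal OOXML-style zip with the given parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if include_content_types:
            zf.writestr("[Content_Types].xml", content_types)
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed attachments standing in for a phishing email's payload.
    samples = [
        ("invoice.docm", build_ooxml({"word/vbaProject.bin": b"\x00"})),
        ("report.docx", build_ooxml({"word/document.xml": "<w:document/>"})),
        ("old_form.doc", OLE_MAGIC + b"\x00" * 16),
        ("notes.txt", b"plain text"),
    ]
    for name, verdict in scan_message(samples):
        print(f"{name}: {verdict}")
```

In a real deployment the `macro` verdict would quarantine the message and the `ole-legacy` verdict would hand the file to a sandbox; the point of the content-type and part checks is that they do not trust the file extension, which the attacker controls.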
According to Proofpoint, the Emotet gang is working on new tactics, techniques, and procedures, including phishing emails that use OneDrive links, which email security solutions often mark as benign. Emotet is capable of self-propagation: it hijacks existing message threads and sends a copy of itself to contacts via email from an infected device, so emails distributing the malware may appear to come from a trusted source.
Blocking Emotet requires a defense-in-depth approach to target the phishing emails that deliver the malware and block access to the websites where the Trojan is hosted. Antivirus software should be installed on all endpoints, and security awareness training provided to the workforce. Additional mitigations and recommended defenses, along with an analysis of the malware, can be found in the HC3 Emotet Threat Brief.