Scam of the Week: Fake Invoices Scam Spreads Emotet Malware

February 21, 2020 10:36 am Natasha Deeney Emotet malware

Just weeks after Emotet returned with a fake extortion email campaign, it appears that the prolific malware is back with a vengeance. In its latest attack, the malware turned botnet shows no signs of slowing down with attacks now launched against financial institutions. 

Originally designed as a banking malware that attempted to steal sensitive and personal information, the trojan was first identified by security researchers in 2014. Since then, later versions of the software have seen the addition of spamming and malware delivery services. 

Due to its highly destructive potential, Emotet was the subject of a US-CERT security notice in July 2018. Last year, it accounted for almost two-thirds of malicious payloads delivered in phishing attacks

This time, the notorious botnet has turned its attention to targeting banks and financial institutions in the US and the UK, with attacks that not only steal sensitive financial data but also download and install additional malware, which leaves access for future attacks.  

Like previous Emotet campaigns, the malware is delivered via phishing emails that contain a PDF document with built-in malicious scripts. However, a unique feature of this campaign is that email subject lines are based around invoices, bank details, and other financial terms to attract the attention of employees in the finance sector. 

A sample of subject lines for this campaign include: 

  • Sales invoice account 
  • Your recent payment notice 
  • Your recent payment notification 
  • Invoice No Q7370 
  • Invoice/statement ready to view 

The scam starts with a spam email appearing to come from a legitimate or familiar organisation. Following the instructions in the document, the victim enables macros by downloading a PDF that has been disguised as an invoice. The Emotet payload is then installed and launched. Subsequently, this reports the successful compromise to its C&C server and it then receives instructions on which attack modules and secondary payloads to download. 

As soon as the device is infected, Emotet will attempt to spread to other devices on the network and scan through the victim’s contact lists to send out further malicious emails. With this backdoor access, hackers can then steal financial information, which can later lead to extortion, obtain credentials to other accounts, steal locally-stored cryptocurrency wallets and hold data in exchange for ransom. 

The surge in Emotet activity shows that it remains a major threat for many organisations and future campaigns are expected to become more devious and dangerous. 

How can you prevent Emotet infection? 

  • Use anti-virus software – Emotet has been highly successful in avoiding detection from many forms of anti-virus software solutions. However, it’s still vital to invest in a trustworthy anti-virus solution that uses behaviour blocking technology in addition to signature-based protection. 
  • Keep your software up to date with the latest security patches from Microsoft – Emotet will often take advantage of the Windows Eternal Blue Vulnerability. Regular patching will fix security vulnerabilities, remove outdated features and update drivers. 
  • As Emotet relies heavily on phishing emails, engaging Cyber Security awareness training will help to educate employees about how to effectively recognise and respond to phishing threats. 
  • Never click on links or download attachments from unknown sources. Emotet can’t get that initial foothold on your system or network if you avoid those suspect emails. 
  • Educate yourself and your users about creating strong passwords  
  • Use Two Factor-Authentication (2FA) – Two-Factor-Authentication adds an additional layer of security to the authentication process by making it harder for a hacker to gain access to a person’s device. In addition to a password, two-factor authentication requires a second piece of information to confirm the user’s identity. 
  • Block questionable files and attachments – Consider blocking attachments that are commonly associated with malware, such as .dll and .exe, and attachments that cannot be scanned by antivirus software, such as .zip files. 

Phishing is the number one cause of all cyber-attacks and continues to prove one of the easiest ways to steal valuable data and deliver ransomware. MetaPhish has been created to provide a powerful defence against these threats and enables organisations to find out just how susceptible their company is to phishing. Get in touch for further information on how MetaPhish can be used to protect your business.