Emotet: France on alert for an intensification of attacks
Back since July after several months of dormancy, the Emotet threat is hitting France. Anssi has published an alert bulletin.
In July, several cybersecurity companies warned of a return of the Emotet malware after a five-month hiatus. Today, the National Agency for Information Systems Security (Anssi) is issuing its own alert.
This means that France is the target of attack campaigns using the Emotet malware and the botnet of the same name that distributes it. Anssi thus reports an upsurge in Emotet activity in France and calls on administrations and companies to be vigilant.
As a reminder, Emotet has evolved from a banking Trojan detected in 2014 into a modular malware-as-a-service infrastructure for delivering a variety of malicious payloads. The group known as TA542 is believed to be behind it.
“The early detection and treatment of an Emotet-related security event can prevent many types of attacks, including those by ransomware before encryption”, writes Anssi, which points in its alert bulletin to indicators of compromise.
It is advisable to pay particular attention to it because Emotet is now used to deposit other malicious code that could strongly impact the activity of victims. https://t.co/R0wUX3PH7c
– CERT-FR (@CERT_FR) September 7, 2020
Emotet made a comeback this summer via phishing and malicious spam campaigns, with emails containing a URL or an attachment leading to booby-trapped Word documents. A macro in the document executes the payload, which then contacts command-and-control servers.
Anssi emphasizes in particular phishing that relies on hijacking existing email conversation threads. When an employee’s mailbox is compromised, Emotet exfiltrates the content of certain emails. “Attackers can then produce phishing emails in the form of a response to a chain of emails exchanged between the employee and partners of the entity for which he works.”
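The two techniques described above (macro-bearing Word attachments and fake replies to existing threads) both leave traces that a mail gateway can inspect. The following script is an added example written for this article, not code from Anssi or CERT-FR: it flags an attachment that embeds a VBA project (the `vbaProject.bin` part of an OOXML file, or the `_VBA_PROJECT` stream of a legacy OLE `.doc`) and, as a heuristic, a reply-style subject that carries no `In-Reply-To`/`References` header, which a genuine reply from a mail client would set. The sample messages and attachment bytes are constructed inline and use reserved `.invalid` domains; they are not real Emotet artefacts.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# File-type magic numbers: OLE compound file (legacy .doc) and ZIP (OOXML .docx/.docm).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"
# OLE directory entries store stream names in UTF-16LE; this one only exists
# when a VBA project is embedded in the document.
OLE_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")
# Subject prefixes that claim the mail is a reply or forward (French "TR:" included).
REPLY_PREFIXES = ("re:", "tr:", "fw:", "fwd:")


def office_has_macros(blob: bytes) -> bool:
    """Return True if the bytes look like an Office document with a VBA project."""
    if blob.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(blob)) as zf:
                return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
        except zipfile.BadZipFile:
            return False
    if blob.startswith(OLE_MAGIC):
        return OLE_VBA_MARKER in blob
    return False


def triage_message(raw: bytes) -> list[str]:
    """Inspect one raw RFC 5322 message and return a list of findings (empty = nothing seen)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    subject = (msg.get("Subject") or "").strip().lower()
    # Heuristic (assumption): a real reply carries threading headers; a crafted
    # "reply" built from stolen thread content often does not.
    if subject.startswith(REPLY_PREFIXES) and not (msg.get("In-Reply-To") or msg.get("References")):
        findings.append("reply-style subject without threading headers")
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        blob = part.get_payload(decode=True) or b""
        if office_has_macros(blob):
            findings.append(f"macro-enabled Office attachment: {name}")
    return findings


# --- Constructed samples (not real documents or mail) ---

def build_sample_macro_doc() -> bytes:
    """Stand-in for a legacy .doc: OLE header followed by the VBA stream name."""
    return OLE_MAGIC + b"\x00" * 64 + OLE_VBA_MARKER + b"\x00" * 64


def build_sample_macro_docx() -> bytes:
    """Minimal OOXML-shaped zip that carries a vbaProject.bin part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def build_sample_message(attachment: bytes, filename: str, reply_headers: bool) -> bytes:
    """Build a message that looks like a reply in an invoice thread (constructed data)."""
    msg = EmailMessage()
    msg["From"] = "Compta <compta@partner-example.invalid>"
    msg["To"] = "user@corp-example.invalid"
    msg["Subject"] = "RE: Facture septembre"
    if reply_headers:
        msg["In-Reply-To"] = "<original-thread-id@corp-example.invalid>"
        msg["References"] = "<original-thread-id@corp-example.invalid>"
    msg.set_content("Bonjour, ci-joint le document demande.")
    msg.add_attachment(attachment, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    suspicious = build_sample_message(build_sample_macro_doc(), "facture.doc", reply_headers=False)
    benign = build_sample_message(b"hello", "note.txt", reply_headers=True)
    print("suspicious:", triage_message(suspicious))
    print("benign:", triage_message(benign))
```

The macro check deliberately looks only at the file bytes, never at the extension, so a renamed `.docm` is still caught; the threading-header heuristic alone is not proof of anything, which is why both findings are returned together for an analyst or a scoring rule to weigh.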
The Anssi alert is in any case probably no coincidence: the Interior Ministry, for example, recently and temporarily blocked files in .doc format because of an email attack campaign.