Emotet is one of the most persistent and dangerous cyberthreats around today. According to the latest statistics, there are over 30,000 variants of this botnet, which was first seen as a banking Trojan back in 2014. Last year, Emotet represented 45% of the URLs that were used to download malware. According to Any.Run, a public service that allows interaction with malware running in a sandbox for analysis purposes, Emotet was the most prevalent malware of 2019. In fact, it was used in some of the ransomware attacks that shook the cybersecurity world in 2019.

Emotet hits the United Nations

After a three-week break, in which the botnet showed no signs of activity, Emotet returned to its malspam campaigns on January 13. While the emails that the botnet usually sends try to pass for accounting reports, delivery notifications, or invoices, the Emotet operators had prepared something special for the United Nations (UN).

As many as 600 email addresses were hit in this targeted attack, which sent emails claiming to be from the Permanent Mission of Norway at the United Nations in New York. The email claimed that there was a problem with an agreement that had already been signed, and which was attached to the email.

If this document is opened, it warns that the “document [is] only available for desktop or laptop versions of Microsoft Office Word”, and that the victim needs to click “enable editing” or “enable content” to be able to see the document. If the user follows these instructions, the malicious macros in the Word document run, downloading and installing Emotet. Once this happens, the botnet runs in the background, sending spam emails to other victims.

Installation of Emotet is not the end

Once Emotet has been installed on a computer, one of the malware payloads that is invariably installed is the Trojan TrickBot. This Trojan’s goal is to gather data such as cookies, credentials, or files from affected computers. It may also try to move from one computer to another in order to spread the infection.

One it has gathered the information it was seeking, TrickBot opens a reverse shell to the operators of the ransomware Ryuk. With this shell, the Ryuk operators can infiltrate the network, gain administrator controls and deploy Ryuk in order to encrypt all devices on the network.

A botnet that can adapt

This botnet’s modus operandi is proof of cybercrime’s constant capacity to evolve. Emotet doesn’t settle for using the same email template for all of its potential victims; it adapts, as we have seen in this case. Other versions of Emotet emails that have been seen are invitations to a Halloween party, to a Christmas party, or to a climate change demonstration.

Don’t become the next victim of Emotet

The fact that a global organization such as the UN has been hit by attempts to infect it with Emotet demonstrates the reach of this botnet. This is why it is so important for any company that wants to protect its cybersecurity to take steps to avoid becoming the next victim of Emotet.

Employees tend to be the weakest link in the cybersecurity chain. This is why it is so important to train them in how to recognize phishing emails, which may contain more than just malware, and could lead to BEC scams and other kinds of fraud. In fact, According to Verizon, 93% of data breaches start with a phishing attack, and 95% of all cyberattacks on corporate networks stem from a phishing email. More important still is to insist on the importance of not opening attachments, which can infect the organization’s entire network.

Another vital measure to protect against this kind of advanced threat are cybersecurity solutions. Panda Adaptive Defense has technology specifically developed to detect this banking Trojan. “It is important to bear in mind that, without advanced protection, the client will be infected,” says Pedro Uría, director of PandaLabs.