The National Cyber Security Centre SK-CERT warns — EMOTET is active again

The National Cyber Security Centre SK-CERT warns against the resumption of activities of a recently dismantled EMOTET botnet. Since we experienced incidents related to EMOTET botnet also in Slovakia in the past, it is very likely to expect this botnet to reappear in the Slovak cyberspace as well.

What is EMOTET?

EMOTET malware is considered to be the most expanded malicious software, using e-mails to spread malicious content. Once installed, it uses infected devices to spread additional spam and install malicious codes, such as Qbot and TrickBot.

In the past, EMOTET built up a wide infrastructure. It was also a gateway for other attackers to whom EMOTET operators sold ransomware distribution services (such as Ryuk, Conti, ProLock, Egregor, and so on). 

EMOTET has now resumed its activities through the infrastructure used by TrickBot malware.

Current IOC

Along with the information on resumed activities of EMOTET botnet, a list of IOC has been published:

Command-and-Control (C&C) servers:

Regularly updated lists of C&C servers are available at the following links:

https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt

https://feodotracker.abuse.ch/browse/emotet/

MD5 file hashes

56688abc927a0aa9e9fffe1acfe5fa86

579333349009e0644947cf60751e0aae

eb1493acf69f2ea72cbd800bcee6f1aa

13b09350d8748cce048dfae731a2092f

Recommendations

The National Cyber Security Centre SK-CERT (hereinafter referred to as SK-CERT) recommends the following for system and network administrators and security experts:

  • check the presence of the above IOC on security devices and in monitoring;
  • block and monitor communication with C&C servers on security features;
  • educate staff about possible phishing campaigns spreading EMOTET together with recommendations on how to proceed if a suspicious e-mail is received;
  • maintain server, network and user infrastructure updated as EMOTET may exploit known vulnerabilities;
  • in case of a positive occurrence of the above IOC in your infrastructure, contact SK-CERT at incident@nbu.gov.sk together with a detailed description of the incident.

For standard users, SK-CERT recommends the following:

 

  • keep your devices updated. EMOTET can rely on both current and older vulnerabilities;
  • follow the basic principles of cyber hygiene:
  • do not open unverified messages and messages from unknown users;
  • do not open suspicious attachments (even in familiar formats such as .pdf/.docx and so on);
  • disable macros in documents;
  • do not open suspicious URLs;
  • if e-mail applications are used, disable the attachments preview function;
  • in case of suspicion, verify the content of the message with the sender in a different way (by phone, in person);
  • never respond to messages requesting any personal and sensitive information (login names, passwords, payment details);
  • backup your data on a regular basis; the best way is to make offline backups on data-storage devices.

« Späť na zoznam