10/7/2020 DHS warns that Emotet malware is one of the most prevalent threats today | Ars Technica

ON THE RISE —

DHS warns that Emotet malware is one of the most prevalent threats today
US detects more than 16,000 alerts since July for nasty trojan that's hard to spot.
DAN GOODIN - 10/7/2020, 9:16 AM
The malware known as Emotet has emerged as “one of the most prevalent ongoing threats” as it
increasingly targets state and local governments and infects them with other malware, the
cybersecurity arm of the Department of Homeland Security said on Tuesday.

Emotet was first identified in 2014 as a relatively simple trojan for stealing banking account
credentials. Within a year or two, it had reinvented itself as a formidable downloader or dropper that,
after infecting a PC, installed other malware. The Trickbot banking trojan and the Ryuk ransomware
are two of the more common follow-ons. Over the past month, Emotet has successfully burrowed
into Quebec’s Department of Justice and increased its onslaught on governments in France, Japan,
and New Zealand. It has also targeted the Democratic National Committee.

Not to be left out, US state and local governments are also receiving unwanted attention, according
to CISA, the Cybersecurity and Infrastructure Security Agency. Einstein—the agency’s
intrusion-detection system for collecting, analyzing, and sharing security information across the
federal civilian departments and agencies—has also noticed a big uptick in recent weeks. In an
advisory issued on Tuesday, officials wrote:

Since July 2020, CISA has seen increased activity involving Emotet-associated indicators.
During that time, CISA’s EINSTEIN Intrusion Detection System, which protects federal, civilian
executive branch networks, has detected roughly 16,000 alerts related to Emotet activity.
CISA observed Emotet being executed in phases during possible targeted campaigns. Emotet
used compromised Word documents (.doc) attached to phishing emails as initial insertion
vectors. Possible command and control network traffic involved HTTP POST requests to
Uniform Resource Identifiers consisting of nonsensical random length alphabetical
directories to known Emotet-related domains or IPs with the following user agent string
(Application Layer Protocol: Web Protocols [T1071.001]).
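The command-and-control traffic shape CISA describes (HTTP POST requests to paths made of random-length, purely alphabetic directories) can be turned into a log-review heuristic. The following is an added example written for this page, not code from the article or from CISA's advisory; the proxy log lines, hostnames and the watchlist are constructed placeholders, and the elided user agent string is not assumed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample proxy log lines ("method url status user-agent"); not real traffic.
SAMPLE_LOG = """\
POST http://example-c2.invalid/wFxqzkPe/ZqlKQbvTtmgxR/ 200 Mozilla/4.0
GET http://cdn.example.com/assets/app.js 200 Mozilla/5.0
POST http://www.example.com/api/v1/login 200 Mozilla/5.0
POST http://203.0.113.10/Hnq/aBcDeFgHiJkLm/xYz/ 200 Mozilla/4.0
POST http://update.example.org/images/logo.png 200 Mozilla/5.0
POST http://other.example.net/Qw/RtyUiop/ 200 Mozilla/4.0
POST http://www.example.com/login 200 Mozilla/5.0
"""

# Placeholder watchlist; in practice this comes from CISA or a threat-intel feed.
KNOWN_EMOTET_HOSTS = {"example-c2.invalid", "203.0.113.10"}

ALPHA_SEGMENT = re.compile(r"^[A-Za-z]+$")


@dataclass
class Hit:
    host: str
    path: str
    reason: str  # "watchlist" (host known) or "heuristic" (URI shape only)


def random_alpha_dirs(path: str) -> bool:
    """True when the path has at least two segments, every segment is purely
    alphabetic (no digits, dots or extensions) and the segment lengths differ,
    which is the URI shape CISA described for Emotet C2 POSTs."""
    segs = [s for s in path.split("/") if s]
    if len(segs) < 2 or not all(ALPHA_SEGMENT.match(s) for s in segs):
        return False
    return len({len(s) for s in segs}) > 1


def score_line(line: str) -> Optional[Hit]:
    """Flag a single proxy log line; only POSTs with the suspicious path shape count."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "POST":
        return None
    url = urlsplit(parts[1])
    if not random_alpha_dirs(url.path):
        return None
    host = url.hostname or ""
    return Hit(host, url.path, "watchlist" if host in KNOWN_EMOTET_HOSTS else "heuristic")


def scan(log: str) -> List[Hit]:
    """Return all flagged lines; heuristic-only hits deserve analyst review, not blocking."""
    return [h for h in (score_line(l) for l in log.splitlines()) if h]
```

On the sample log this flags three POSTs: two to watchlisted hosts and one heuristic-only hit, while ordinary API and static-asset requests pass.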

Emotet’s success is the result of a host of tricks, a few of which include:

The ability to spread to nearby Wi-Fi networks
A polymorphic design, meaning it constantly changes its identifiable characteristics, making it hard to detect as malicious
Fileless infections, such as PowerShell scripts, that also make post-infection activity difficult to detect
Worm-like features that steal administrative passwords and use them to spread throughout a network
“Email thread hijacking,” meaning it steals email chains from one infected machine and uses a spoofed identity to respond, tricking other people in the thread into opening a malicious file or clicking on a malicious link.

Below is a diagram showing some of the techniques employed by Emotet. (Diagram: CISA)

In February, Emotet suddenly went dark, with no clear reason for doing so. Then in July it just as
quickly returned.

Emotet attackers have been blasting out malicious spam ever since. According to a separate blog
post published on Tuesday, security firm Intezer said it, too, is seeing a big increase, with 40 percent
of the samples analyzed by its enterprise customers and community users being classified as Emotet.

“In a world where everything is seemingly unpredictable, it does seem we can count on Emotet to
keep us on our toes,” Intezer researchers wrote. “That shouldn’t stop us from being more strategic in
how we adapt our approach to make it easier to identify this threat.”

DAN GOODIN
Dan is the Security Editor at Ars Technica, which he joined in 2012 after working for The Register, the
Associated Press, Bloomberg News, and other publications.

EMAIL dan.goodin@arstechnica.com // TWITTER @dangoodin001
