Emotet malware campaign back in action
Cybercriminals are engaged in a sustained campaign targeting the Australian healthcare sector, according to the Australian Cyber Security Centre (ACSC).
In a threat advisory, the Australian Signals Directorate unit warned it has “identified a sustained campaign by sophisticated cybercrime actors impacting the Australian health sector”.
Attackers are using the high-profile Emotet and TrickBot malware to spread ransomware variants to Australian healthcare providers.
The attack campaign is not limited to Australia, with the US Cybersecurity and Infrastructure Security Agency (CISA) recently issuing a similar cybersecurity alert.
The increase in activity targeting the health sector is similar to the activity detailed in the ACSC’s recent threat advisory warning of a resumption in the Emotet malware campaign aimed at a range of Australian targets, including critical infrastructure providers and government agencies.
Emotet is most commonly spread through malicious emails containing Microsoft Office attachments with infected macros. There have also been reports of PDF attachments containing Emotet, the ACSC said.
These macros are configured to download and install the Emotet malware when opened. Once present on a machine, Emotet attempts to spread within a network by brute-forcing user credentials and writing to shared drives.
Emotet also often downloads a secondary malware, called TrickBot, onto infected machines. TrickBot is a modular, multipurpose, command-and-control tool that allows attackers to harvest emails and credentials, move laterally within a network using exploits like EternalBlue, and deploy even more malware on infected networks.
A number of Emotet/TrickBot infections have resulted in ransomware attacks. Notably, there has been a recent attack on the Victorian health sector using the Ryuk ransomware variant.
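The delivery and spread behaviour described above (an Office document launching a downloader, then credential brute-forcing from the infected machine) can be hunted for by chaining two signals per host. The following is an added example, not part of the ACSC advisory; the event fields, host names, paths and thresholds are constructed assumptions standing in for process-creation and failed-logon records.

```python
from collections import defaultdict
from datetime import datetime, timedelta

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
WINDOW = timedelta(minutes=10)  # assumed burst window
MIN_ACCOUNTS = 4                # assumed distinct-account threshold

def exe(path):
    return path.rsplit("\\", 1)[-1].lower()

def macro_spawn_hosts(events):
    """Map host -> time of its earliest Office-to-interpreter process creation."""
    hits = {}
    for e in events:
        if e["type"] == "proc" and exe(e["parent"]) in OFFICE and exe(e["image"]) in INTERPRETERS:
            hits[e["host"]] = min(hits.get(e["host"], e["time"]), e["time"])
    return hits

def spray_hosts(events):
    """Map source host -> start of its first WINDOW with failures on >= MIN_ACCOUNTS accounts."""
    by_src = defaultdict(list)
    for e in events:
        if e["type"] == "logon_fail":
            by_src[e["host"]].append((e["time"], e["user"]))
    hits = {}
    for src, fails in by_src.items():
        for start, _ in sorted(fails):
            users = {u for t, u in fails if timedelta(0) <= t - start <= WINDOW}
            if len(users) >= MIN_ACCOUNTS:
                hits.setdefault(src, start)
    return hits

def triage(events):
    """Rate a host 'high' when a macro-style spawn is followed by a logon-failure burst."""
    spawns, sprays = macro_spawn_hosts(events), spray_hosts(events)
    return {h: "high" if h in spawns and h in sprays and sprays[h] >= spawns[h] else "review"
            for h in set(spawns) | set(sprays)}

def ev(kind, host, minute, **kw):  # one constructed event; minute = offset from 09:00
    return {"type": kind, "host": host, "time": datetime(2000, 1, 1, 9) + timedelta(minutes=minute), **kw}
SAMPLE = [  # constructed sample data, not real telemetry
    ev("proc", "WS01", 0, parent=r"C:\Office\WINWORD.EXE", image=r"C:\Windows\System32\powershell.exe"),
    *[ev("logon_fail", "WS01", 5 + i, user=u) for i, u in enumerate(["alice", "bob", "carol", "dave"])],
    ev("proc", "WS02", 3, parent=r"C:\Office\EXCEL.EXE", image=r"C:\Windows\System32\cmd.exe"),
    ev("proc", "WS03", 4, parent=r"C:\Windows\explorer.exe", image=r"C:\Windows\System32\powershell.exe"),
    *[ev("logon_fail", "WS04", 60 * i, user=u) for i, u in enumerate(["alice", "bob", "carol", "dave"])],
]
if __name__ == "__main__":
    print(sorted(triage(SAMPLE).items()))
```

On the sample, WS01 is rated high and WS02 needs review, while WS03 (interpreter not started by Office) and WS04 (failures spread over hours) are not flagged.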