Emotet strikes again, targeting 600 United Nations personnel

The Emotet Trojan, identified by security teams in 2014, started out as banking malware meant to steal sensitive data. Initially focused on the financial sectors, the malware later morphed, adding spamming and malware delivery services.

Emotet’s latest phishing campaign targets 600 United Nations staffers and officials using Norway’s diplomatic presence in New York as bait.

Impersonating the Permanent Mission to the United Nations in New York, the attackers sent a phishing email stating that the Norwegian representatives have found a problem, with an agreement named “Doc_01_13” also attached.

You can read the full text of the Emotet phishing email below:

“Hi,

Please be advised that the new problem has been appeared today.

See below our info for this question.

Please let me know if you need anything else.

Regards

Permanent Mission of Norway to the United Nations in New York”

Similarities between previous Emotet attacks are clearly present in this new attack boasting recycled templates with poor grammar and documents of ‘high importance’. 

So what happens if a recipient tries to open the malicious document?

Readers are warned the “document only available for desktop or laptop versions of Microsoft Office Word”, and are prompted to click on either the ‘Enable Editing’ or ‘Enable Content’ button to view the document.

Enabling the content immediately downloads and installs Emotet on the workstation. More concerning is that the malware will install other second-stage payloads including TrickBot Trojan, which gathers sensitive data such as login credentials, files and cookies. An attack like this poses a critical security risk and can fully compromise the network. Moreover, TrickBot paves the way for Ryuk, a type of ransomware that, if deployed, starts encrypting all data, rendering file recovery impossible without paying a ransom to the cybercriminals.

Seems like threat actors are stepping up their game in 2020, aiming for more and more government organizations and high-level targets. While proper training on spotting phishing emails can help, it’s important for organizations to have email security solutions that are able to both flag spearphishing attacks and detonate potentially malicious attachments in sandboxed environments, before reaching the employee’s endpoint.