Emotet distributed with emails posing as German authorities, BSI warns

BSI, Germany’s federal cybersecurity agency warns of an active malspam campaign that distributing the infamous Emotet banking Trojan.

Germany’s federal cybersecurity agency BSI is warning of an active malspam campaign that aims at distributing the Emotet banking Trojan.

The malicious messages camouflaged to look like messages delivered by German federal authorities. According to the BSI, attackers have already infected with the Emotet banking Trojan several of federal administration authorities.

“Currently, increasingly spam – mails sent several federal agencies with malicious attachments or links in their names. The Federal Office for Information Security ( BSI ) calls for special caution and warns against opening these emails and links.” reads the security alert published by the BSI. “Several confirmed Emotet infections in federal administration authorities have been reported to the BSI in the past few days.”

BSI is currently investigating other infections and is working with all concerned German authorities to mitigate the exposure to the threat.

Fortunately, authorities were able to detect the threat and cleaned up the infected systems.

Experts warn that Emotet spam messages arrive at the victims as replies to already existing email conversations to trick them into thinking that they are legitimate messages.

The BSI recommends users to be vigilant on suspicious messages that could include various inconsistencies such as misspelled words and out of place formatting.

“For this purpose, the sender name should be checked carefully, not just the displayed name. The mail should be checked carefully for inconsistencies. If in doubt, you should clarify by telephone with the alleged sender whether an email was actually sent by the sender.” concludes the report. “In addition, the execution of macros when opening Office documents should be avoided and at best prevented centrally.”

The Emotet banking trojan has been active at least since 2014, the botnet is operated by a threat actor tracked as TA542.

In 2019, security experts haven’t detected any activity associated with Emotet since early April, when researchers at Trend Micro have uncovered a malware campaign distributing a new Emotet Trojan variant that compromises devices and uses them as Proxy C2 servers.

Emotet re-appeared on the threat landscape in August 2019, with an active spam distribution campaign. At the time, Malwarebytes observed the Trojan started pumping out spam, spam messages initially targeted users in Germany, Poland and Italy, and also the US. The campaign continues targeting users in Austria, Switzerland, Spain, the United Kingdom, and the United States.

The researchers observed hundreds of thousands of messages were sent as part of this distribution effort.

In November, the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) warned businesses and netizens of Emotet and BlueKeep attacks in the wild.

Pierluigi Paganini

(SecurityAffairs – Emotet Trojan, BSI)

[adrotate banner=”5″]

[adrotate banner=”13″]

Share On