January 15, 2020 – Reports are circulating that the United Nations has been hit by a targeted phishing campaign delivering the ‘Emotet’ malware. According to an article from Tech Radar:
The United Nations has been hit by a targeted cyber-attack that uses one of the world’s most notorious malware strains.
Criminals used the Emotet malware in order to launch a phishing campaign aimed at stealing login details for UN staff and officials alike.
Hundreds of workers were [targeted] in the attack, which focused on the UN headquarters in New York, with the hackers devising an ingenious strategy to try and trick their victims.
The campaign was uncovered by researchers from security firm Cofense, who found that the hackers pretended to be from the Permanent Mission of Norway.
The email said that the Norwegian representatives had found a ‘problem’ with an attached signed agreement, and that the recipient needed to review the document to learn exactly what it was.
Opening the email’s Microsoft Word attachment launches a spoof document template with a pop-up warning saying the ‘document only available for desktop or laptop versions of Microsoft Office Word.’
The victim is then prompted to click on ‘Enable editing’ or ‘Enable Content’ to view the document, which, when activated, executes malicious Word macros that download and install Emotet on the victim’s device.
Emotet would then run in the background while sending out spam emails to other victims, as well as downloading other malicious payloads, most notably the dangerous TrickBot trojan, which has in turn been linked to the notorious Ryuk ransomware. – Tech Radar
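The lure described above only works if a macro-capable document reaches the user and the user clicks ‘Enable Content’. A mail gateway can take the first half of that away by refusing Office attachments that can carry VBA at all. The following is an added example (not code from Tech Radar, Cofense or the Emotet operators) of that check using only the Python standard library. It flags legacy binary Office files on their container signature, and inspects OOXML files for a `vbaProject.bin` part regardless of the file extension, so a macro-enabled document renamed to `.docx` is still caught. The `build_ooxml` helper constructs minimal sample containers for the demonstration; they are not real documents and carry no real VBA.

```python
"""Flag Office attachments that could carry VBA macros (added example).

Checks performed:
  1. legacy binary Office files (OLE2 container, .doc/.xls) can always hold
     macros, so they are flagged on the container magic alone;
  2. OOXML files are ZIP archives; macros live in a vbaProject.bin part, which
     is looked for regardless of the file extension.
"""
import io
import zipfile

# Signature of the OLE2 compound-file container used by .doc/.xls/.ppt
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
MACRO_FREE_EXTS = {"docx", "xlsx", "pptx"}


def classify_attachment(filename, data):
    """Return {'verdict': ..., 'reason': ...} for one attachment (bytes)."""
    if data.startswith(OLE2_MAGIC):
        # A full VBA parser (e.g. oletools' olevba, not used here) would be
        # needed to tell whether this particular file really contains macros.
        return {"verdict": "suspicious",
                "reason": "legacy OLE2 Office file; may contain VBA macros"}
    if data[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return {"verdict": "suspicious", "reason": "corrupt ZIP/OOXML container"}
        macro_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
        if macro_parts:
            ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
            reason = "VBA macro project present: " + macro_parts[0]
            if ext in MACRO_FREE_EXTS:
                reason += " (extension ." + ext + " claims macro-free)"
            return {"verdict": "block", "reason": reason}
        if any(n.startswith(("word/", "xl/", "ppt/")) for n in names):
            return {"verdict": "clean", "reason": "OOXML document without VBA project"}
        return {"verdict": "unknown", "reason": "ZIP archive, not an Office document"}
    return {"verdict": "unknown", "reason": "not an Office container"}


def build_ooxml(with_macros):
    """Constructed sample: a minimal Word OOXML container (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            # placeholder bytes standing in for a VBA project; not real VBA
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed attachments, including a macro document hiding behind .docx
    samples = {
        "agreement.docx": build_ooxml(True),
        "minutes.docx": build_ooxml(False),
        "agreement.doc": OLE2_MAGIC + b"\x00" * 32,
        "notes.txt": b"plain text",
    }
    for name, blob in samples.items():
        print(name, classify_attachment(name, blob))
```

The verdicts are deliberately conservative: a legacy `.doc` is only "suspicious" because the container alone does not prove macros are present, while a `vbaProject.bin` part in an OOXML file is a hard "block" since a signed agreement has no business carrying VBA.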
One has to wonder if there is a state actor behind such an attack.
#Emotet using O365 in their template is a great example of criminals using current events or trends to stay relevant. Users need to be increasingly vigilant. Learn the signs of a phishing email, and do your part to keep your org safe. #SecureGCDigital https://t.co/pJJKXLy3b6
— Simply Cyber (@cyber_simply) January 15, 2020
The United Nations has been hit by a targeted #cyberattack using #Emotet #malware in order to steal login details from UN staff & officials alike. The #cybercriminals concentrated their attack on the UN headquarters in New York. https://t.co/Xt8PljVwc5 via @TechRadarPro
— Arcserve (@Arcserve) January 15, 2020
The attack could be related to recent geopolitical events.
According to Lawrence Abrams of Bleeping Computer:
Pretending to be the Permanent Mission of Norway, the Emotet operators performed a targeted phishing attack against email addresses associated with users at the United Nations.
Yesterday, the Emotet trojan roared back to life after a 3-week vacation with strong spam campaigns that targeted countries throughout the world.
While Emotet’s normal spam campaigns pretended to be fake accounting reports, delivery notices, and invoices, the malware operators had something special in mind for the United Nations.
In a sample of a phishing email shared with BleepingComputer by email security firm Cofense, the Emotet operators pretend to be representatives of Norway at the United Nations in New York, who state that there is a problem with an attached signed agreement.
According to Cofense, this phishing campaign had ‘highly specific targeting’ and was seen being sent to 600 unique email addresses at the United Nations.
The email states that the representatives of Norway found a problem with a signed agreement and that the recipient should review it to learn the issue.
When Emotet is installed on a machine, one of the malware payloads that is invariably installed is the TrickBot trojan.
The TrickBot trojan will attempt to harvest data from the computer such as cookies, login credentials, files from the computer, and possibly spread to other computers on the network.
After the harvesting of information is finished, TrickBot is known to open a reverse shell back to the operators of Ryuk Ransomware.
These operators will proceed to infiltrate the network, gain administrator credentials, and ultimately deploy Ryuk so that it encrypts every device on the network.
This is particularly worrisome for a UN network as ransomware operators are known to steal data before encrypting files, which could expose extremely sensitive diplomatic or government information.
While there are no known victims of this phishing attack, this targeted attack illustrates that bad actors are constantly trying to get access to the networks of organizations and government networks. – Bleeping Computer
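Both excerpts agree on the step that matters for defenders: once ‘Enable Content’ is clicked, the macro has to launch something to fetch Emotet, and Emotet then pulls further payloads. That step leaves process-creation telemetry. Below is an added example (not from Bleeping Computer, Cofense or the article above) of detection logic run over Sysmon-style process-creation events. The events, their field names (`pid`, `parent`, `image`, `cmdline`) and the command lines are constructed for the example. The rule that also looks for PowerShell launched under `WmiPrvSE.exe` reflects a macro-dropper trick commonly reported for the Emotet family; the quoted articles do not describe the macro internals, so treat it as an assumption here.

```python
"""Flag process-creation events typical of a macro dropper fetching its payload
(added example over constructed Sysmon-style events)."""
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -en, -enc, ...)
ENCODED_PS = re.compile(r"(?i)(?:^|\s)-e(?:c|n(?:c\w*)?)?\s+[A-Za-z0-9+/=]{20,}")
# Assumption: macros that spawn via WMI make WmiPrvSE.exe the parent instead of Word
WMI_HOST = "wmiprvse.exe"


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Return the list of detection reasons for one process-creation event."""
    parent, image = basename(ev["parent"]), basename(ev["image"])
    cmd = ev.get("cmdline", "")
    hits = []
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        hits.append("office app " + parent + " spawned " + image)
    if image in ("powershell.exe", "pwsh.exe") and ENCODED_PS.search(cmd):
        hits.append("encoded PowerShell command line")
        if parent == WMI_HOST:
            hits.append("launched via WMI host (macro-dropper indirection)")
    return hits


def detect(events):
    """Return [(pid, reasons)] for every event that triggers at least one rule."""
    results = []
    for ev in events:
        reasons = score_event(ev)
        if reasons:
            results.append((ev["pid"], reasons))
    return results


# Constructed events: a user opens the lure, the macro spawns cmd, and a second
# variant launches encoded PowerShell through WMI. Base64 text is a placeholder.
SAMPLE_EVENTS = [
    {"pid": 1, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\u\Downloads\signed_agreement.doc"'},
    {"pid": 2, "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd /c "set x=powershell && !x! -w hidden"'},
    {"pid": 3, "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"pid": 4, "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"pid": 5, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
]

if __name__ == "__main__":
    for pid, reasons in detect(SAMPLE_EVENTS):
        print(pid, reasons)
```

Event 5 is there as the false-positive check: `-ExecutionPolicy` starts with `-E` but is not an encoded command, and an admin running a script from Explorer should not trip the Office-parent rule.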
Here is an example of what this kind of phishing scam email can look like:
These kinds of attacks will most likely continue to increase as more small-time actors gain access to sophisticated tools. Keep anti-virus software up to date, be aware of the latest kinds of scams being deployed, and treat any attachment that demands you click ‘Enable editing’ or ‘Enable Content’ before it will display as suspect; in this campaign that click is what runs the macro that installs Emotet.
This story is still developing, please check back for updates.