Emotet Malware being spread via email

2:00pm, 7 September 2020

TLP Rating: Clear

Updated at 1.50pm 8 September 2020

CERT NZ is aware of increased Emotet activity affecting New Zealand organisations. Emotet is an advanced, self-propagating and modular Trojan, originally developed as a banking Trojan. More recently it’s being used as a distributor of other malware or malicious campaigns, frequently resulting in the deployment of ransomware on the infected network. It uses a variety of methods to maintain persistence and evasion techniques to help avoid detection.

What's happening

Systems affected

Windows computers, networks and servers.

What this means

CERT NZ has seen an increase in Emotet activity in New Zealand, spreading via email. The emails contain malicious attachments or links that the recipient is encouraged to download. These links and attachments may look like genuine invoices, financial documents, shipping information, resumes, scanned documents, or information on COVID-19, but they are fake.

Emotet is designed to steal login credentials for email accounts configured on infected systems. The compromised credentials are then passed to spam bots, which send out large numbers of spam emails to spread the malware further. Alternatively, it may steal information from your mailbox and use it to send emails from somewhere else; for example, the content of an existing email conversation may be used as a pretext to make a malicious email look legitimate.

Emotet is also used to install other malware such as Trickbot and QBot onto a system. These may be used to provide access to attackers who carry out network compromise and data exfiltration, and often install ransomware such as Ryuk, Maze, Conti, or ProLock throughout a network.

What to look for

How to tell if you're at risk

Anyone can be targeted by Emotet, including individuals and businesses.

How to tell if you're affected

You may receive emails from people in your contact list advising that they’ve received phishing emails from you containing malware. As malware continues to evolve, anti-virus software does not always detect infections. The following sources provide information which may help you identify infected computers in your environment:

What to do

Prevention

As Emotet is spread via documents with malicious macros, it is important that you take the following measures:
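One concrete control that follows from this is checking inbound attachments for Office macro carriers by content rather than by filename alone. The script below is an added example, not CERT NZ tooling; it assumes a plain RFC 822 message as input, treats a vbaProject.bin entry inside an OOXML archive or a legacy OLE header as the signal, and the addresses and attachments it scans are constructed for the demonstration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls container header
MACRO_EXTENSIONS = (".docm", ".xlsm", ".pptm", ".dotm", ".xltm")

def attachment_risk(filename, data):
    """Return why an attachment may carry Office macros, or None if nothing was found."""
    name = (filename or "").lower()
    if name.endswith(MACRO_EXTENSIONS):
        return "macro-enabled Office extension"
    if data.startswith(OLE_MAGIC):
        return "legacy OLE Office container (can embed VBA)"
    if data.startswith(b"PK"):  # OOXML is a zip; inspect it rather than trusting the name
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                if any(n.lower().endswith("vbaproject.bin") for n in z.namelist()):
                    return "OOXML archive contains vbaProject.bin"
        except zipfile.BadZipFile:
            pass  # not a valid archive, so no OOXML macro store to find
    return None

def scan_message(raw):
    """Parse an RFC 822 message and return (filename, reason) for each flagged attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    return [(p.get_filename(), r) for p in msg.iter_attachments()
            if (r := attachment_risk(p.get_filename(), p.get_payload(decode=True) or b""))]

def fake_macro_docx():
    """Constructed OOXML zip with a vbaProject.bin entry (placeholder bytes, no real VBA)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()

def sample_message():
    """Constructed invoice-style lure: a macro document renamed to .docx plus a harmless PDF."""
    m = EmailMessage()
    m["From"], m["To"] = "accounts@example.invalid", "staff@example.invalid"
    m["Subject"] = "RE: Invoice 4471"
    m.set_content("Please see the attached invoice.")
    m.add_attachment(fake_macro_docx(), maintype="application", subtype="octet-stream",
                     filename="invoice.docx")
    m.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                     subtype="pdf", filename="remittance.pdf")
    return m.as_bytes()
```

Running `scan_message(sample_message())` flags only invoice.docx, because the check looks inside the archive rather than at the .docx extension.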

Mitigation

If your system has been affected by the Emotet malware, we recommend that you:

More information

If you require more information or further support, you can submit a report on our website or contact us on 0800 CERTNZ.

Report an incident to CERT NZ

For media enquiries, email our media desk at certmedia@cert.govt.nz or call on 021 854 384

Further links:

Bleeping Computer -

Darktrace Blog -