Critical infrastructure providers, government agencies hit by Emotet

The Australian Cyber Security Centre (ACSC) says that it has received “dozens of confirmed reports” of Emotet malware across a variety of organisations, including critical infrastructure providers and Australian government agencies.

The ACSC, which is part of the Australian Signals Directorate, said it was investigating a widespread campaign involving the email-borne Trojan.

Most infections involve Microsoft Office attachments, typically Word documents, but there have been reports of PDFs being used to spread the malware, an ACSC advisory said.

The campaign has used both “highly targeted” and bulk spam emails, the advisory said.

“Upon infection of a machine, Emotet attempts to spread within a network by brute-forcing user credentials, and writing to shared drives,” the document said.

“Trickbot is a modular multi-purpose command-and-control (C2) tool that allows an attacker to harvest emails and credentials, move laterally within a network using exploits like EternalBlue, and deploy additional malware to the infected network.”

The ACSC said it’s aware of 19 successful Emotet infections. In one case, the malware provided a foothold for a Ryuk ransomware attack on the Victorian health sector.

Earlier this month, the Victorian government revealed details of a ransomware outbreak that affected services in the Gippsland Health Alliance and the South West Alliance of Rural Health.

As a result, hospitals isolated and disconnected a number of systems to prevent the ransomware from spreading. That led to some patient record, booking and management systems temporarily being switched off.