ACSC sounds warning over ‘undetectable’ malware threat


The Australian Cyber Security Centre (ACSC) has urged public sector agencies to exercise caution in response to a widespread malware campaign spreading across the country.

The infamous banking trojan, ‘Emotet’, considered by the US Department of Homeland Security among the most costly and destructive malware in existence today, is reported to have struck “dozens” of local businesses and individual users as well as bringing critical government infrastructure to a standstill.

The ACSC believes the Emotet trojan was behind the recent ransomware attack on the Victorian state healthcare sector, which for almost two weeks crippled backend systems across the state.

The malware is spread when unsuspecting email users open links or attached files (often appearing as normal or useful documents, such as pdfs or Word files) containing the malicious code. Once opened, hackers may gain access to and control devices or computer systems; the malware then forwards itself to users’ email contacts in an attempt to spread itself further.

Emotet-laden emails are often well disguised by cybercriminals, containing familiar letterheads, branding, and phrases designed to appears as a legitimate email, making them difficult for end-users to detect.

Common phrases or calls to action within emails are used to lure users to infected attachments, such as ‘I’ll just await your advice on this one’, or ‘Documentation is attached’ and ‘We very much appreciate your support’ – all of which have been detected by the cybersecurity agency.

ACSC head Rachel Noble said the cyber centre has issued Level 3 – Alert on its Cyber Incident Management Arrangements (CIMA) five-point severity scale, acknowledging the “scale of the campaign, and the risk of economic impact”.

“The ACSC is working closely with state and territory governments to limit the spread of this computer virus and to provide technical advice and assistance and to support organisations that are affected,” Nobel said.

In a statement, the ACSC said it has received dozens of confirmed reports of Emotet infection across several sectors, including critical infrastructure providers and government agencies.

First identified in Europe in 2014, Emotet has an infamous reputation within cybersecurity circles, widely used by hackers to gain financial information from compromised Windows PCs.

The first incarnation of Emotet was designed to steal bank account details by intercepting internet traffic. The trojan injects computer code into the networking stack of a Windows machine, allowing sensitive data to be stolen via transmission.

Today, Emotet is now widely used to spread secondary malware to infected machines, providing a “foothold in a network from which additional attacks can be performed”, the ACSC said. The virus itself served as a vector for the recent Ryuk ransomware attacks on the Victorian healthcare sector systems.

While early versions used a malicious JavaScript file, most now exploit macro-enabled documents to retrieve the virus payload from command and control (C&C) servers run by the attackers. 

The ACSC advises users to disable Microsoft Office macros, maintain their firewalls, and make sure they have an offline backup of all information.