The entire computing system shut down after the attack

Dec 10, 2018 16:36 GMT

Quincy City Hall was hit by a cyber attack involving the modular Emotet banking trojan, which led to the entire email system being compromised and the city's email accounts being used in an ongoing phishing campaign.

Emotet is a well-known malware strain, distributed by bad actors via spam emails to compromise targets and steal financial information such as cryptocurrency wallets and bank logins.

Emotet can also exfiltrate proprietary data, login credentials, and Personally Identifiable Information (PII), the leading cause behind identity theft attacks.

Emotet can also be used by bad actors as a transport conduit for other banking Trojans or, as was the case during a September malware campaign, for Trickbot, a highly customizable and modular information-stealing botnet which makes use of IP cameras and compromised routers as command-and-control (C&C) servers.

City's computing systems offline for five days

The residents of the Norfolk County, Massachusetts, city were advised by a spokesperson from the mayor's office to be very careful when opening unsolicited email messages from @quincyma.gov addresses.

Moreover, they should be especially careful when viewing this type of email, given that such messages might contain malware droppers ready to download and execute Emotet trojan payloads.

As initially reported by The Patriot Ledger, Chris Walker, a spokesperson for the mayor's office, stated that "Between Wednesday, Nov. 21 and Sunday, Nov. 25, the information technology department shut down all city servers and computers to clear out the virus. Emails and the city website were down for the holiday weekend."

During those five days, the Quincy City Hall IT department went through every computing system on the network, making sure each one was adequately cleaned of any malware traces.

Multiple Emotet malware campaigns active during the past few months

Although the Emotet banking trojan was removed from the City Hall's computing systems, the phishing campaign might still be active, with some emails still reaching residents.

"The virus has been neutralized, but there are still some lingering issues - symptoms - that are still filtering their way through the system and being worked on by IT," added Walker.

Near the end of November 2018, Cofense Intelligence observed multiple campaigns distributing an upgraded version of the modular and extremely dangerous Emotet banking Trojan, now also capable of using stolen email templates to impersonate "major US financial institutions."

Furthermore, the new Emotet strain is also capable of "enabling the theft of up to 16KB of raw emails and threads," which boosts its operators' social engineering toolset, lets the Trojan harvest phishing templates, and provides collected data that can be sold to any interested party.
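As an added illustration of the two warning signs the article describes (unsolicited mail from @quincyma.gov carrying a dropper attachment, and the upgraded Emotet's habit of replying into stolen email threads), the following Python gateway-style check is example code written for this page, not anything from the city's IT department or from Cofense. The dropper extension list and the "quoted thread without reply headers" heuristic are assumptions, and the sample message is constructed, not a real captured email.

```python
import email
from email import policy
from email.message import EmailMessage

# Domain whose accounts the article says were abused (used here as the watched domain).
WATCHED_DOMAIN = "quincyma.gov"
# Attachment types commonly used as macro or script droppers (assumption for this example).
DROPPER_EXTENSIONS = (".doc", ".docm", ".xls", ".xlsm", ".js", ".zip")


def assess_message(raw: bytes) -> list[str]:
    """Return the Emotet-style phishing indicators found in one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flags = []

    # 1. Sender claims an address at the compromised domain residents were warned about.
    sender = (msg.get("From") or "").lower().rstrip(">")
    if sender.endswith("@" + WATCHED_DOMAIN):
        flags.append("claims-internal-sender")

    # 2. Attachment of a type typically used to drop the trojan payload.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(DROPPER_EXTENSIONS):
            flags.append(f"dropper-attachment:{name}")

    # 3. Reply-chain hijack heuristic (assumption): the body quotes an earlier thread,
    #    as a message built from stolen emails would, yet carries no threading header.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    if "-----original message-----" in text and not msg.get("In-Reply-To"):
        flags.append("quoted-thread-without-reply-headers")
    return flags


def build_sample() -> bytes:
    """Constructed sample resembling the described campaign; not a real message."""
    m = EmailMessage()
    m["From"] = "City Clerk <clerk@quincyma.gov>"
    m["To"] = "resident@example.com"
    m["Subject"] = "RE: Invoice"
    m.set_content("Please see attached.\n\n-----Original Message-----\n"
                  "From: resident@example.com\nSubject: Invoice\n...")
    m.add_attachment(b"\xd0\xcf\x11\xe0 constructed bytes", maintype="application",
                     subtype="msword", filename="Invoice_1122.doc")
    return m.as_bytes()


if __name__ == "__main__":
    print(assess_message(build_sample()))
```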