New Hampshire City Computer Network Damaged by Emotet Banking Malware

Officials from a city in the state of New Hampshire say they spent over $156,000 to remove a piece of malware that attacked the city’s entire computer network. Reporters from the Portsmouth Herald stated that the Deputy City Manager for Portsmouth, NH filed an insurance claim because of how much damage the Emotet Trojan horse program did.

This is perhaps one of the more graphic examples of financial damage done to a single computer network by an inadvertently introduced cyberattack in the last few months. Emotet obtains financial information through arbitrary code execution on top of the network stack of a compromised machine.

Security experts first started to see problems as early as March 14. Users were reporting that a virus was sending out phony emails stamped with the addresses of city officials and other legitimate accounts in order to solicit money. Officials now state that they are monitoring the network to prevent other viruses from spreading and have otherwise hardened it considerably.

That being said, Emotet is not a self-replicating virus per se but rather a malicious file that intercepts and logs outgoing network traffic sent from a browser. This leads to potentially sensitive data being collected into a single data stream, which can ultimately be used to break into a victim’s bank account, among other things. It has much more in common with the Feodo family of malware infections than it does with an average computer virus.

Austrian, Swiss and German computer scientists reported the malware’s first infections four years ago. The United States was the next country to get hit, and judging by this recent outbreak it is clearly still causing issues.

Over time, Emotet has become much more sophisticated in how it attacks host machines. The most common method has been to embed malicious attachments and URL links in emails. These are often disguised as PDF attachments or invoices, which could well explain what happened to the network in Portsmouth.

Early American attacks involved malicious JavaScript files that got executed by victims to then infect the host system.

Regardless of the delivery method, the infection can continue to spread whenever people run something that turns out not to be what it initially appeared to be.
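The lures described above (phony mail carrying a city official's address, an "invoice" or "PDF" attachment that is really a script file) can be caught at the mail gateway before anyone opens them. The following is an added example, not code from the article or from the City of Portsmouth: it triages one message with Python's standard `email` module, flagging a From address on the internal domain whose Reply-To or Return-Path points elsewhere, and attachments with script or double extensions. The `.example` domains, names and attachment bytes are constructed for the test.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Attachment types that execute when opened; .js matches the early campaigns.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".wsf", ".hta", ".exe", ".scr"}

def _domain(header_value) -> str:
    """Lower-cased domain of the first address in a header value (or "")."""
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()

def triage_message(raw: str, internal_domain: str) -> list[str]:
    """Return findings for one RFC 5322 message; an empty list means nothing flagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    # 1. Spoofed sender: From claims the internal domain, but replies or bounces
    #    would go to a different domain (Reply-To / Return-Path mismatch).
    from_domain = _domain(msg.get("From", ""))
    for hdr in ("Return-Path", "Reply-To"):
        other = _domain(msg.get(hdr, ""))
        if from_domain == internal_domain and other and other != internal_domain:
            findings.append(f"{hdr} domain {other!r} differs from From domain {from_domain!r}")
    # 2. Attachments: script extensions and "name.pdf.xxx" double extensions.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        if ext in SCRIPT_EXTS:
            findings.append(f"script attachment {name!r}")
        if ".pdf." in name:
            findings.append(f"double extension disguised as PDF: {name!r}")
    return findings

def constructed_sample(malicious: bool = True) -> str:
    """Constructed test message: hypothetical .example domains, placeholder bytes."""
    m = EmailMessage()
    m["To"] = "staff@city.example"
    if malicious:  # lure styled like the ones described in the article
        m["From"] = "Deputy City Manager <dcm@city.example>"  # spoofed official
        m["Return-Path"] = "<bounce@mail-blast.example>"
        m["Reply-To"] = "dcm.office@free-mail.example"
        m.set_content("Please review the attached invoice today.")
        m.add_attachment(b"// placeholder, not a script", maintype="application",
                         subtype="javascript", filename="Invoice_0314.pdf.js")
    else:  # ordinary internal mail with a real PDF
        m["From"] = "Jane Doe <jane@city.example>"
        m.set_content("Agenda attached.")
        m.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                         subtype="pdf", filename="Agenda_March.pdf")
    return m.as_string()
```

On the constructed lure this returns four findings (two header mismatches, the script attachment, and the double extension); on the ordinary internal message it returns none.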

Kamil Anwar
Kamil is a certified MCITP, CCNA (W), CCNA (S) and a former British Computer Society Member with over 9 years of experience configuring, deploying and managing switches, firewalls and domain controllers, and an old-schooler still active on FreeNode.