The UN was hit by a targeted cyberattack using one of the world's best-known strains of malware. The criminals used the Emotet malware to launch a phishing campaign to steal login information for United Nations staff and officials. Hundreds of workers were trapped in the attack, which targeted the UN headquarters in New York, as hackers devised an ingenious strategy to try to trap their victims.
Problem
The campaign was discovered by researchers from the security firm Cofense, who discovered that the hackers appeared to belong to the Norwegian Permanent Mission. The email said that Norwegian representatives had found a "problem" with an attached signed agreement, and that the recipient needed to examine the document to find out exactly what it was about. Opening the Microsoft Word attachment to the email launches a phishing document template with a pop-up warning that the "document is only available for desktop or portable versions of Microsoft Office Word." The victim is then invited to click "Activate Editing" or "Activate Content" to display the document which, once activated, launches malicious Word macros that download and install Emotet on the victim's device. Emotet ran in the background when spamming other victims, as well as downloading other malicious payloads, including the dangerous TrickBot Trojan, which itself has been linked to the notorious Ryuk ransomware. Through the dream computer