United Nations Targeted With Emotet Malware Phishing Attack
By Lawrence Abrams
Published: 2020-01-14 · Archived: 2026-04-05 16:21:43 UTC
Pretending to be the Permanent Mission of Norway, the Emotet operators performed a targeted phishing attack against email
addresses associated with users at the United Nations.
Yesterday, the Emotet trojan roared back to life after a 3-week vacation with strong spam campaigns that targeted countries
throughout the world.
While Emotet's normal spam campaigns pretended to be fake accounting reports, delivery notices, and invoices, the malware
operators had something special in mind for the United Nations.
https://www.bleepingcomputer.com/news/security/united-nations-targeted-with-emotet-malware-phishing-attack/
Page 1 of 5

0:00
https://www.bleepingcomputer.com/news/security/united-nations-targeted-with-emotet-malware-phishing-attack/
Page 2 of 5

Visit Advertiser websiteGO TO PAGE
Impersonating the "Permanent Mission of Norway"
In a sample of a phishing email shared with BleepingComputer by email security firm Cofense, the Emotet operators
pretend to be representatives of Norway at the United Nations in New York, who state that there is a problem with an
attached signed agreement.
According to Cofense, this phishing campaign had "highly specific targeting" and was seen being sent to 600 unique email
addresses at the United Nations.
The email states that the representatives of Norway found a problem with a signed agreement and that the recipient should
review it to learn the issue.
Emotet spam targeting the United Nations
The full text of this targeted phishing email can be read below:
Hi,
Please be advised that the new problem has been appeared today.
See below our info for this question.
Please let me know if you need anything else.
Regards
Permanent Mission of Norway to the United Nations in New York
Attached to these emails is a Microsoft Word document that starts with "Doc_01_13" that pretends to be the signed
agreement being sent by the Permanent Mission of Norway.
While there was room for Emotet to send a more convincing Word document template, they instead sent the same one that is
used for all of the malspam campaigns.
https://www.bleepingcomputer.com/news/security/united-nations-targeted-with-emotet-malware-phishing-attack/
Page 3 of 5

This template pretends to be a warning that the "document only available for desktop or laptop versions of Microsoft Office
Word." It then prompts the user to click on 'Enable editing' or 'Enable Content' to view the document.
Malicious Email Attachment
If a user opens the document and enables its content, malicious Word macros will be executed that downloads and installs
Emotet on the computer.
Emotet will now run in the background while sending out spam emails to other victims.
Eventually, Emotet will also install other payloads such as Trickbot, which would be when things get really bad for the
compromised UN workstation.
Emotet can lead to a full network compromise
When Emotet is installed on a machine, one of the malware payloads that is invariably installed is the TrickBot trojan.
The TrickBot trojan will attempt to harvest data from the computer such as cookies, login credentials, files from the
computer, and possibly spread to other computers on the network.
After the harvesting of information is finished, TrickBot is known to open a reverse shell back to the operators of Ryuk
Ransomware.
These operators will proceed to infiltrate the network, gain administrator credentials, and ultimately deploy Ryuk so that it
encrypts every device on the network.
This is particularly worrisome for a UN network as ransomware operators are known to steal data before encrypting files,
which could expose extremely sensitive diplomatic or government information.
While there are no known victims of this phishing attack, this targeted attack illustrates that bad actors are constantly trying
to get access to the networks of organizations and government networks.
This is why it is imperative for all employees regardless of what sector they work in to be properly trained on how to
recognize phishing emails.
Furthermore, before opening any attachments and enabling macros, users should notify their network administrator and
contact the alleged user who sent the email to confirm its authenticity.
BleepingComputer has contacted the Permanent Mission of Norway about this attack but has not heard back at this time.
https://www.bleepingcomputer.com/news/security/united-nations-targeted-with-emotet-malware-phishing-attack/
Page 4 of 5

Automated Pentesting Covers Only 1 of 6 Surfaces.
Automated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the
other.
This whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic
questions for any tool evaluation.
Source: https://www.bleepingcomputer.com/news/security/united-nations-targeted-with-emotet-malware-phishing-attack/
https://www.bleepingcomputer.com/news/security/united-nations-targeted-with-emotet-malware-phishing-attack/
Page 5 of 5