Emotet spreads again

Emotet has started actively spreading again. Big business companies, government facilities, individuals — anyone can become a victim to this info-stealing, malware-downloading trojan.

According to BleepingComputer, USA, UK, Germany, Poland, and Italy have been seen targeted by this latest malicious email spam campaign that marks Emotet’s wakeup from its months-long slumber.

Innocent-looking emails carry an infection

Though Emotet’s email-based infections might not look very sophisticated, they’re very effective.

The emails have an attachment which is usually a Word document, but can be almost any mundane file. Sometimes, instead of an attachment, the emails have a download link. The infected files sometimes ask the user to enable macros using a fake warning like this:

Accept the license agreement

You can use Microsoft Word until Friday, September 20, 2019.
After that date, most features of Microsoft Word will be disabled.

To accept and start Word click Enable Editing and click Enable Content

Accept license agreement

The emails that are spreading this trojan are short and vague. They appear like replies to previous emails and they offer more details in the attached (infected) files.

The emails delivering Emotet are extremely convincing. Part of what makes them so is that they can be built on real emails that the victims have received, and a trusted sender can be spoofed, so even cautious people slip.

Once they do, there is a lot that can go wrong.

Emotet — info stealer and malware dropper

Emotet has been known since 2014 and has done a lot of harm over the years, including hijacking people’s online banking accounts and delivering ransomware.

First, Emotet includes a module for spreading malicious spam from the infected machine, and the infected machines together form a botnet that sends it out. Email accounts on those machines are taken over by stealing their credentials and are then used to send malicious emails to the victims’ contact lists. The infected computers can also be used in DDoS attacks.

There is also a list of legitimate websites that have been infected and forced to spread the malware via drive-by downloads.

Emotet also extracts saved passwords from the browser, as well as email addresses and sender names from email client software, and sends that information to the criminals behind the trojan.

It used to be a banking trojan that hijacked online bank accounts. However, as 2-factor authentication became popular and made that too difficult, another approach to making money had to be found.

Since then, Emotet has delivered other malware, including other banking trojans and file-locking ransomware. That’s Emotet’s new business model — taking a cut of the profits made by the malware it delivers. The types of malware that Emotet is used to spread include banking trojans like Trickbot and file-encrypting ransomware like Ryuk.

An attack back in 2018 that started with Emotet left a town of 100,000 without access to the Internet.

Stay safe against malware

There’s no sure way to avoid malware, but it’s usually those least protected who suffer the most often. So, it’s worth following best practices.

  • Strong passwords would stop Emotet from guessing them and gaining access to important accounts.
  • Up-to-date software would be less vulnerable to drive-by downloads of malware.
  • Scanning each file received in email before opening it could help catch malicious macros used in them, especially if your anti-malware protection is being updated regularly.
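As an added example, not part of the original post, here is a small triage check for Office attachments of the kind described above: it flags OOXML files that both carry a VBA macro container and contain the fake "Enable Editing / Enable Content" lure quoted earlier. It uses only the Python standard library, and the macro-enabled sample document is constructed inline so the script runs offline.

```python
# Added example (not from the original post): triage an Office attachment for
# the Emotet-style combination of a macro container plus an "enable content" lure.
import io
import re
import zipfile

# Phrases from the fake license warning quoted in the post.
LURE_PATTERNS = [
    r"enable\s+editing",
    r"enable\s+content",
    r"accept\s+(the\s+)?license\s+agreement",
]


def triage_office_file(data: bytes) -> dict:
    """Return indicators found in an OOXML (docx/docm/xlsm/...) byte string."""
    result = {"is_ooxml": False, "has_vba": False, "lure_hits": [], "suspicious": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result  # not a zip container, so not an OOXML document
    names = zf.namelist()
    result["is_ooxml"] = "[Content_Types].xml" in names
    # Macros are stored in an OLE container named vbaProject.bin under word/, xl/ or ppt/.
    result["has_vba"] = any(n.lower().endswith("vbaproject.bin") for n in names)
    # Pull visible text out of the XML parts and look for the lure phrases.
    text = ""
    for n in names:
        if n.startswith(("word/", "xl/", "ppt/")) and n.endswith(".xml"):
            text += zf.read(n).decode("utf-8", errors="ignore")
    text = re.sub(r"<[^>]+>", " ", text)  # strip XML tags, keep the text runs
    for pat in LURE_PATTERNS:
        if re.search(pat, text, re.IGNORECASE):
            result["lure_hits"].append(pat)
    # Either indicator alone is common in benign files; together they are worth a look.
    result["suspicious"] = result["has_vba"] and bool(result["lure_hits"])
    return result


def build_sample_docm() -> bytes:
    """Constructed sample: a minimal macro-enabled document carrying the post's lure."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml",
                    "<w:document><w:p><w:r><w:t>Accept the license agreement</w:t></w:r>"
                    "<w:r><w:t>To accept and start Word click Enable Editing and click "
                    "Enable Content</w:t></w:r></w:p></w:document>")
        zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)  # OLE header stub
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_office_file(build_sample_docm()))
```

A real deployment would run this on the mail gateway before the attachment reaches a user and would treat a hit as a reason to quarantine, not as proof of infection.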

Cybersecurity experts try hard to develop solutions that could detect Emotet reliably but that is difficult to do without also showing a lot of false-positive detections. So far, Emotet remains a serious threat to the privacy and security of individuals and organizations worldwide.
