Emotet is back - what action is needed now!
by Svenja Koch
The return of Emotet malware
In November 2021, the malware has made a comeback. Analyses by IT security experts have revealed that Emotet has been appearing more and more frequently as malware on systems in recent weeks. The malware is still comparatively rare. However, the current situation is still far from the extent of its spread as in 2018 to 2020. An analysis of the found version also shows that the malware has been further developed. The source code has similarities with the original version, so an assignment to the Emotet family is evident. However, the current variant has gained additional capabilities. For example, the malware still encrypts its data traffic with HTTPS but now uses a self-signed certificate.
In addition, other criminals are behind the malware. This can be seen from which the network that the sheep software communicates. A network is necessary for the Emotet malware to operate. The malware contacts this network after successfully infecting a system and reloads other malware, including encryption Trojans. The original network no longer exists because the investigating authorities controlled it in January 2021 and disabled it. Recent analysis shows that the new Emotet version uses the Trickbot malware's network.
How does Emotet work?
Emotet is injected as a macro virus into documents from the Microsoft Office family. Anyone who opens such a prepared document infects the system with malware. In doing so, it works as a classic loader, i.e., it directly loads further malware onto the infected system. This behavior is the real danger of infection. In this way, encryption Trojans and other malicious programs get onto the compromised computers or grant the attackers remote access and thus control over the system.
Among other things, the attackers target access data for online banking or encrypt the hard drive contents. This is followed by requests to pay a large sum via Bitcoin. Otherwise, the encryption Trojan deletes all the data on the hard drive, the blackmailers threaten. The malware is also capable of stealing passwords and accessing data. It is known that keyloggers connected to the Emotet network steal access data for online banking and passwords stored in browsers.
The Emotet malware gets onto the target systems via emails. These emails pose as messages from known senders and thus trick the recipients. The malware is dangerous mainly because of the very believable fake emails. This is also due to the special function the malware is equipped with to spread itself further. Through "Outlook harvesting," the malware reads the address books on the infected system and searches for email addresses. The malware then sends itself to these addresses. Thus, potential victims receive emails from known senders that they trust. This increases the risk that the victim will open the attached Office document in which Emotet is hidden.
How dangerous is Emotet malware currently?
Some IT security experts call Emotet the most dangerous malware in the world. The damage that this malware has caused in recent years is indeed enormous. At the same time, malware is still comparatively rare at the moment. However, this does not change the fact that Emotet malware poses a high risk. According to IT experts, this mainly affects users with Windows operating systems. Since the malware explicitly exploits weaknesses in Microsoft Office, users who use systems with Linux, macOS, or Android are safe according to current knowledge.
The German Federal Office for Information Security (BSI) has already issued a warning about the current situation. Here, the BSI points out the danger of a new wave of emojis. The Federal Office also believes that the criminals behind the malware will soon use additional attack vectors. For example, there are already the first findings of Emotet in packed ZIP archives, and emails with links leading to prepared pages are also within the realm of possibility for the malware to spread.
What makes Emotet so dangerous is its unpredictability. Malware reloading makes it impossible to predict what malware the attackers will use. Obvious attacks with encryption Trojans are among the potential impacts of keyloggers that steal passwords and credentials undetected.
What methods offer protection against the Emotet malware?
Adequate basic protection can already be achieved through generally known and standard IT security measures. These include keeping the operating system and all applications on the computer up to date. The security updates of the operating system and the up-to-dateness of the browser and the office platform are critical. It is also essential to use an up-to-date virus scanner that offers real-time protection. A well-thought-out backup plan is also necessary, especially for companies. With at least one backup physically separated from the network, a double data backup protects one's data from loss through encryption.
However, these measures do not provide absolute security against Emotet malware. In the past, it has been shown that not every virus scanner detects malicious code. Even an up-to-date operating system is no protection against infection. Therefore, every user is asked to act with absolute caution when opening emails. Attachments received in .xlsm (Microsoft Excel), and .docx (Microsoft Word) formats are particularly dangerous. Even if the email sender is known, it is crucial to check whether this person or organization sent the attachment before opening it. Currently, it is mainly these two file formats in which Emotet malware is hiding.
The macro vulnerability in Microsoft Office, which the malware exploits, is dangerous. Office automatically executes macros that are present in a document after the file is opened. This is also how the malicious code is executed. One way to protect against this is to disable macros. This is possible in the options of Word from Excel. In this way, users prevent the execution of malicious code hidden in macros of Office documents.
Another option is to refrain from using Microsoft Office if possible or open suspicious documents with another software first. LibreOffice, an open-source alternative, can also be used to open and edit Word and Excel documents. In this way, it is possible to check whether the content is relevant or whether the data originates from a criminal.
Another protective measure is the use of accounts that do not have administrator rights. In everyday use, it is not necessary to use the computer with full rights. Only for the installation of software, for example, administrator rights are required. This prevents the malware from installing itself.
It also makes sense not to store passwords in browsers and email programs. Instead, it is a good idea to use a central password manager. Such programs generally offer more security. In addition, the malware can read passwords from Outlook, Firefox, Thunderbird, and other browsers and personal information managers. This can be prevented by users not saving passwords in these programs.
IT security services that monitor activities in the network provide significantly better protection. Solutions that scan the network for unauthorized activity in real-time can identify when the Emotet malware contacts a command and control server and initiate appropriate countermeasures immediately - before major damage is done.
What to do if the computer is infected with Emotet?
If infection with Emotet malware is confirmed or suspected, the first step is disconnecting the affected system from the network. Moreover, in this context, it is crucial to refrain from online banking and similar services. Since Emotet can modify system files of the operating system, an infected system is no longer safe. Even a virus scan or the use of anti-malware software does not guarantee the restoration of security. For this reason, a new installation of the operating system is necessary. Other files on the system are also considered compromised. Therefore, it is required to restore them as well, usually via a backup. It is important that this backup was created before the infection and was then either physically separated from the compromised system or protected by write protection.
Conclusion
With Emotet, a well-known name from the world of malware has returned. This malware is symbolic of a trend that has been observed for several years. Cybercrime has become a permanent threat that affects companies, authorities, and private individuals alike. The fact that the Emotet malware brings with it a high potential for danger further exacerbates the situation. It is precisely the encryption Trojans, which are also associated with Emotet, that repeatedly make the headlines. Thus, it is no coincidence that news about companies or organizations whose activities come abruptly due to an encryption Trojan is piling up. It is essential to be aware of this constant threat situation. This applies to all users and responsible parties, from private users to decision-makers in the IT department. With suitable precautions and the use of appropriate security technology, one's network can be effectively protected against Emotet and other malware. As in most situations, prevention is the most potent weapon in the fight against cyberattacks.