A new wave of attacks from the remote-controlled Emotet Trojan is currently causing damage in Germany to an extent that cannot yet be estimated. Following messages and reports, already individual cases are documented, in which the damage goes into the millions!
In modern times, the Egyptian master builder of antiquity has given his name to the former Banking Trojan, which has been in mischief since 2014. For this purpose, the Trojan uses functions that help the software to bypass detection by numerous anti-malware and anti-virus products.
Do not run macros!
The Trojan uses worm-like functions to spread to other connected computers in the network and is also polymorphic – i.e. it can change itself every time it is downloaded or executed, thus avoiding signature-based detection.
If a system is infected with Emotet, it not only tries to spread further in its network and download and distribute updates/further malware from C&C (Command and Control) servers – it also starts collecting data!
The Trojan collects specific user (logins, passwords) and communication details; who communicates with whom – and in the latest versions, the malware also spies out the contents of mail traffic.
From the information obtained in this way, which is sent to the C&C servers of the backers, these evaluate new targets and target persons, who are then specifically addressed with authentic emails (possibly also using fake sender information and mail headers) – partly with reference to current communication details.
The attachments of these mails contain file attachments that seem to fit the faked context of the mail, but actually only contain Emotet. The majority of the files currently appear to be in .DOC format (although there are also reports of occasional .PDF infections) – and want to run macros after opening with the associated word processor.
For the macros to run, the user’s consent is usually required – but BSI, LKA, and the CERT-Bund report in agreement, a number of the newly attacked targets allow the execution of the macros without hesitation.
“In our opinion, Emotet is a case of cybercrime in which the methods of highly professional APT attacks have been adapted and automated,” says BSI President Arne Schönbohm about the novel quality of the attacks.
If Emotet has established himself on a computer and the surrounding network, he tries to exploit an old, but obviously still effective exploit, which was developed by the American NSA and used for years.
In principle, the safest protection against Emotet is still the oldest defense mechanism in IT. Do not execute files/macros of unknown origin. Why should an invoice sent to you – or an information letter – require the execution of macros?
In addition, of course, your clients and servers should also be provided with the latest patches and updates – additional anti-virus and anti-malware products supplement these security measures.