
Emotet trojan is back with a vengeance

Emotet is back. The infamous banking trojan has been around in one form or another for years, but now it’s back and more deadly than ever.

After a short period of downtime in early October 2018, Emotet has reappeared, complete with a new mass email-harvesting module that can be used to carry out more deceptive email attacks.

What is Emotet?

Emotet is a trojan that is infamous for its modular architecture and ability to spread itself quickly and effectively. While it’s technically considered a banking trojan, Emotet is more commonly used as a dropper for other types of malware, such as TrickBot and Zeus Panda Banker, among others.

Emotet has been a persistent thorn in the sides of consumers and organizations for years. In July 2018, the United States Computer Emergency Readiness Team issued a security warning noting that Emotet infections had cost state, local, tribal, and territorial governments up to $1 million per incident to resolve.

How does Emotet infect your system?

Emotet spreads via infected files that are distributed in mass malicious mail campaigns. It’s important to note that these emails are not simple, easily identifiable, typo-laden phishing emails. They are sophisticated and have been carefully crafted to look like they have been sent from a legitimate financial organization. As BleepingComputer reported, some Emotet emails even contain links that have managed to fool Proofpoint’s URL Defense, a scanning service that verifies the legitimacy of a link.

The emails typically contain instructions telling the recipient to enable macros in an attached document or visit a malicious site hosting a download link. Once the recipient completes the instructions, Emotet is installed and activated on the system, and may launch additional payloads. New builds of Emotet are constantly being released to make it difficult for signature-based antivirus software to detect the threat.

Who has been affected?

The latest Emotet campaign began in early November. The actors seem to be targeting mostly English- and German-speaking users, with the U.S., the U.K., Turkey and South Africa among the countries most affected.

This latest iteration of Emotet features a new module that expands on the trojan’s ability to harvest your contact lists and account credentials. Previous modules relied on the Outlook Messaging API to steal contact lists, but the new module is much more thorough and can harvest data from the subject line and body of any email you have received in the last 180 days. The module can be activated in any system that has been infected with Emotet, which means the data of tens of thousands of emails has probably been harvested over the past few weeks.

What can you do to prevent Emotet infection?

One of the most effective ways to reduce the risk of getting infected with Emotet is to keep macros disabled on your system. Macros are small scripts that can be used to automatically execute malware when you open an attachment. By default, macros are disabled in Microsoft Office, but malware authors will do everything they can to get you to enable them. Unless you have very good reason to enable macros, your best bet is to leave them disabled. And never, ever enable macros if prompted to do so by a document you received via email.

To check your current macro settings in Microsoft Office, click:

File > Options > Trust Center > Trust Center Settings > Macro Settings
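The same Trust Center setting lives in the registry, which is how an administrator audits it across many machines rather than clicking through the dialog on each one. The script below is an added example, not part of the Emsisoft post. It assumes Office 2016 or later (registry version key `16.0`), reads only the current user's hive, and relies on the documented `VBAWarnings` values (1 = enable all, 2 = disable with notification, 3 = disable except signed, 4 = disable all without notification); the function and variable names are mine.

```powershell
# Added example (not from the Emsisoft post): audit Office macro settings from
# the registry instead of clicking File > Options > Trust Center.
# Assumptions: Office 2016/2019/365 (version key "16.0"); run as the user whose
# settings you want to inspect. Outlook stores its macro level under a different
# value name, so only the document-handling apps are covered here.
#
# VBAWarnings (DWORD) values:
#   1 = enable all macros (risky: an emailed document runs its macro immediately)
#   2 = disable all macros with notification (Office default; the "Enable Content" bar)
#   3 = disable all macros except digitally signed macros
#   4 = disable all macros without notification
# A value under HKCU:\Software\Policies\... comes from Group Policy and overrides
# the user's own setting under HKCU:\Software\Microsoft\....

$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'

$Meaning = @{
    1 = 'Enable all macros (NOT recommended)'
    2 = 'Disable all macros with notification (default)'
    3 = 'Disable all macros except digitally signed'
    4 = 'Disable all macros without notification'
}

function Get-RegValue {
    # Returns the named value or $null when the key or value does not exist.
    param([string] $Path, [string] $Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-MacroSetting {
    param([Parameter(Mandatory)] [string] $App)

    $userKey   = "HKCU:\Software\Microsoft\Office\$OfficeVersion\$App\Security"
    $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"

    $policy = Get-RegValue -Path $policyKey -Name 'VBAWarnings'
    $user   = Get-RegValue -Path $userKey   -Name 'VBAWarnings'

    # Separate switch that blocks macros in files carrying the internet
    # Mark-of-the-Web (email attachments and downloads); 1 = block.
    $motw = Get-RegValue -Path $policyKey -Name 'BlockContentExecutionFromInternet'
    if ($null -eq $motw) { $motw = Get-RegValue -Path $userKey -Name 'BlockContentExecutionFromInternet' }

    # Effective value: policy wins; no value at all means Office's default (2).
    $effective = if ($null -ne $policy) { $policy } elseif ($null -ne $user) { $user } else { 2 }

    [pscustomobject]@{
        Application          = $App
        EffectiveSetting     = [int]$effective
        Meaning              = $Meaning[[int]$effective]
        SetByPolicy          = ($null -ne $policy)
        BlocksInternetMacros = ($motw -eq 1)
        Risky                = ([int]$effective -eq 1)
    }
}

$report = $Apps | ForEach-Object { Get-MacroSetting -App $_ }
$report | Format-Table -AutoSize

# Flag any application that lets an emailed macro run without a prompt.
$risky = @($report | Where-Object Risky)
if ($risky.Count -gt 0) {
    Write-Warning ('Macros are fully enabled in: ' + ($risky.Application -join ', '))
}
```

Run it in a normal (non-elevated) PowerShell session as the user in question; `Risky` is true only for the "enable all" setting, which is the one an Emotet lure depends on never having to ask for. `BlocksInternetMacros` reports whether the extra Mark-of-the-Web block is in place, which stops the "Enable Content" bar from appearing at all for attachments that arrived by email.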

Looking beyond macro settings, there are a number of other things you can do to protect yourself against Emotet and other email scams. Some of the most effective include:

For more information, be sure to check out our phishing protection and email attachment malware guides.

Have a good (malware-free) day!
