Emotet, a malware family that was thought to have been defeated at the beginning of the year, is back in circulation. We have summarized the most important questions and answers about the return of Emotet and explain how you can protect yourself against it.
What happened?
On November 15, the cybersecurity world was shaken by the news that the notorious Emotet malware was circulating again, about half a year after it was shut down. In the past, Emotet was considered the most widespread malware, spreading mainly via spam campaigns and infected attachments in phishing emails.
What exactly is Emotet?
As recently as last year, the malware topped the “Global Threat Index 2020” as the most dangerous malware. Emotet first appeared in June 2014 and was primarily used to attack the banking sector.
What makes Emotet so insidious is that it often acts as a door opener for the installation of further malware. The software is capable of gaining unauthorized access to data, but it is mainly used as a downloader for other malware families such as TrickBot and IcedID. Originally a banking Trojan (spying on credentials for online banking), Emotet has more recently served mainly as a distributor of other malware. It used a variety of methods and evasion techniques to stay operational and undetected.
Why was Emotet considered defeated?
At the beginning of the year, German law enforcement agencies, among others, announced the takedown of the Emotet network: the malware's infrastructure was dismantled and its servers were seized. Only harmless updates were distributed afterwards, until an Emotet module was deployed on April 25, 2021 that completely removed the malware from infected systems.
What is the status today?
The operators behind Emotet have now resumed their activities. Systems already infected with TrickBot began downloading new files from the Internet; both automated and manual analysis showed that these files were new Emotet variants. The new versions share many similarities with earlier Emotet builds, but the encryption and the certificates used to secure communication have been slightly changed.
What are the risks of Emotet for my company?
Emotet is known for so-called dynamite phishing: deceptively genuine-looking phishing emails with personalized content, designed to trick the targets into opening attachments, are the hallmark of Emotet campaigns. The emails are so well camouflaged that they sometimes impersonate colleagues or business partners as senders. Particularly insidious is that earlier messages of the targeted persons are quoted in the phishing emails, so recipients can perceive them as replies to emails they sent themselves.
The BSI (Germany's Federal Office for Information Security) is already warning of broad-based phishing campaigns like those observed last year. Companies and public authorities are at high risk, especially because Emotet installs further malware on top of itself.
Attention: Emotet spam emails are already being sent. The malware is currently distributed to potential victims as *.docm and *.xlsm attachments and in password-protected ZIP attachments.
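The two delivery vectors named above can be checked at the mail gateway or in an analysis pipeline without opening the documents. The following Python script is an added example, not code from the original article: it inspects an attachment as a ZIP container (Office Open XML files are ZIP archives), reports a VBA macro project regardless of the extension the file claims, and reads the ZIP encryption flag of plain archives, which is visible without the password. All sample attachments are constructed in memory for the demonstration; the helper names and the finding strings are this example's own.

```python
"""Attachment triage for the delivery vectors named above.

Added example, not code from the original article. It flags the two
attachment types the article names: macro-enabled Office documents
(*.docm, *.xlsm) and password-protected ZIP archives. All sample
attachments are constructed in memory; none of them is real Emotet material.
"""
from __future__ import annotations

import io
import zipfile

# Office Open XML documents are ZIP containers; a VBA macro project is stored
# as word/vbaProject.bin (Word), xl/vbaProject.bin (Excel) or ppt/vbaProject.bin.
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
MACRO_EXTENSIONS = (".docm", ".xlsm", ".pptm", ".dotm", ".xlam")
OFFICE_EXTENSIONS = (".doc", ".docm", ".docx", ".xls", ".xlsm", ".xlsx")
ZIP_ENCRYPTED_FLAG = 0x1  # bit 0 of the ZIP general-purpose bit flag


def triage_attachment(filename: str, data: bytes) -> list[str]:
    """Return a list of findings for one attachment; an empty list means clean."""
    findings: list[str] = []
    if not data.startswith(b"PK\x03\x04"):
        return findings  # not a ZIP container, out of scope for this check
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            names = archive.namelist()
            infos = archive.infolist()
    except zipfile.BadZipFile:
        return ["malformed ZIP container"]

    if "[Content_Types].xml" in names:
        # The container is an Office document: inspect the parts, not the extension.
        if any(part in names for part in VBA_PARTS):
            findings.append("macro-enabled Office document (VBA project present)")
        if filename.lower().endswith(MACRO_EXTENSIONS):
            findings.append("macro-enabled extension: " + filename.rsplit(".", 1)[-1].lower())
    else:
        # A plain ZIP archive: the encryption bit is readable without the password.
        if any(info.flag_bits & ZIP_ENCRYPTED_FLAG for info in infos):
            findings.append("password-protected ZIP archive")
        if any(name.lower().endswith(OFFICE_EXTENSIONS) for name in names):
            findings.append("ZIP contains Office document(s)")
    return findings


def _build_zip(members: dict[str, bytes]) -> bytes:
    """Build an uncompressed ZIP in memory (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def _mark_encrypted(zip_bytes: bytes) -> bytes:
    """Set the encryption bit in every local and central directory header.

    Constructed sample only: the members are not actually encrypted, but the
    headers look exactly like those of a password-protected archive.
    """
    data = bytearray(zip_bytes)
    # Local header: flag field at offset 6; central directory entry: offset 8.
    for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = data.find(signature)
        while pos >= 0:
            data[pos + flag_offset] |= ZIP_ENCRYPTED_FLAG
            pos = data.find(signature, pos + 4)
    return bytes(data)


# Constructed sample attachments: a macro-enabled Word file, a clean Word
# file, a password-protected ZIP carrying a .doc, and a harmless ZIP.
SAMPLES = {
    "invoice.docm": _build_zip({
        "[Content_Types].xml": b"<Types/>",
        "word/document.xml": b"<w:document/>",
        "word/vbaProject.bin": b"constructed stand-in for a VBA project",
    }),
    "report.docx": _build_zip({
        "[Content_Types].xml": b"<Types/>",
        "word/document.xml": b"<w:document/>",
    }),
    "documents.zip": _mark_encrypted(_build_zip({"invoice.doc": b"constructed stand-in"})),
    "photos.zip": _build_zip({"readme.txt": b"nothing to see here"}),
}


def triage_all(samples: dict[str, bytes] = SAMPLES) -> dict[str, list[str]]:
    """Run the triage over every sample and return the findings per file name."""
    return {name: triage_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in triage_all().items():
        print(f"{name}: {findings or 'no findings'}")
```

The check deliberately keys on the container contents rather than on the file name: a renamed `.docx` that still carries `word/vbaProject.bin` is reported, and a password-protected archive is recognized from its headers even though its members cannot be read. What to do with a flagged attachment (quarantine, sandbox detonation, user notification) is a policy decision that belongs in the gateway, not in this check.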
What can I do?
The recommended IP blocklist is available here: https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt. Please note that the utmost caution is required when handling these IP addresses. If you are not sure what to do with these addresses, contact our team. We are happy to support you.
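One concrete use of such a blocklist is to match it against your own firewall or proxy logs: a host that has already reached one of the listed addresses needs incident response, not just a new block rule. The following Python script is an added example, not code from the original article or from abuse.ch. It parses a blocklist in the usual one-address-per-line form (comment lines start with `#`), matches the destinations in a set of log lines against it, and separates allowed contacts from denied ones. The blocklist excerpt, the key=value log format and the addresses (RFC 5737 documentation ranges) are all constructed for the demonstration; in practice the list comes from the URL above and the log lines from your own devices.

```python
"""Match outbound connections against an IP blocklist such as the Feodo
Tracker list linked above.

Added example, not code from the original article or from abuse.ch. The
blocklist excerpt and the firewall log lines below are constructed with
RFC 5737 documentation addresses; in practice the list comes from the
URL in the article and the log lines from your own firewall or proxy.
"""
import ipaddress
import re

# Constructed stand-in for the downloaded blocklist: comment lines begin with
# '#', every other non-empty line is expected to hold one IP address.
BLOCKLIST_TEXT = """\
# Constructed excerpt in the style of an abuse.ch blocklist (not real data)
# Last updated: <placeholder>
#
198.51.100.23
203.0.113.77
192.0.2.8
not-an-address
"""

# Constructed firewall log lines in a simple key=value format (hypothetical hosts).
LOG_LINES = [
    "2021-11-16T08:01:12Z host=ws-017 src=10.20.1.17 dst=203.0.113.77 dport=443 action=allow",
    "2021-11-16T08:01:15Z host=ws-017 src=10.20.1.17 dst=192.0.2.200 dport=443 action=allow",
    "2021-11-16T08:02:40Z host=ws-042 src=10.20.3.42 dst=198.51.100.23 dport=8080 action=allow",
    "2021-11-16T08:03:01Z host=srv-mail src=10.20.0.5 dst=192.0.2.8 dport=25 action=deny",
    "garbage line that does not match the log format",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\S+)$"
)


def parse_blocklist(text: str) -> set:
    """Return the set of IP addresses in a blocklist, skipping comments and junk."""
    addresses = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            addresses.add(ipaddress.ip_address(line))
        except ValueError:
            continue  # one malformed line must not break the whole import
    return addresses


def find_blocklist_contacts(log_lines, blocklist) -> list:
    """Return every parseable log entry whose destination is on the blocklist."""
    hits = []
    for line in log_lines:
        match = LOG_RE.match(line)
        if match is None:
            continue  # unparseable line: skip, but count separately in production
        try:
            dst = ipaddress.ip_address(match["dst"])
        except ValueError:
            continue
        if dst in blocklist:
            hits.append({
                "ts": match["ts"], "host": match["host"], "dst": str(dst),
                "dport": int(match["dport"]), "action": match["action"],
            })
    return hits


def hosts_needing_response(hits) -> set:
    """Hosts whose contact with a listed address was allowed, i.e. likely infected."""
    return {hit["host"] for hit in hits if hit["action"] == "allow"}


if __name__ == "__main__":
    blocklist = parse_blocklist(BLOCKLIST_TEXT)
    hits = find_blocklist_contacts(LOG_LINES, blocklist)
    for hit in hits:
        print(hit)
    print("hosts to isolate and investigate:", sorted(hosts_needing_response(hits)))
```

A denied connection still tells you that a host tried to reach a listed address, so it belongs in the same investigation even though the block rule worked. Such lists change frequently; re-download them on a schedule rather than matching against a stale copy.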