Emotet takes spam to a new level. The Trojan also owes its great “success” to its sophisticated spread-tactics.

Emotet replicates itself like a worm and spreads itself using stored contact information and email histories. Not only does it use known names and email addresses, but it even hijacks current email histories. Infected emails therefore also come as an (apparent) response to an existing thread, with a familiar subject, “real” content and realistic sender data. Other campaigns send invoices, payment reminders or complaints. One of the most recent campaigns referred to Snowden’s latest book – the attackers are always trying to trap the recipients with new themes.

If not with foreign names or mail addresses, one should get suspicious at the latest with unexpected attachments (gladly word documents with activated macros or PDFs), links, scripts (please always block auto scripts!) or data exchange platforms (DropBox, One-Drive…).

Security Tip 1#: Awareness

Ask yourself with each email: Do you know the sender and expect a message with attachment, link or script?

• No? Do not open the document or click on the link!
• Yes, the sender name is known and the files or links match the displayed conversation? If in doubt, ask the sender before opening or clicking.

One thoughtless click and the malicious code is executed, more malware is downloaded and distributed. The naked eye is quickly overwhelmed by the tricks of the “bad guys”, security expert Benjamin Paar says: “Some URLs look familiar at first glance, but may have an inconspicuous bug built in. For example, the domain  www.lKARUS.at can stand behind www.LKARUS.at* if the big i is almost imperceptibly exchanged for a small l. This is a common, extremely mean and hard to find method, usually not recognizable without machine support.”

Emotet rages worldwide and nationwide, we also look at tailor-made campaigns for Austria and Germany. Companies, authorities and private individuals are equally at risk. In addition to the obligatory technical security precautions (keeping software up-to-date, blocking malware protection on the end device as well as for email and web gateways, scripts and macros), vigilance and caution are helpful. Inform and train yourself and all employees specifically about the dangers and features, and regularly refresh this knowledge and memory.

Difficult to detect polymorphic virus

Originally designed as a banking Trojan, Emotet has evolved over the past five years into a botnet that also serves other attackers. The malware can install further (banking) Trojans and receive updates at any time. Passwords and data are read, for example from the browser, and user accounts are attacked.

Emotet is also a polymorphic virus, its code is usually changed three times a day, according to our observations. Virtual and sandbox environments are also detected, making it difficult to spot. Local virus scanners can thus reach their limits, and we recommend that you also secure your email gateways. Be sure to patch security holes in your hardware and software, as known system vulnerabilities are also used to spread the Trojan.

If it happens anyway, disconnect the infected computers from the Internet and all networks immediately. Clean the system and eliminate the vulnerabilities. Infected devices should be reinstalled; otherwise the spook will quickly start all over again. The IKARUS Support Team at +43 1 58995-400 or support@ikarus.at offers help with prevention and in case of infection.

*To avoid confusion, we have purchased the domain www.lkarus.at and redirected it to our website www.ikarus.at.