Explanation of the threat of malware Emotet

An easy-to-understand explanation of the threat of malware "Emotet"

The malware "Emotet" has been appearing in the news more and more often. In this post, I will explain the characteristics of Emotet and why it is regarded as so dangerous.

What is Emotet?

Emotet is malware that spreads through malicious emails (attack emails) sent by attackers.

It was featured in the media around the end of November 2019 and became widely known. In January 2021, a large-scale takedown led by Europol appeared to have eliminated the Emotet threat, but its activity was confirmed to have resumed in November 2021, and Emotet infections have been increasing in Japan since then.

SoftBank is also stepping up its vigilance, for example by deciding to abolish the use of password-protected compressed files as part of its Emotet countermeasures.

Emotet attack method

Emotet is distributed mainly via email.

In the basic attack method, the malicious code is embedded in files (mainly Word and Excel files) attached to malicious emails. The attached file contains text urging the recipient to run a macro; when the recipient fails to notice the deception and clicks "Enable Content", the macro runs and the device is infected with Emotet.

In Japan, "scatter-shot attacks" are carried out in which large volumes of these malicious emails are sent.

Because the emails are crafted to look legitimate, recipients often do not realise they are malicious and are led to infection. Moreover, the infection methods are sophisticated and varied, and the damage keeps spreading.

Why Emotet became serious enough to make the news

Emotet itself does not contain malicious code

Emotet also acts as a platform that lets other malware into infected devices.

Emotet can get into your device by abusing legitimate features such as macros, which antivirus software does not flag, and this is one reason it infects devices more easily than typical malware. Tools exist that can detect it, but when a new variant appears it often slips past detection, so there is no room for complacency.

The ingenuity of scatter-shot emails that raise no suspicion

The scatter-shot attack that took place in November 2021 was more sophisticated than ever, making it hard to tell that the emails were malicious.

The emails were disguised as natural replies within an actual, legitimately exchanged email thread, with "RE:" added to the subject line and a malicious file attached.

The recipient, seeing an email cut into the thread with the same subject, opened the attachment believing it to be a legitimate reply and was infected with Emotet.

In addition, in December 2019 a pattern disguised as an email about bonuses appeared, and in January 2020 a pattern disguised as guidance from a public health center about the novel coronavirus appeared. We have also confirmed other emails crafted so as to arouse no suspicion at all.

Getting users to download malicious files themselves

Emotet's mainstream method is to use macros to get in without the device's user noticing, but in November 2021 a method also appeared in which the attacker impersonates a legitimate service and gets the user to download an unauthorized file.

When you click the link in the email body, the browser shows a page disguised as a PDF file and prompts you to download a file supposedly needed to view it.

Because the means keep changing, from attachment macros to realistic email text to downloads of files supposedly needed to view a PDF, Emotet can be said to be malware that is very difficult to detect even when you are careful.

Damage caused by infection with Emotet

It brings in other malware

If you let Emotet in, other malware is downloaded one after another and the damage spreads.

Some of the downloaded malware is designed to be hard for users and security staff to analyse, for example malware that is never saved as a file and runs only in the device's memory.

Important information is stolen

Information-stealing modules are also downloaded, so there is a risk that credentials and confidential information on the network will be leaked to the outside and misused.

In some cases, after the Emotet infection and fraudulent activity such as information theft, downloaded ransomware encrypts the data and renders the device unusable. In the worst case, you can no longer investigate what information was stolen or what the cause was.

Emotet spreads to other terminals in the company

Emotet has a self-propagating worm function.

Once inside, it looks for security gaps and breaks into other terminals on the network. It has also been confirmed that Emotet updates itself frequently while hiding on the terminal and carrying out its activities.

Infection can spread explosively within an organization, and the frequent updates can delay the response.

Used as a stepping stone for distributing Emotet outside the company

The stolen credentials may be misused to carry out Emotet distribution attacks, disguised as legitimate email, against contacts with whom there is a history of email exchanges.

If customers are hit by such a scatter-shot attack, it may be necessary not only to issue an alert but also to provide compensation.

Emotet countermeasures you can take right now

Given that Emotet's basic attack method is to run a macro in an attached file or to have the user download from an unauthorized link, the following measures can be taken immediately.

Check the sender to see whether the email address you received is from a suspicious domain

Check the settings so that macros in attached files are not executed automatically

(set the macro setting to "Display a warning and disable all macros", i.e. disable all macros with notification)

Check whether URLs in the email body are suspicious links

Back up important systems and data
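As an added example (not code from the original post), the following Python script applies the header and body checks above to a raw email: sender domain, a "RE:" lure with no reply header, a display name that advertises a different address, macro-capable attachments, and links to unknown hosts. The allow-list of known domains and the sample message are constructed assumptions.

```python
import re
from email import message_from_string

KNOWN_DOMAINS = {"example.co.jp"}  # constructed allow-list of domains we correspond with (assumption)
MACRO_EXTS = (".doc", ".docm", ".dot", ".dotm", ".xls", ".xlsm", ".xlam")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def triage(raw):
    """Return the Emotet-style indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    # Split From: into display name and address by hand (quoted names may contain '<').
    m = re.match(r'\s*"?(.*?)"?\s*<([^<>]+)>\s*$', msg.get("From", ""))
    name, addr = (m.group(1), m.group(2)) if m else ("", msg.get("From", "").strip())
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain not in KNOWN_DOMAINS:
        findings.append(f"sender domain not on known list: {domain or '<none>'}")
    # A display name claiming a known address while the real address is elsewhere is the hijacked-thread tell.
    claimed = re.search(r"@([\w.-]+)", name)
    if claimed and claimed.group(1).lower() != domain:
        findings.append(f"display name claims {claimed.group(1)} but address is {domain}")
    if re.match(r"\s*(re|fw|fwd)\s*:", msg.get("Subject", ""), re.I) and not msg.get("In-Reply-To"):
        findings.append("subject looks like a reply but there is no In-Reply-To header")
    for part in msg.walk():
        fname = (part.get_filename() or "").lower()
        if fname.endswith(MACRO_EXTS):
            findings.append(f"macro-capable attachment: {fname}")
        if part.get_content_type() == "text/plain":
            body = part.get_payload(decode=True).decode(errors="replace")
            for url in URL_RE.findall(body):
                host = url.split("//", 1)[1].split("/")[0].lower()
                if host not in KNOWN_DOMAINS:
                    findings.append(f"link to unknown host: {host}")
    return findings


# Constructed sample: a "RE:" lure with a spoofed display name, a .doc attachment and a link.
LURE = """\
From: "Tanaka <tanaka@example.co.jp>" <tanaka@mail-relay.example.net>
Subject: RE: Invoice for November
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please check the attached file. http://files.example.net/view.pdf
--b1
Content-Type: application/msword
Content-Disposition: attachment; filename="invoice.doc"

--b1--
"""
```

Running `triage(LURE)` reports all five indicators; a genuine reply from a known domain with an In-Reply-To header and no macro attachment yields an empty list.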

These measures can be taken immediately, but they rely on employees carrying out routine checks and judging for themselves whether something is suspicious.

Against cleverly crafted emails that arouse no suspicion, such as text you would not notice even when reading it carefully, or spoofed messages injected into an ongoing exchange, it is extremely difficult to block Emotet 100%. Therefore, the most effective approach is not only the measures that can be taken immediately but also the introduction of a new mechanism.

What are the really necessary Emotet measures?

What kind of measures are effective against Emotet, which gets in by such clever means?

Should I educate employees not to run attachment macros?

Is it safe as long as antivirus software is installed?

Is it safe to use a file-sharing service instead of attachments?

In conclusion, none of these is safe.

The reasons are explained in the downloadable material.

We also introduce actual Emotet attack emails and defense cases in which damage was prevented despite an Emotet infection, so please download it and take a look.