Emotet is back: the malware that was declared defeated is on the loose again

Threat Alert

The Emotet malware, which was thought to have been defeated at the beginning of the year, is back in circulation. We have summarized the most important questions and answers surrounding the return of Emotet and explain how you can protect yourself from the malware.

What happened?

On November 15, the cybersecurity world was shaken by the news that the infamous Emotet malware was circulating again about half a year after it was destroyed. Emotet was considered the most widespread malware in the past, spreading mainly via spam campaigns and infected attachments of phishing emails.

What exactly is Emotet?

As recently as last year, the infamous malware topped the Global Threat Index 2020 as the most dangerous malware. The malware first appeared in June 2014 and was mainly used to attack the banking sector.

The tricky thing about Emotet: The malware often acts as a door opener for the installation of other malware. The software is not only capable of giving unauthorized people access to data, but is mainly used as a downloader for other malware variants such as TrickBot and IcedID. Originally used as a banking Trojan (spying on online banking credentials), Emotet has recently served more as a spreader of other malware. The program used various methods and evasion techniques to remain operational and undetected.

Why was Emotet considered defeated?

At the beginning of the year, German law enforcement agencies, among others, announced the destruction of the Emotet network: the malware’s infrastructure was destroyed and servers were seized. After that, only harmless updates were distributed until, on April 25, 2021, an Emotet module was deployed that completely removed the malware from infected systems.

What is the status today? 

The masterminds of Emotet have now started resuming their operations. Systems already infected with TrickBot started installing new files from the Internet. Both automated and manual analyses revealed that the files were new Emotet variants. The new version has many similarities with past Emotet programs, but the encryption as well as the certificates used to secure the communication have been slightly changed.

What risks does Emotet pose to my company?

Emotet is known for so-called dynamite phishing. Emotet campaigns are characterized by deceptively real phishing emails with personalized content designed to trick the target into opening attachments. The phishing e-mails are so well disguised that they sometimes imitate colleagues or business partners as senders. A particularly tricky aspect is that past messages from the intended targets are quoted in the phishing e-mails. Recipients can therefore perceive the Emotet e-mails as replies to e-mails they sent previously.

The BSI is already warning of broad-based phishing campaigns such as those observed last year. Companies and public authorities are said to be at high risk, especially due to the additional installation of further malware by Emotet.

Attention. The sending of Emotet spam emails has already begun. Currently, the malware is being distributed to potential victims in the form of *.docm and *.xlsm as well as password-protected ZIP attachments.

What can I do?

  • Be especially skeptical of emails with ZIP attachments. Emotet is usually spread via phishing emails with attachments. Embedded in a ZIP file, Emotet can spread under the radar because it may go undetected by antivirus programs.
  • When you receive a reply to emails you send (usually with a subject that starts with “Re:…”), make sure that the reply actually refers to your message. You can do this by thoroughly checking either the sender or the content of the message. If the text seems unusually worded or out of context, take extra care.
  • If you have doubts about the authenticity of the sender, contact the person by other means, such as a phone call or text message.
  • Network administrators are additionally advised to block or carefully monitor all IP addresses belonging to Emotet to prevent systems on their network from being “recruited” to the newly recovered Emotet botnet.

The list of IP addresses is available here: https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt. Please note that extreme caution should be used when dealing with these IP addresses. If you are not sure how to proceed with these addresses, contact our team. We will be happy to assist you.
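For the monitoring option, the following added example (not part of the original article) matches outbound connection logs against a local copy of such a blocklist and reports which internal hosts contacted a listed address. The list layout ('#' comment lines, one IPv4 address per line), the key=value log format, the function names and all sample values are assumptions constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: assumed layout ('#' comments, one IPv4 per line), RFC 5737 addresses.
SAMPLE_BLOCKLIST = """\
# constructed sample, not the real list
192.0.2.10
198.51.100.77
not-an-ip
"""

# Constructed egress log lines; the key=value layout is an assumption.
SAMPLE_LOG = """\
2021-11-16T08:01:12Z src=10.0.5.23 dst=192.0.2.10 dport=443 action=allow
2021-11-16T08:01:15Z src=10.0.5.40 dst=203.0.113.5 dport=443 action=allow
2021-11-16T08:02:41Z src=10.0.5.23 dst=198.51.100.77 dport=8080 action=deny
2021-11-16T08:03:02Z src=10.0.7.9 dst=192.0.2.10 dport=443 action=allow
malformed line without fields
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def parse_blocklist(text):
    """Return the set of valid IP addresses, skipping comments, blanks and junk."""
    ips = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            try:
                ips.add(ipaddress.ip_address(line))
            except ValueError:
                pass  # not a bare IP address, ignore it
    return ips

def find_hits(log_text, blocklist):
    """Map each source host to the (destination, action) pairs that hit the blocklist."""
    hits = {}
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        try:
            dst = ipaddress.ip_address(fields["dst"])
        except (KeyError, ValueError):
            continue  # line has no parsable destination
        if dst in blocklist:
            src = fields.get("src", "unknown")
            hits.setdefault(src, []).append((str(dst), fields.get("action", "?")))
    return hits

if __name__ == "__main__":
    print(find_hits(SAMPLE_LOG, parse_blocklist(SAMPLE_BLOCKLIST)))
```

Hits with an allowed action deserve the most urgent follow-up, since that traffic reached a listed address; denied hits still indicate a host that tried to connect and should be examined.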