Emotet is back!
Introduction
You are happy because an old acquaintance has contacted you again by e-mail. Attached to the e-mail is an Excel file. You are curious to see what your old friend has sent you. You immediately download the Excel file and open it.
Unfortunately, nothing is displayed except an error message. The error message tells you to copy the file to another directory and open the Excel file from there.
After a short search you have found the directory. You copy the file into the directory and open the file again. Hmm, still nothing interesting is displayed. It seems that it is just an empty Excel file. You are disappointed, but you think nothing bad about it. So, you go back to what you were doing before.
But 2 weeks later your bank contacts you. Someone tried to log in to your online bank account from another country. The bank was able to block your account in time before any money could be stolen.
I hope that this did not really happen to you. But it can happen. Because one of the most notorious botnets in the world is online again.
What is Emotet?
The botnet in question is Emotet, which has been known since 2014. In January 2021 it was thought to have been dismantled: Europol was able to take over the malware's infrastructure and thus remove it from the network. These efforts were apparently in vain, because on November 2, 2022 at 9:00 in Germany, security researchers observed that spam emails carrying malware from the Emotet botnet were being sent out again.
How it works
Emotet proceeds by sending spam emails with a malicious Excel file. The email asks you to download and open the Excel file.
Once the Excel file is opened, you will see a supposed error message asking you to copy the Excel file to a specific directory. The attackers want this because it bypasses one of Excel's protection mechanisms: the Excel file is not just a document, it also contains a program. If you open the file normally, you will see a real SECURITY WARNING pointing out that the file contains scripts, which are currently disabled, and you have to press a button to enable them. When the file is started from one of these directories, however, that button is not displayed. Instead, the scripts, i.e. the program, are executed directly without prompting. As a result, malware is now running on your PC.
Once the scripts in the Excel file run, they contact another server. Most of the time these are hacked servers on which a further piece of malware is stored, which is now downloaded. This malware is used to establish a connection to the attackers.
Via this connection, the criminal hackers have full control over your PC. They can install further malware, for example ransomware, which is malware that encrypts your files and only decrypts them when you pay a ransom.
It is also possible that the hackers install a banking Trojan on your PC. With it, they can steal your online banking account data. This procedure has been observed before with Emotet.
How you can protect yourself
First, you should make sure that the software on your system is up to date. So, if you need to update your operating system or email program, do it now. Antivirus software can also help detect the malware. The manufacturers have already updated their signatures and can thus protect you. For that, you should make sure that your antivirus software is up to date and running. You should also watch out for phishing. Always check the sender and open attachments only when you expect them. It's best to only open attachments in a sandbox. If you'd like me to do a tutorial on that, feel free to post it in the comments.
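The "copy the file to this directory" trick described above works because Excel runs macros without the SECURITY WARNING in its Trusted Locations. The following PowerShell function is an added example, not code from the original post: it lists the Trusted Locations and macro settings of the current user and flags the conditions a defender would want to fix. It assumes an Office 2016/2019/2021/365 installation, which keeps its settings under the 16.0 registry key, and it treats the user profile, TEMP, ProgramData and Public folders as "user-writable" roots (a heuristic chosen for this example).

```powershell
# Added example, not code from the original post: audit the Excel Trusted
# Locations and macro settings of the current user and flag the weak spots
# that a "copy the file to this directory" lure relies on.
# Assumption: Office 2016/2019/2021/365, which keep settings under the 16.0 key.

function Get-ExcelTrustedLocationAudit {
    [CmdletBinding()]
    param(
        [string]$OfficeVersion = '16.0'   # assumption, see above
    )

    $userKey   = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Excel\Security"
    $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\Excel\Security"

    # Roots an ordinary user can write to without admin rights (heuristic); a
    # trusted location under one of these lets a downloaded file run macros silently.
    $writableRoots = @($env:USERPROFILE, $env:TEMP, $env:ProgramData, $env:PUBLIC) |
        Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

    $locations = foreach ($base in @($userKey, $policyKey)) {
        $tlKey = Join-Path $base 'Trusted Locations'
        if (-not (Test-Path $tlKey)) { continue }
        foreach ($sub in Get-ChildItem -Path $tlKey) {
            $props = Get-ItemProperty -Path $sub.PSPath
            if (-not $props.Path) { continue }
            $expanded = [Environment]::ExpandEnvironmentVariables($props.Path).TrimEnd('\')
            $writable = @($writableRoots | Where-Object {
                $expanded.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) }).Count -gt 0
            [pscustomobject]@{
                Source          = if ($base -eq $policyKey) { 'Policy' } else { 'User' }
                Name            = $sub.PSChildName
                Path            = $expanded
                AllowSubfolders = [bool]$props.AllowSubfolders
                UserWritable    = $writable
            }
        }
    }

    # Macro setting: the policy value wins over the user value. VBAWarnings
    # 1 = enable all, 2 = disable with notification (default), 3 = signed only,
    # 4 = disable all without notification.
    $vba = (Get-ItemProperty -Path $policyKey -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
    if ($null -eq $vba) {
        $vba = (Get-ItemProperty -Path $userKey -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
    }
    $allDisabled = (Get-ItemProperty -Path (Join-Path $policyKey 'Trusted Locations') `
        -Name AllLocationsDisabled -ErrorAction SilentlyContinue).AllLocationsDisabled
    $blockMotw = (Get-ItemProperty -Path $policyKey -Name blockcontentexecutionfrominternet `
        -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet

    $findings = @()
    foreach ($loc in @($locations | Where-Object UserWritable)) {
        $findings += "Trusted location '$($loc.Path)' ($($loc.Source)) is user-writable; macros there run without the SECURITY WARNING."
    }
    if ($vba -eq 1) { $findings += 'VBAWarnings=1: all macros are enabled without prompting.' }
    if ($allDisabled -ne 1) { $findings += 'AllLocationsDisabled is not set: Trusted Locations can still bypass the macro prompt.' }
    if ($blockMotw -ne 1) { $findings += 'blockcontentexecutionfrominternet is not set: macros in files downloaded from the internet are not blocked by policy.' }

    [pscustomobject]@{
        VBAWarnings             = if ($null -eq $vba) { 'not set (default 2)' } else { $vba }
        AllLocationsDisabled    = [bool]($allDisabled -eq 1)
        BlockMacrosFromInternet = [bool]($blockMotw -eq 1)
        TrustedLocations        = @($locations)
        Findings                = $findings
    }
}

# Usage: run as the user who opens e-mail attachments.
$audit = Get-ExcelTrustedLocationAudit
$audit.TrustedLocations | Format-Table Source, Path, AllowSubfolders, UserWritable -AutoSize
$audit.Findings
```

Run it in the account that reads e-mail; policy settings pushed by Group Policy land under the Policies key and take precedence, which is why the function reads that key first. An empty Findings list means no user-writable trusted location exists, all macros are prompted or blocked, and files downloaded from the internet cannot run macros by policy.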
If you want to get more tips that will keep you safe in cyber space, follow me on Medium!
The cyber space is dangerous. Take care of yourself!