In recent weeks we have seen a rise in attacks with Emotet malware.
Emotet is a malware strain and a cybercrime operation based in Russia. The malware, also known as Geodo and Mealybug, was first detected in 2014. It was in operation until February this year; the operators then spent a couple of months fixing the bugs that had allowed security professionals to fight the malware effectively. Since July it has been back with all kinds of new features.
The malware uses a few different "templates" to generate the emails that carry it. What we are now seeing most is an email that appears to be a reply to a legitimate email. In most cases the victim even recognizes the email. That is because the makers of Emotet have compromised thousands of email accounts, from which they collect legitimate email messages and later use them to send the malware to the participants in those conversations. They even reference the original message in their reply to make it look more authentic.
This week Emotet also started using fake Windows Update alerts as a lure. In all cases the malware arrives as a Microsoft Office document containing scripts and macros. Under normal conditions Word and Excel do not run these macros, so the document itself tries to convince the victim to enable them, as shown in the example below of the running malware.
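As an added example (this is not code from the original post or from any Emotet analysis tooling), the check below does two things a mail gateway or triage script can do with an Office attachment before anyone opens it: detect whether a VBA project is present, and look for the "Enable Editing" / "Enable Content" wording that macro lures rely on. It assumes the two container formats Office uses: OOXML files (.docx/.docm/.xlsm) are zip archives and store macros as vbaProject.bin, and legacy .doc/.xls files are OLE2 compound files whose macro storage contains a stream named _VBA_PROJECT (the legacy check is a crude UTF-16LE substring scan, not a real OLE parser; olevba from oletools is the proper tool for that). The sample documents are constructed in memory so the script runs offline.

```python
"""Triage an Office attachment for VBA macros and macro-enabling lure text.

Added example, not from the original post. Assumptions are noted inline.
"""
import io
import re
import zipfile

# Magic bytes of an OLE2 compound file (legacy .doc/.xls/.ppt).
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"

# Phrases a macro lure typically shows the victim (assumed wording, add your own).
LURE_PATTERNS = {
    "enable content": rb"enable\s+content",
    "enable editing": rb"enable\s+editing",
    "enable macros": rb"enable\s+macros",
}


def _open_ooxml(data: bytes):
    """Return a ZipFile if the bytes are an OOXML (zip) container, else None."""
    if data[:2] != b"PK":
        return None
    try:
        return zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return None


def has_vba_macros(data: bytes) -> bool:
    """True if the attachment bytes appear to carry a VBA project."""
    zf = _open_ooxml(data)
    if zf is not None:
        with zf:
            # OOXML keeps the macro project as word/, xl/ or ppt/ vbaProject.bin.
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    if data[:8] == OLE2_MAGIC:
        # Heuristic: OLE2 directory entry names are UTF-16LE; the VBA storage
        # contains a stream called _VBA_PROJECT in both Word and Excel files.
        return "_VBA_PROJECT".encode("utf-16-le") in data
    return False


def lure_phrases(data: bytes) -> list:
    """Labels of lure phrases found in the visible text of an OOXML document."""
    zf = _open_ooxml(data)
    if zf is None:
        return []  # legacy OLE2 text extraction is out of scope for this example
    with zf:
        xml = b"".join(
            zf.read(name)
            for name in zf.namelist()
            if name.startswith(("word/", "xl/", "ppt/")) and name.endswith(".xml")
        )
    plain = re.sub(rb"<[^>]+>", b" ", xml).lower()  # strip tags, keep text runs
    return [label for label, pat in LURE_PATTERNS.items() if re.search(pat, plain)]


def triage(data: bytes) -> dict:
    """Combine both checks into a verdict a gateway rule could act on."""
    macros = has_vba_macros(data)
    lures = lure_phrases(data)
    return {"has_macros": macros, "lures": lures, "block": macros or bool(lures)}


def build_sample(with_macro: bool, body_text: str) -> bytes:
    """Constructed minimal OOXML document for offline testing (not a real Emotet sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr(
            "word/document.xml",
            "<w:document><w:body><w:p><w:r><w:t>%s</w:t></w:r></w:p></w:body></w:document>" % body_text,
        )
        if with_macro:
            # Real vbaProject.bin is an OLE2 blob; a stub with the magic is enough here.
            zf.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    lure = build_sample(True, "This document is protected. Click Enable Editing, then Enable Content.")
    clean = build_sample(False, "Quarterly figures attached, see table 2.")
    print("lure :", triage(lure))
    print("clean:", triage(clean))
```

In practice the verdict is a starting point, not a final answer: a macro-free document can still abuse DDE or embedded objects, and an OLE2 file with no _VBA_PROJECT string can still be malicious, so treat "block" as a reason to quarantine for analysis rather than as proof of cleanliness when it is False.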
Be careful when opening attachments, even if they look like part of a legitimate email conversation or seem to come from a trusted party. The makers of Emotet change the software often to prevent it from being detected by anti-virus software.