Emotet, the virus stealing email fragments to be more credible

Recently, users have reported emails being sent under their name, both to unknown recipients and contacts. Messages contained a virus-infected Office documents attached to them. What we have in front of our eyes is the return of Emotet, a very sophisticated and widespread malware that acts as a vector for other types of attacks.

Recently, a feature has been added to Emotet to make its emails even more credible and, therefore, dangerous.

Basically, Emotet steals email fragments from real conversations, creates emails with infected files attached, while also replies messages received to the victim’s Inbox.

The victim sees an email in response to a previous message arrive, with a “known” subject (Emotet also adds the “Re:”), where the content is actually that of the original message. The response usually contains a very short and generic text that invites you to open the attachment in the message, without giving other explanations.

The attachment is usually an Office, Word or Excel document which, once opened, claims in various ways the need to enable macros to show its content.

At this point, if the user enables macros, Emotet begins its course by connecting addresses (URLs) to download the code (payload) that will infect the victim’s PC with viruses and malware.

Emotet endangers the whole company

But this is only the first part of the infection. As mentioned before, Emotet acts mainly as a first stage to install much more dangerous malware, including:

• a banking Trojan (eg TrickBot or QakBot) that aims at stealing money by changing the IBAN codes or the bank transfer details in invoices and other financial documents;
• a ransomware that aims to encrypt data and then ask for a ransom;
• an infostealer that aims to steal data through screenshots, keyloggers, or passwords stored in various programs.

Meanwhile, Emotet will continue its course by stealing the email messages of its latest victim, sending an infected reply message to all the contacts in their address book, using a fake email address as the sender (a.k.a. Email Spoofing technique). All this information is then uploaded to the Emotet botnet and prepared for subsequent submission to other victims.

These emails are sent via SMTP servers using usernames and passwords that were stolen in previous attacks.

The attacks start in waves

During each campaign, attackers infect PCs and retrieve data and credentials for new attacks, while the one in progress is ending. When they have accumulated a sufficient number of new victim email addresses, sending credentials, and stolen email texts, they launch a new attack. Months can pass between one sending wave and the next, which are also necessary for attackers to update the Emotet code so as not to be recognized by an antivirus or to restore any pieces of dismantled botnet.

Evidently, Emotet is a sophisticated malware and it can be complex to manage. The organizers behind these attacks are technically very prepared, which is why Emotet is so difficult to block.

Virus inside password-protected ZIP file

To make it even more difficult for email providers to analyze these email messages, some versions of Emotet protect the attached ZIP file containing the Office document with the malicious macro with a password.

Emotet and Data Breach

One of the consequences that occur when corporate PCs are infected with recent versions of Emotet is that email conversations, including attachments, are stolen and sent to the Emotet botnet. This is in fact a “data breach” that exposes the company to further possible risks, including legal and economic, due to the dissemination and loss of control of their data.

How to protect yourself from Emotet

To protect yourself from Emotet, you must have a multi-level IT security protection. This includes Email Security solution for company emails, an Endpoint Protection system for PCs and servers, next generation Firewall to protect the company network and, above all, training collaborators know the threats related to malware and viruses, how to recognize, and deal with them.

Qboxmail offers a security service for corporate emails that helps companies protect themselves from a number of cyberattacks, including Emotet, thanks to a service that alerts the company in case abusive access attempts are detected, following password theft to whole mailboxes.

If you want more information or technical support to secure your emails and your company from possible risks, you can contact Qboxmail. We will be at your disposal to give you all the necessary support.