In recent times, many users have discovered that some emails were sent in their name, both to unsuspecting recipients and to known contacts, and contained an attachment with virus-infected Office documents inside. This is the return of Emotet, a very sophisticated and widespread malware that acts as a vector for other types of attacks.
Recently, a feature has been added to Emotet to make its emails even more credible and therefore dangerous.
Basically Emotet steals pieces of emails from real conversations, attaches an infected file to us and replies to the sender of the message.
The victim sees an email in response to his previous message arrive, with a “known” subject (Emotet also adds the “Re:”), where the content is actually that of the original message. The response usually contains a very short and generic text that invites you to open the attachment in the message, without giving other explanations.
The attachment is usually an Office, Word or Excel document, which once opened claims in various ways the need to enable macros to show its content
At this point, if the user enables the macros, Emotet begins its course by connecting addresses (URLs) to download the code (payload) that will infect the victim’s PC.
But this is only the first part of the infection, as we said in fact Emotet acts mainly as a first stage to install much more dangerous malware such as:
Meanwhile, Emotet will continue its course by stealing the email messages of this latest victim, again sending an infected reply message to all the contacts in his address book, using a fake email address as the sender, with the Email Spoofing technique. All this information is then uploaded to the Emotet botnet and prepared for subsequent submissions to victims.
These emails are sent via SMTP servers using usernames and passwords which were stolen in previous attacks.
During each campaign, attackers infect PCs and retrieve data and credentials for new attacks, while the one in progress is ending. When they have accumulated a sufficient number of new victim email addresses, sending credentials, and stolen email texts, they launch the new attack. Months can pass between one sending wave and the next, which are also necessary for attackers to update the Emotet code so as not to be recognized by antivirus or to restore any pieces of dismantled botnet.
It is possible to understand that Emotet is a very sophisticated malware and very complex to manage, it is therefore understood that the organizers of these attacks are technically very prepared, which is why Emotet is so difficult to block.
To make it even more difficult for email providers to analyze these email messages, some versions of Emotet protect the attached ZIP file containing the Office document with the malicious macro with a password.
One of the consequences that occur when corporate PCs are infected with recent versions of Emotet is that email conversations, including attachments (, are stolen and sent to the Emotet botnet. This is in fact a “data breach” that exposes the company to further possible risks, including legal and economic, due to the dissemination and loss of control of this data.
To protect yourself from Emotet it is important to have a multi-level IT security protection, starting from an Email Security solution for company emails, an Endpoint Protection system for PCs and servers, next generation Firewall to protect the company network but above all training dedicated to its collaborators so that they know how these threats arise and how to deal with them.
Qboxmail offers a security service for corporate emails that helps companies protect themselves from attacks such as those of Emotet, also thanks to a service that alerts the company in case abusive access attempts are detected, following the theft of passwords, to own mailboxes.
If you want more information or technical support to secure your emails and your company from possible risks, you can contact Qboxmail, we will be at your disposal to give you all the necessary support.