There is a variant of EMOTET trojan that is very dangerous and can bypass multiple endpoint protections. EMOTET is commonly delivered via email with an attachment or a link within the email similar to a number of phishing emails that you probably have received in the past.

Why is this any different and why is it so IMPORTANT?

  1. Let’s start with what happens if you were to be become infected: It transmits information to botnet (spam) servers that contains email addresses, subject and email content that you’ve sent or received.
  2. Once botnet has this information, it then uses that information using spoofed (fake) email addresses as you and uses the emails you have sent as fake replies to the people who received the email.
  3. The unsuspecting people receiving this email may think it is coming from you because it is it is a very familiar email from you. This increases the likelihood by twofold of the recipient to click on the attachment.
  4. The recipient opens the attachment…becomes infected…and the cycle starts over at step 1 with new emails addresses and content.

Why didn’t my spam filters stop this email?

Because it is using content of emails that the infected has previously sent, it increases the likelihood of the email bypassing email spam filters because it looks like a legitimate email.

Why doesn’t my antivirus/antimalware (AV) installed on my computer stop this?

EMOTET fools most AV software by staying dormant/sleeping while the AV software inspects and tries to figure out what it is. Once the AV software says it is OK, EMOTET installs itself and other malware on the computer. After a period of time, the AV software goes “WAIT!” This is bad and disables the threat. By this time it is too late, information has already been transferred to botnet servers.

Another way that EMOTET is bypassing AV software is that malware developers are constantly changing EMOTET so that AV software doesn’t know about it.

YIKES!! What else can it do?

Now that these malicious people have email addresses and reputable email content, it will continue to try to get information from your contacts. It can also replace the attachments/links with ransomware which can encrypt all your files and ask for money to get it back.

OK!!! THIS IS VERY SERIOUS!!! What can I do about it?

  • Train your employees to inspect emails with attachments and links before clicking on it. Here are some tips: https://cbm.technology/how-to-protect-yourself-from-phishing-attempts/
  • Have appropriate anti-phishing filters (not the same as spam filters unfortunately, it is a different way of handling these)
  • Have appropriate and updated endpoint protection that is designed for the latest threats such as EMOTET
  • Contact your IT provider to see if you are or have been infected in the past.
  • Lastly – Periodically train your employees to inspect emails with attachments and links before clicking on them.  Technology can aid in reducing the risks of being compromised, however human intervention is still a necessity.

Other resources:
US Dept of Homeland Security – https://www.us-cert.gov/ncas/current-activity/2020/01/22/increased-emotet-malware-activity