Emotet is back – and that’s assuming Emotet ever went away.
What started in 2014 as a banking trojan, Emotet has continually morphed throughout the years and is now infecting devices through malicious Excel files being delivered via email. Typical consequences of an Emotet infection are hijacked bank accounts, ransomware attacks, and high-value wire fraud.
Since 2014, the malware has been responsible for $2.5 billion in theft, according to a February report published by Palo Alto Networks Unit 42.
How it Works
Emotet generates fake email replies based on legitimate emails stolen from mail clients of Windows hosts previously infected with the malware. These socially engineered fake emails, which impersonate the original senders, include an attached Excel spreadsheet containing Excel 4.0 macros.
“These macros are an old Excel feature that is frequently abused by malicious actors,” the report stated. “The victim must enable macros on a vulnerable Windows host before the malicious content is activated.”
With macros enabled, Emotet first downloads and then executes an HTML application that infects that computer with malware – as well as the network the computer is connected to. Even worse, if the rogue Excel file is saved to and launched from a USB flash drive, that USB device could distribute the malware over and over again. If Emotet isn’t reason enough to 1) disable Microsoft Office macros, and 2) block USB ports with USB port locks, we don’t know what is.
Just When We Thought Emotet Was Conquered
A year ago, it was reported that Emotet was permanently destroyed when an international law-enforcement collaborative eliminated a network of hundreds of botnet servers that the malware used as to deliver its attack. In November, however, Emotet resurfaced when it was found to be delivering fake Adobe Windows App Installer Packages.
Microsoft to the Rescue
In February, Microsoft announced it will disable all macros by default – not only in Excel, but also in Word, PowerPoint, Access, and Visio – acknowledging that the macros are a preferred method of cybercriminals to deliver malware.
“For macros in files obtained from the Internet, users will no longer be able to enable content with a click of a button,” Microsoft said. “The default is more secure and is expected to keep more users safe including home users and information workers in managed organizations.”
Starting in late April, instead of a button to “enable macros,” users will be prompted with a “learn more” button that will take them to additional information before they can activate macros within a document.