The CERT BWL informs: New Emotet wave with previously unknown infection methodology [21.07.20]
After months of inactivity, Emotet infections are once again being registered in growing numbers. In contrast to past waves of infection, the current wave uses infection methods that had not been observed before.
Facts
After hardly any new Emotet activity had been recorded since the beginning of February 2020, a new wave of infections and spam was registered on 17.07.2020. The basic method of infection has not changed: as a rule, potential recipients receive Microsoft Office documents, or links to such documents, by e-mail together with a request to open them. If macros are enabled on the target computer, the malicious macros contained in the document run and install Emotet automatically.
What is new is that the malicious documents use URLs that often point to compromised WordPress sites. In addition to the doc files used previously, pdf files have also been identified as malicious attachments in the current wave. Furthermore, the current wave uses a new lure: on the PC, a message claims that the document cannot be opened properly because it was allegedly created under iOS. Clicking on this error message opens the door for the Trojan.
So far, the message about the alleged creation of the document in iOS is only available in English, but it should only be a matter of time before a corresponding message in German is also displayed.
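For mail-gateway or SOC triage of the attachments described above, the following added example (not CERT BWL code) inspects an OOXML attachment for an embedded VBA project and for document text matching an "created on/under iOS" lure. The lure pattern and the sample files are constructed assumptions; legacy OLE .doc files and pdf attachments are out of scope for this helper.

```python
"""Triage helper for OOXML attachments: flags files that embed a VBA project
and whose document text carries a 'created on iOS' style lure.
Lure wording and sample files are constructed, not taken from real samples."""
import io
import re
import zipfile

# Constructed pattern for the lure the advisory describes; real wording varies.
IOS_LURE = re.compile(r"(created|edited)\s+(on|under|in)\s+iOS", re.IGNORECASE)


def triage_ooxml(data: bytes) -> dict:
    """Return indicators for one OOXML (docx/docm/xlsm/pptm) attachment."""
    result = {"ooxml": False, "has_vba": False, "ios_lure": False}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            result["ooxml"] = "[Content_Types].xml" in names
            # A VBA project inside an OOXML container is stored as vbaProject.bin.
            result["has_vba"] = any(n.lower().endswith("vbaproject.bin") for n in names)
            # Document text lives in XML parts under word/, xl/ or ppt/; strip tags, search.
            for n in names:
                if n.endswith(".xml") and n.split("/")[0] in ("word", "xl", "ppt"):
                    text = re.sub(r"<[^>]+>", " ", zf.read(n).decode("utf-8", "replace"))
                    if IOS_LURE.search(text):
                        result["ios_lure"] = True
                        break
    except zipfile.BadZipFile:
        pass  # not an OOXML container (e.g. legacy OLE .doc or pdf): not handled here
    return result


def verdict(result: dict) -> str:
    """Macro plus lure is the combination the advisory describes: quarantine it."""
    if result["has_vba"] and result["ios_lure"]:
        return "quarantine"
    if result["has_vba"] or result["ios_lure"]:
        return "review"
    return "pass"


def build_sample(with_vba: bool, body: str) -> bytes:
    """Constructed minimal OOXML container for testing (not a real malicious file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", f"<w:document><w:t>{body}</w:t></w:document>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")  # placeholder bytes
    return buf.getvalue()
```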
Evaluation
The current Emotet wave uses a previously unknown lure that is intended to entice people to open files or activate content. The underlying infection mechanisms, however, remain the same as in the past (activation of content, clicking on malicious links, downloading additional malware).
Recommendation
Check e-mails with attachments or links carefully. If in doubt, phone the purported sender to confirm that they actually sent you such an e-mail.
Never click on links in e-mails from supposedly known senders, even if the subject and text seem plausible at first glance, and never open attachments of such e-mails that you cannot identify.
Do not activate content or macros when the program prompts you to do so, and be skeptical if you see a message claiming that a document was created under iOS.
If an e-mail seems suspicious to you, please contact the KIM immediately.