The GR CSIRT Cyber ​​Incident Response Team informs that there is an increased activity of sending emails that contain the malicious Emotet software that affects many organizations in the country.

Emotet malware spreads through emails that contain malicious Word documents. The documents use macros to download and install Emotet Trojan on the victim’s computer. After a short break, the malware returned to service on October 14 and began sending malware worldwide. The important thing is that he uses various social engineering! techniques to gain access to the attacker and avoid locating him.

What happens;

The Systems that are infected are …

Windows systems, networks and servers.

What it means;

Recently, there has been an increase in Emotet activity in Greece as well. It spreads via email and emails contain malicious attachments or links that the recipient is encouraged to download. These links and attachments may look like genuine invoices, financial documents, shipping information, resumes, scanned documents, or covid-19 information.Emotet is designed to steal login credentials for email accounts. The breached credentials are then passed on to spam bots that send large numbers of unsolicited emails to further spread the malware. Alternatively, they may steal information in your mailbox and use it. For example, they can use the content of an existing email conversation as a pretext to make the email appear legitimate.

Who is at risk?

Anyone can be infected by Emotet, including individuals and businesses.

How can we say we are infected?

You may receive emails from people on your contact list informing you that they have received phishing emails from you that contain malware. As malware continues to evolve, antivirus software does not always detect infections. In case you consider that you are infected, report the incident to https://csirt.cd.mil.gr/ and to the email csirt@cd.mil.gr

What to do;

Protection

As Emotet spreads through malicious documents, it is important that you take the following steps:

  • Disable macros in MS-Office.
  • Only enable macros that have a digital signature or from trusted locations.
  • Make sure the antivirus software on the terminal device is active and up to date.
  • Limit the use of PowerShell to running only signed scripts.
  • Use mail and web filters to block Emotet and C2 documents.
  • Strict control of programs that are allowed to operate in the professional environment

Treatment

  • Isolate the contaminated machine as soon as possible.
  • Check for other compromised machines in your environment.
  • Restore your systems to a previous state.
  • Change the passwords of the accounts and obligatorily for passwords to local admin passwords and domain admin passwords
  • Inform and advise those on your contact list not to open attached emails sent by you.
  • Back up your systems
  • Isolate the infected network if required.