These dirty tricks spread the Emotet Trojan

Almost every day, the Federal Office for Information Security (BSI) issues new warnings about the Emotet Trojan. The problem: The perpetrators often change their strategy and find new ways to trick their victims with fraudulent mails.

The camouflage

The Trojan hides either in a Word document in the file attachment or behind a manipulated link. This in turn can be included in the mail text itself or in a Word or PDF document attached. The link text and the destination vary frequently. Clicking on it will download a malicious Word document.

Some of these Trojan emails contain both an infected file attached and a malicious link.

Content and sender

Sometimes it’s about an invoice, sometimes about a direct debit, sometimes about updated user agreements: the criminals choose different pretexts to get users to open the e-mail content. In addition, they slip into the role of large companies, such as the Sparkasse , Microsoft or Telekom – but also of corporate customers, job applicants or contractors. These methods are also known from phishing emails. How to recognize the fraud, we explain in an article and in this slideshow .

The trick with the macros

Opening an Emotet mail alone is not dangerous yet. However, anyone opening the infected Word document will be prompted to enable the macros. This will eventually kill the malware.

Again, the fraudsters use various tricks to lure the users into the trap. For example, you change the layout of infected Word documents and claim that the user needs an “admin permission” to open the document. Following the instructions will cause the macros to be activated.

What happens when you run the program?

According to the BSI, the Trojan software reads the e-mail content and contacts. This information is used by the perpetrators to send further fraud mails. For the recipients, it looks as if the mail came from someone they know. This inspires confidence and tempts to open the dangerous content.

Once the system is infected, Emotet reloads other malware, such as the banking Trojan Trickbot. In addition, perpetrators can access sensitive data, such as log-in information for online banking, or even take control of the system.

What to do if the computer has been affected

The BSI recommends those affected to inform their environment about the problem. In particular, the mail contacts should be notified, so they do not fall for the fraud . All access data stored in the web browser should be changed. Since the malicious programs make some profound changes to the infected system, the computer should also be set up again.