29.11.2021 - In recent days, several countries have reported the return of Emotet. Now, such spam emails from .ch senders have also been observed. Emotet is often hidden in Microsoft Office files and requires macros to install the malware on the IT system, e.g. a computer. These attacks can affect private users, as well as companies, authorities and critical infrastructures. The NCSC recommends being extremely cautious, especially in the case of emails with attached files.
In January 2021, Europol announced a major operation, dubbed Operation Ladybird, to disrupt Emotet, which involved taking command and control servers offline and having Europol take over the botnet. In recent weeks, however, security experts from all over the world have reported renewed attacks with this malware. In the past few days, Emotet has also been observed in Switzerland, with emails containing infected attachments being sent from four ".ch addresses". The attached Excel files contain malicious macros. Therefore, the NCSC recommends, as a matter of urgency, blocking Microsoft Office documents on email gateways (.xlsm, .docm). An overview of the Emotet payload delivery sites is available at:
Emotet – the most dangerous malware in the world
Emotet is a form of malware that is mainly sent via spam emails. Initially, Emotet was purely a banking Trojan. The attackers' goal was to get into the victims' IT system in order to obtain the access credentials for their bank accounts. After that, Emotet functioned as a downloader or dropper. Droppers are frequently used to download additional modules. Access to the infected IT systems is often sold on to other groups. These groups place ransomware via the access points, encrypt the data on the network and then demand a ransom.
It is very difficult to remove the Emotet malware once it is in the system. Emotet is highly adaptable. For example, it is capable of using email harvesting to read contact relationships and email content from the mailboxes of infected systems. The data collected can then be used to launch further attacks. The new victims receive fake emails supposedly from colleagues, business partners or acquaintances and are tricked into opening the Word file and executing the Office macros it contains.
How to protect yourself from Emotet:
- Be wary of emails even from supposedly known senders, especially those with file attachments and links;
- If you receive a suspicious email, try to contact the sender directly and check the credibility of the content;
- Block documents with active macros on your email and proxy programs;
- Immediately install all currently available security updates for operating systems, antivirus programs, web browsers, email clients and Office programs;
- Protect VPN access with two-factor authentication and ensure that all exposed devices are quickly patched;
- Regularly make a backup of your data on external media and store it offline;
- Keep at least two generations of backups;
- Companies should continuously monitor access to their corporate networks;
- Forward malicious emails to reports@antiphishing.ch or use the relevant form to report suspicious emails to the NCSC's contact point.
Last modification 29.11.2021
