from Wikipedia, the free encyclopedia
Surname Emotet
Known since 2014
Virus type Macro virus
Host files MS Office documents
Stealth Yes
Memory resident Yes
system Windows
programming language C ++ macro
info Installs additional malware on
infected systems

Emotet is a family of computer malware for Windows systems in the form of macro viruses , which infect recipients with Trojans via attachments of very real-looking e-mails . When a recipient opens the attachment or the attachment of the email, modules with malicious functions are reloaded and executed. Authorities and companies are the main victims of the malware. The aim of the attacks is to paralyze the victim's entire IT and / or to extort ransom payments. In January 2021, Emotet was rendered harmless by Europol .


Emotet was first identified by Trend Micro in June 2014 . Affected were customers of German and Austrian banks, whose access data was intercepted via a man-in-the-browser attack. Since then, several evolutionary stages of the Trojan have been discovered, which gradually spread in waves around the world. Since the end of 2018, Emotet has also been able to read and use content from e-mails, which further increased the risk and led to the BSI explicitly issuing a warning about this malicious program . The affected recipients now received emails with authentic-looking but made-up content from senders with whom they were previously in contact. In addition, the names and e-mail addresses of the sender and recipient in the subject, salutation and signature of earlier e-mails were consistent and also enticed sensitized users to open the harmful file attachment or the link contained in the message. In individual cases, this resulted in failures of the entire IT infrastructure and restrictions in critical business processes , which resulted in damage amounting to millions. There were major production downtimes and entire company networks had to be rebuilt after being infected with Emotet. The CERT Association and the police authorities reported a large number of infections, especially among companies and authorities. The Heise Group and the Berlin Supreme Court were also affected . The appellate court was advised in an expert opinion to "completely rebuild the IT infrastructure".

In August 2020, the BwFuhrparkService , which partly also provides the transport service for the German Bundestag , was the target of a hacker attack carried out with Emotet .

In January 2021, Europol , led by Dutch investigators from politics and German investigators from the Federal Criminal Police Office , succeeded in taking over the malware's infrastructure and then smashing it.

Features and function

Emotet is based on methods that are known from APT attacks , which have been adapted and automated for automated and mass use. The distribution takes place primarily through so-called " Outlook harvesting", that is, through the creation of authentic-looking spam mails based on read out e-mail content and contact details of users who are already affected. The e-mails generated in this way appear particularly authentic and personal and stand out from normal spam mail . Emotet is usually brought to the victim's computer through infected e-mail attachments in Word format. Various messages are used to try to get the user to activate the active content so that the infection can occur. Emotet is also able to reload additional malware, which then enables access data to be read out or remote access . The downloaded software can also use various other vulnerabilities , such as the SMB vulnerability EternalBlue , to spread further.


Before the infection

The basic requirement for all protective measures is the installation of current security updates and the availability of current backups that are physically separated from the network. As a direct countermeasure, the execution of macros can be completely deactivated via group policy in Active Directory . If this is not possible, at least only the execution of signed macros can be permitted via group policy. Word attachments can also e. B. opened in LibreOffice , because the macros do not work there. Since passwords are read from Firefox and Outlook or Thunderbird , the use of a password manager is recommended. Working with reduced user rights (no admin rights), especially when surfing the Internet and opening e-mail attachments, makes sense to prevent the system files from being infected. Strong passwords are recommended for administrative accounts as Emotet tries to find them using brute force methods .

Emotet uses a number of command and control servers that infected clients want to connect to. The Cryptolaemus security team provides daily security reports with a list of known IP addresses and / or DNS names from these servers. Any connection attempts can be identified through a firewall with monitoring.

After the infection

Emotet uses various techniques to hide from antivirus software and is therefore difficult to remove from an infected system. The most important measure after an infection is detected is that the infected system is isolated as quickly as possible, i. H. from the rest of the company network and from the Internet, as Emotet tries to infect other computers in the network. You should also refrain from using an account with administrative rights on an infected system in order to limit further damage. Since the damage caused also extends to system files, the system should be reinstalled in order to guarantee complete elimination. Backups can then be used for recovery if it has been proven that they are not infected, that is, they were not physically connected to the network during the Emotet attack or were permanently write-protected.

Web links

Individual evidence

  1. a b Alert (TA18-201A) - Emotet Malware. US-CERT , July 20, 2018, accessed June 6, 2019 .
  2. World's most dangerous malware EMOTET disrupted through global action. Retrieved January 27, 2021 .
  3. Paweł Srokosz: Analysis of Emotet v4. CERT Polska, May 24, 2017, accessed June 7, 2019 .
  4. a b c Current information on the Emotet malware. In: BSI for citizens. BSI , accessed on June 8, 2019 .
  5. a b Dangerous malware - BSI warns of Emotet and recommends protective measures (press release). BSI , December 5, 2018, accessed June 8, 2019 .
  6. a b Warning against malware: "Emotet" endangers entire networks. Tagesschau (ARD) , December 5, 2018, accessed on June 7, 2019 .
  7. a b c Jürgen Schmidt: Attention dynamite phishing: Dangerous Trojan wave Emotet paralyzes entire companies. In: heise Online. Heise online , December 5, 2018, accessed June 8, 2019 .
  8. a b Jürgen Schmidt: Emotet at Heise. In: heise online . June 6, 2019, accessed June 6, 2019 .
  9. ^ Markus Böhm: Trojan attack on the Berlin Supreme Court. In: Spiegel Online . October 4, 2019, accessed October 10, 2019 .
  10. Trojan attack on the Berlin Supreme Court with more consequences than expected. In: Spiegel Online . January 27, 2020, accessed January 27, 2020 .
  11. DER SPIEGEL: Bundestag chauffeur service was attacked with ransomware - DER SPIEGEL - Netzwelt. Retrieved August 20, 2020 .
  12. Federal Criminal Police Office: The world's most dangerous malware rendered harmless. In: tagesschau.de. January 27, 2021, accessed January 27, 2021 .
  13. a b c d Hauke ​​Gierow: Emotet: G DATA explains the all-purpose cybercrime weapon. In: G DATA Blog. G Data Antivirus , January 23, 2019, accessed June 8, 2019 .
  14. a b c Information pool - measures to protect against Emotet and dangerous e-mails in general. In: allianz-fuer-cybersicherheit.de. BSI , accessed on June 11, 2019 .
  15. Cryptolaemus Pastedump. Retrieved January 7, 2020 .
  16. Trojan.Emotet. In: Blog. Malwarebytes Labs, accessed June 9, 2019 .