How to deal with Emotet Malware
(References)
Alert Regarding Re-emergence of Emotet Malware Infection Activities (JPCERT/CC 2022/05/27 Updated)
How to Respond to Emotet Infection (FAQ) (JPCERT/CC)
Tool “EmoCheck” to check whether a device is infected with Emotet (JPCERT/CC)
2019/12/04
Currently, cases have been confirmed in which opening a Word file attached to an e-mail and clicking "Enable Content" causes Emotet malware infection.
Please make sure that automatic execution of Word macros is disabled.
In Word, select the "File" tab - "Options" menu - "Trust Center" - "Trust Center Settings" - "Macro Settings" and select "Disable all macros with notification". (Microsoft reference information)
In addition to indiscriminate mass-mailed attack e-mails, attack e-mails that pretend to be replies from acquaintances, business partners, etc. have been confirmed. These e-mails reuse the contents of actual e-mail exchanges between organizations. Please do not open the attached Word files even if the e-mails come from acquaintances, business partners, etc. If you really need to open them, please do not click "Enable Content".
As a countermeasure against ransomware, it is recommended to take a backup and keep the backup medium disconnected from the computer.
(2020/09/09 Added)
Up until now, a file in Word format that causes Emotet infection was attached to the e-mail, but a new case has been confirmed in which a password-protected zip file is attached and the password is written in the e-mail text. Please be aware that such an attachment may reach you without being detected by the antivirus function of the e-mail system.
If you suspect that your PC is infected with Emotet, please use the Emotet infection check tool "EmoCheck" released by JPCERT/CC.
(2021/12/01 Added)
Information-technology Promotion Agency (IPA), an independent administrative agency, has warned that signs of resumption of Emotet's attack activities have been confirmed.
Be careful not to click the "Enable Editing" and "Enable Content" buttons unless you can trust the Office document files you received via email.
Be especially careful when opening macro files (.docm and .xlsm files) and password-protected ZIPs, even if the email appears to come from a related agency.
(2022/03/07 Added)
EmoCheck version v2.1 has been released. If an older version did not detect Emotet, please re-check with the latest version just in case.
(2022/04/25 Added)
EmoCheck version v2.2 has been released. If an older version did not detect Emotet, please re-check with the latest version just in case.
(2022/04/26 Added)
From around April 25, 2022, emails carrying a shortcut file (LNK file), or a password-protected ZIP file containing such a shortcut file, that lead to Emotet infection have been observed. Executing the shortcut drops and runs a script file that downloads and installs Emotet.
The new method may have been introduced to infect devices without requiring email recipients to enable macros or content in Microsoft Word or Excel.
(2022/05/20 Added)
EmoCheck version v2.3 has been released. If an older version did not detect Emotet, please re-check with the latest version just in case.
(2022/05/24 Added)
EmoCheck version v2.3.1 has been released. If an older version did not detect Emotet, please re-check with the latest version just in case.
(2022/05/27 Added)
EmoCheck version v2.3.2 has been released. If an older version did not detect Emotet, please re-check with the latest version just in case.
(2022/11/07 Added)
Since 2022/11/02, emails leading to Emotet infection have been observed again. Please be careful.
(2023/03/09 Added)
Since 2023/03/07, emails leading to Emotet infection have been observed again. Please be careful.
Changes in the distribution method have also been confirmed: for example, extracting the ZIP archive attached to an email yields a doc file exceeding 500MB. The file size is thought to be inflated so that Emotet avoids detection by anti-virus software and similar products.
(2023/03/17 Added)
Emails with attachments in Microsoft OneNote format that lead to Emotet infection have been observed.
If you click the button shown on screen after opening the file, the script hidden behind the button runs, which may lead to Emotet infection.
Even emails that appear to be business-related messages from business partners, acquaintances, etc. may be emails or attachments that lead to Emotet infection. Please take measures such as confirming with the sender by a reliable method before opening an attached file or link.
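The following attachment triage routine is an added example, not part of this advisory or of JPCERT/CC's tools. It reads only the directory of a ZIP attachment, never extracting a member, and flags the delivery methods described in the entries above: password-protected entries, LNK files, macro-enabled Office files, OneNote files, and documents padded beyond 500MB. The compression-ratio heuristic, the sample archive and the lowered threshold used in the demonstration are assumptions.

```python
import io
import zipfile
from dataclasses import dataclass

# Figure from the 2023/03/09 entry: documents padded beyond 500MB
PADDED_SIZE_BYTES = 500 * 1024 * 1024
# Assumed heuristic: zero-padded documents compress far better than real ones
PADDING_RATIO = 50.0
OFFICE_DOCS = {".doc", ".docx", ".xls", ".xlsx"}

@dataclass
class Finding:
    member: str
    reason: str

def triage_zip(data: bytes, size_threshold: int = PADDED_SIZE_BYTES) -> list:
    """Flag ZIP members matching the delivery methods in the entries above.
    Only the central directory is read; no member is extracted or run."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
            if info.flag_bits & 0x1:  # general-purpose bit 0: entry is encrypted
                findings.append(Finding(name, "password-protected entry"))
            if ext == ".lnk":
                findings.append(Finding(name, "shortcut (LNK) file"))
            elif ext in {".docm", ".xlsm"}:
                findings.append(Finding(name, "macro-enabled Office file"))
            elif ext == ".one":
                findings.append(Finding(name, "OneNote file"))
            elif ext in OFFICE_DOCS and info.file_size > size_threshold:
                ratio = info.file_size / max(info.compress_size, 1)
                if ratio > PADDING_RATIO:
                    findings.append(Finding(name, f"padded document ({ratio:.0f}x compressible)"))
    return findings

def build_sample() -> bytes:
    """Constructed sample: a zero-padded .doc and a .lnk, as in the entries above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.doc", b"\xd0\xcf\x11\xe0" + b"\x00" * (2 * 1024 * 1024))
        zf.writestr("invoice.lnk", b"L\x00\x00\x00")
    return buf.getvalue()

if __name__ == "__main__":
    # Threshold lowered to 1MB so the constructed sample triggers the padding check
    for f in triage_zip(build_sample(), size_threshold=1024 * 1024):
        print(f.member, "->", f.reason)
```

In a mail gateway the same function can run on every ZIP before delivery, with the 500MB default kept as the padding threshold.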
(2023/04/03 Added)
EmoCheck version v2.4.0 has been released. If an older version did not detect Emotet, please re-check with the latest version just in case.