How to deal with Emotet malware

2019.12.4

  • Currently, Emotet infections are being caused by opening a Word file attached to an e-mail and clicking "Enable Content".

  • Please make sure that automatic execution of Word macros is disabled.

    • In Word, select the "File" tab - "Options" - "Trust Center" - "Trust Center Settings" - "Macro Settings" and choose "Disable all macros with notification". (Microsoft reference information)

  • In addition to indiscriminately distributed attack e-mails, attack e-mails that pretend to be replies from acquaintances, business partners, etc. have been confirmed. These e-mails reuse the contents of actual e-mail exchanges between organizations. Please do not open attached Word files even if the e-mail comes from an acquaintance, business partner, etc. If you really need to open one, do not click "Enable Content".

  • As a countermeasure against ransomware, it is recommended to take a backup and keep the backup media disconnected from the computer.
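An added example (not part of the original notice) that audits, for the current user, the macro setting the instructions above ask for. Word and Excel store the "Macro Settings" choice as the registry value VBAWarnings; the Office version list and the treatment of any value other than 1 as acceptable are assumptions.

```powershell
# Added example, not from the original notice: audit the Office "Macro Settings"
# choice for the current user. Word and Excel store it as the DWORD VBAWarnings
# under HKCU:\Software\Microsoft\Office\<version>\<app>\Security:
#   1 = Enable all macros                          (macros run with no prompt)
#   2 = Disable all macros with notification       (the setting the notice asks for)
#   3 = Disable all macros except digitally signed macros
#   4 = Disable all macros without notification
# A value under HKCU:\Software\Policies\... set by Group Policy overrides the user
# value. The version list and "anything but 1 is acceptable" are assumptions.
$Versions = @('16.0', '15.0')        # Office 2016/2019/365 = 16.0, Office 2013 = 15.0
$Apps     = @('Word', 'Excel')
$Meaning  = @{
    1 = 'Enable all macros'
    2 = 'Disable all macros with notification'
    3 = 'Disable all macros except digitally signed macros'
    4 = 'Disable all macros without notification'
}

function Get-VbaWarnings {
    param([string]$Hive, [string]$Version, [string]$App)
    $path = "$Hive\Microsoft\Office\$Version\$App\Security"
    if (-not (Test-Path $path)) { return $null }
    $item = Get-ItemProperty -Path $path -Name VBAWarnings -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.VBAWarnings
}

foreach ($version in $Versions) {
    foreach ($app in $Apps) {
        # The policy value wins if present; otherwise use what the user chose in Options.
        $policy = Get-VbaWarnings -Hive 'HKCU:\Software\Policies' -Version $version -App $app
        $user   = Get-VbaWarnings -Hive 'HKCU:\Software'          -Version $version -App $app
        $effective = if ($null -ne $policy) { $policy } else { $user }
        if ($null -eq $effective) {
            # Key absent: the app may not be installed, or the default was never changed.
            Write-Output "$app $version : VBAWarnings not set (Office default is 2, disable with notification)"
            continue
        }
        $label  = if ($Meaning.ContainsKey($effective)) { $Meaning[$effective] } else { "unknown value $effective" }
        $source = if ($null -ne $policy) { 'policy' } else { 'user' }
        # Only value 1 lets a macro run without any prompt; 2 or stricter is acceptable here.
        $status = if ($effective -eq 1) { 'FAIL' } else { 'OK' }
        Write-Output "$status  $app $version : $label ($source)"
    }
}
```

Run it in a PowerShell session of the user whose Office settings you want to check; a FAIL line means macros in a document would run without the "Enable Content" prompt at all.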

(2020.9.9 Added)

  • Until now, a Word file that causes Emotet infection was attached to the e-mail, but a new case has been confirmed in which a password-protected zip file is attached and the password is written in the e-mail body. Because the e-mail system's antivirus function cannot inspect the encrypted contents, please be aware that such attachments may be delivered without being detected.

  • If you suspect that your PC is infected with Emotet, please use "EmoCheck", the Emotet infection check tool released by JPCERT/CC.

(2021.12.1 Added)

  • The Information-technology Promotion Agency (IPA), an independent administrative agency, has warned that signs of a resumption of Emotet attack activity have been confirmed.

  • Be careful not to click the "Enable Editing" and "Enable Content" buttons unless you can trust the Office document file you received by e-mail.

  • Be especially careful when opening macro-enabled files (.docm and .xlsm) and password-protected ZIP files, even if the e-mail appears to come from a related agency.

(2022.3.7 Added)

(2022.4.25 Added)

(2022.4.26 Added)

  • Since around April 25, 2022, e-mails that lead to Emotet infection through a shortcut file (LNK file), or through a password-protected zip file containing such a shortcut, have been observed. Executing the shortcut drops and executes a script file that downloads and installs Emotet.

  • This new method may have been introduced so that infection no longer requires e-mail recipients to enable macros or content in Microsoft Word or Excel.

(2022.5.20 Added)

(2022.5.24 Added)

(2022.5.27 Added)

(Reference Information)