Emotet, the banking malware that empties your account, is active again in Italy

A cybersecurity researcher confirms a new Emotet campaign in Italy: here's what you need to know about the virus that steals money from your bank account.

Security researcher JAMESWT, in a tweet a few hours ago, announced having once again intercepted the very dangerous Russian banking trojan Emotet, a malware that has already attacked several bank accounts in the past months. The campaign has been running in Italy for a few days and is very dangerous.

The infection mechanism is similar to attacks already seen: it starts with a phishing email sent from a real but compromised email address, which carries an attachment containing a script that downloads the virus from the Epoch 2 botnet of zombie computers. Similar attacks using the same technique are also under way in other countries besides Italy, a sign that the cyber criminals running these campaigns have been more active than ever in recent months, after a short pause over the summer.

Emotet: how it works

JAMESWT has shown some screenshots of the email messages from which the infection starts. They come from apparently real and legitimate addresses, but are actually sent from infected computers and contain an attachment in password-protected ZIP format (the password is included in the body of the message).

The text of the message, written in good Italian with no grammatical errors, exploits the tension created by the difficult moment Italians are living through because of the Covid-19 pandemic. The message shown by the researcher reads: "Good afternoon, I went to the John Paul I laboratory to inquire about the swab: you have to be there early in the morning at 6.30, because they open at 7 and the line is long. I could not do more, I'm sorry. I enclose the commitment of expenditure. Waiting to hear from you again".

The message, as is clear to everyone, is well crafted, relies on social engineering techniques and could be credible to many of the people who receive it, who could fall for it and open the zip file. Inside the zip file is a Microsoft Word document with some English text (this part of the attack apparently has not been localized for Italy) that invites the user to update Word.

In fact, when the Word file is opened, a script runs that downloads the actual virus from a list of servers located in different countries around the world.
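As an added example (not from the article or the researcher), the following Python triage routine checks a raw email for the three traits of the chain described above: a ZIP attachment whose entries carry the encryption flag, an Office document inside that archive, and a password quoted in the message body. The sample message, file names, sender addresses and the password pattern are constructed placeholders, not real campaign artifacts.

```python
import email, email.policy, io, re, zipfile
from email.message import EmailMessage

OFFICE_EXT = (".doc", ".docm", ".docx", ".xls", ".xlsm")
# Assumed pattern for a password quoted in the body ("password: X", "password is X").
PASSWORD_RE = re.compile(r"\bpassword\b\s*(?:is|:|=)?\s*([^\s.,;]{4,})", re.IGNORECASE)

def zip_inventory(blob: bytes) -> dict:
    """Read only the central directory: names and the ZipCrypto flag need no password."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        infos = zf.infolist()
    return {"encrypted": any(i.flag_bits & 0x1 for i in infos),
            "office_docs": [i.filename for i in infos
                            if i.filename.lower().endswith(OFFICE_EXT)]}

def triage(raw_eml: bytes) -> dict:
    """Score one raw RFC 5322 message; all three signals together mark it suspicious."""
    msg = email.message_from_bytes(raw_eml, policy=email.policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    result = {"password_candidates": PASSWORD_RE.findall(text),
              "encrypted": False, "office_docs": []}
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() == "application/zip" or name.endswith(".zip"):
            inv = zip_inventory(part.get_payload(decode=True))
            result["encrypted"] |= inv["encrypted"]
            result["office_docs"] += inv["office_docs"]
    result["suspicious"] = bool(result["encrypted"] and result["office_docs"]
                                and result["password_candidates"])
    return result

def build_sample() -> bytes:
    """Constructed mail mimicking the described chain (placeholder content only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("impegno_di_spesa.doc", b"constructed placeholder, not a real document")
    blob = bytearray(buf.getvalue())
    # zipfile cannot write encrypted archives, so set the ZipCrypto flag (bit 0 of
    # the general-purpose flags) by hand in the local (offset 6) and central (offset 8) headers.
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        blob[blob.find(sig) + off] |= 0x01
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "collega@example.com", "me@example.com", "Tampone"
    msg.set_content("Ti allego l'impegno di spesa. Password: Allegato2020")
    msg.add_attachment(bytes(blob), maintype="application", subtype="zip",
                       filename="documento.zip")
    return bytes(msg)
```

Run `triage(build_sample())` to see all three signals fire on the constructed sample; the central directory of a ZIP is readable without the password, so the check works before anyone types it in.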

Emotet: why it is dangerous

Emotet, also known as Geodo or Mealybug, has since its inception in 2014 aimed at stealing millions of bank credentials from as many unsuspecting users, who, as a result of the infection, saw money leave their bank accounts without apparent explanation.

This malware is in fact capable of stealing the credentials of online bank accounts, both by spying on the user while they are entered and by searching for them in files on the computer. A second dangerous feature of the latest versions of Emotet is that it turns the infected computer into a zombie machine, enrolled in one of the three botnets available to the virus: Epoch 1, Epoch 2 and Epoch 3. From these networks of infected computers further phishing emails are sent, and the virus continues to propagate.

Emotet: how to defend yourself

The resurgence of Emotet attacks is by now a fixture of autumn and, in particular, of the run-up to the Christmas season: it happened in 2017, 2018 and 2019, and this year was no exception. Emotet had recently returned to hit Italy at the end of August and, a month later at the end of September, even the Italian Government's Computer Security Incident Response Team issued a specific alert about this virus.

Since the attack methods are always very similar, it is good to pay attention to a few fundamental things. The first is to always avoid downloading attachments from addresses we do not know or that, even if they belong to people we know, would have no reason to send us that file.

The second is not to click on any link, either inside the emails or inside any files we may have downloaded. The third, though it should really come first, is that we should always use a good-quality antivirus, constantly updated with the latest monthly definitions of known malware.