After two months of silence, the Emotet banking trojan is back, together with another highly dangerous piece of malware, TrickBot, in a phishing campaign that also targets Italy.
Seven weeks: that is how long the truce lasted for bank accounts, the favourite target of Emotet, the now well-known malware spread through massive campaigns of malicious phishing emails. The truce ended right before Christmas: researchers at Cofense intercepted a strong resumption of the phishing campaign, with more than 100,000 emails sent per day. The emails are written in English, German, Spanish and, unfortunately, Italian too.
Born in 2014 as a "simple" banking trojan, Emotet has since been refined considerably and today can do far more damage than in the past, partly because once it is running it downloads additional malware. According to researchers, at the moment Emotet is dropping TrickBot, another well-known and dangerous malware family whose main purpose is to attack the user's bank account. Both families therefore share the same target, and the strategy is clear: the attackers play several cards at once in order to steal your money.
Emotet and TrickBot: what you risk
Emotet is also tracked as Geodo (an alias for the same malware family; Mealybug is the name some vendors give to the group behind it) and it is a powerful spying tool: once it is on the computer, it searches for personal information, especially saved login credentials (usernames and passwords) for websites.
If the same computer is used for online banking, Emotet can harvest those credentials too, with the consequences everyone can guess: it sends them to its command-and-control server, that is, to the operators, who then use them to log in to the account and start transfers to empty it.
Once it has infected a computer, Emotet also turns it into a zombie under its control by enrolling it in a botnet: a network of compromised machines from which further emails are sent to spread the infection. The Emotet botnets are tracked as Epoch 1, Epoch 2 and Epoch 3.
TrickBot is perhaps even more dangerous than Emotet: it is a sophisticated trojan first seen in 2016 as banking malware that, like Emotet, enrols infected computers in a botnet. In addition, it has gained a module that reaches down to the PC's UEFI/BIOS firmware: it checks whether the firmware's flash memory has been left writable, which is the precondition for infecting it.
UEFI (or the legacy BIOS on older machines) is the firmware stored in a flash chip on the motherboard; it runs as soon as the machine is powered on, initializes the hardware and hands control to the operating system's boot loader. Malware that implants itself in the firmware therefore runs long before the operating system and before any antivirus, and it survives reinstalling the OS or replacing the disk.
How to defend yourself against Emotet and TrickBot
The new Emotet/TrickBot campaign, like all the previous ones, is run through mass mailings of phishing emails that invite the user to download a file or click a link. The attachments are almost always Microsoft Office documents (usually Word files) which, as soon as they are opened, ask the user to enable macros.
If the user complies, the game is over: the macro runs a script (in Emotet's case usually an obfuscated PowerShell command) that starts the Emotet infection, and Emotet then connects to the Internet to download TrickBot as well. Once inside, the two pieces of malware have free rein, with the consequences described above.
The only real defence against Emotet and TrickBot, beyond keeping a good antivirus installed and up to date, is not to fall for the phishing in the first place: never open the attachment and never click the link unless you are certain the email is legitimate. Since the macro is the whole entry point, managed Windows fleets should also block it centrally: Office's "Block macros from running in Office files from the Internet" group policy prevents documents that arrived by email or download from ever offering the enable-macros button, so a careless click no longer matters.
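The check a mail gateway or SOC analyst would run against exactly this lure, as an added example (this is not code from the article, from Cofense, or from the malware authors): given an attachment's filename and raw bytes, decide whether it is an Office document carrying a VBA project, i.e. one that will ask the recipient to enable macros. It inspects only the bytes, so it works offline and without Office. The OOXML case is exact (a macro-enabled package always contains a `vbaProject.bin` part); the legacy `.doc` case uses a heuristic on the UTF-16LE storage names that a VBA project leaves in an OLE2 file, and the sample files are constructed in memory purely as test fixtures. Filenames such as `Rechnung_2020.docm` are made up.

```python
"""Attachment triage for macro-bearing Office documents (added example)."""
import io
import zipfile
from dataclasses import dataclass

# Container magic numbers, as defined by the file-format specifications.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # legacy .doc/.xls (CFB/OLE2)
ZIP_MAGIC = b"PK\x03\x04"                            # OOXML .docm/.docx/.xlsm

# Directory-entry names are stored as UTF-16LE inside a CFB file, so a VBA
# project in a legacy .doc shows up as these byte patterns. Heuristic, not exact.
OLE_VBA_MARKERS = [s.encode("utf-16-le") for s in ("Macros", "VBA", "_VBA_PROJECT")]

# Office never runs macros from these extensions, so a VBA project inside one
# means the file was renamed to look harmless.
MACRO_FREE_EXTENSIONS = {".docx", ".xlsx", ".pptx"}


@dataclass
class Verdict:
    container: str      # "ooxml", "ole2" or "other"
    has_vba: bool
    reasons: list


def inspect_attachment(filename: str, data: bytes) -> Verdict:
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    reasons = []

    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return Verdict("other", False, ["zip header but unreadable archive"])
        vba_parts = sorted(n for n in names if n.lower().endswith("vbaproject.bin"))
        has_vba = bool(vba_parts)
        if has_vba:
            reasons.append(f"OOXML package contains {vba_parts[0]}")
            if ext in MACRO_FREE_EXTENSIONS:
                reasons.append(f"VBA project inside a {ext} (macro-free) extension")
        return Verdict("ooxml", has_vba, reasons)

    if data.startswith(OLE_MAGIC):
        hits = [m for m in OLE_VBA_MARKERS if m in data]
        has_vba = len(hits) >= 2          # two markers required to limit false positives
        if has_vba:
            reasons.append("legacy OLE2 document with VBA storage names")
        return Verdict("ole2", has_vba, reasons)

    return Verdict("other", False, reasons)


def build_sample_docm(with_macro: bool) -> bytes:
    """Constructed minimal OOXML package (test fixture, not a real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 64)   # placeholder project
    return buf.getvalue()


def build_sample_doc(with_macro: bool) -> bytes:
    """Constructed stand-in for a legacy .doc: CFB magic plus directory names."""
    body = OLE_MAGIC + b"\x00" * 504
    if with_macro:
        body += b"".join(OLE_VBA_MARKERS)
    return body


if __name__ == "__main__":
    samples = [("Rechnung_2020.docm", build_sample_docm(True)),
               ("fattura.doc", build_sample_doc(True)),
               ("report.docx", build_sample_docm(False))]
    for name, blob in samples:
        v = inspect_attachment(name, blob)
        print(f"{name}: container={v.container} vba={v.has_vba} {'; '.join(v.reasons)}")
```

A gateway would quarantine anything with `has_vba` set and alert on the renamed-extension case; on real files, replace the OLE2 heuristic with a proper CFB directory parser (for example the `olefile` library) if false positives on documents that merely mention "Macros" in their text become a problem.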