Infected emails, Italian Government warns citizens

The Italian Government's Computer Security Incident Response Team raises the alarm: Emotet malware is circulating again

A wave of infected emails is flooding Italian inboxes. The Italian Government, through the CSIRT (Computer Security Incident Response Team), has told citizens how the campaign is spreading and which good practices to follow when handling email, so as to keep users out of harm's way.

According to the CSIRT, the culprit at the center of the malspam campaign is a face already familiar to security experts: the Emotet malware, first detected in 2014 and also known as Geodo and Mealybug. Born as a trojan for stealing banking credentials, Emotet has grown over time to become one of the top cyber threats of 2019. The first to detect the infected emails and break the news was JAMESWT, a threat hunter who also documented the devious process Emotet follows to spread onto the computers of well-meaning or less computer-literate users, who with a few inadvertent clicks could start the infection on their own machines.

Infected emails: how Emotet works

The way Emotet works is devious, and that is why it can prove particularly dangerous. The vehicle of the malware is a password-protected .zip attachment received via email. The accompanying message is very short and contains only a fictitious name and the numeric password needed to open the archive.

Once unpacked, the archive contains a Word file that asks the recipient to enable a macro in order to work; enabling it starts the infection by running PowerShell code. Once activated, Emotet is downloaded onto the computer through a connection to the Epoch 1 botnet, which cyber criminals use to operate illegally behind the backs of unsuspecting users.
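As an added illustration from the defender's side (example code written for this article, not tooling from the CSIRT or from JAMESWT), the Python triage routine below flags the lure pattern just described in a mail-gateway or mailbox scan: a password-protected .zip attachment, a Word document inside it, and a short body carrying only a name and a numeric password. The sample message, names and addresses are constructed; no real malware is involved.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

ENCRYPTED_FLAG = 0x1                           # zip general-purpose bit 0: entry is password-protected
PASSWORD_TOKEN = re.compile(r"\b\d{3,12}\b")   # a bare numeric password in the message body

def zip_findings(data: bytes) -> tuple[bool, bool]:
    """(encrypted, contains Word doc): the central directory stays readable even when entries are encrypted."""
    infos = zipfile.ZipFile(io.BytesIO(data)).infolist()
    return (any(i.flag_bits & ENCRYPTED_FLAG for i in infos),
            any(i.filename.lower().endswith((".doc", ".docm")) for i in infos))

def triage_message(raw: bytes) -> list[str]:
    """Return the reasons an e-mail matches the lure: encrypted zip plus a short body with a numeric password."""
    msg = message_from_bytes(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip() if body_part else ""
    short_numeric_body = len(body) < 80 and PASSWORD_TOKEN.search(body) is not None
    reasons = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not name.endswith(".zip"):
            continue
        encrypted, word_lure = zip_findings(part.get_payload(decode=True))
        if encrypted and short_numeric_body:
            reasons.append(f"{name}: password-protected zip with the password in a short body")
        if word_lure:
            reasons.append(f"{name}: archive contains a Word document (macro lure)")
    return reasons

def build_sample() -> bytes:
    """Constructed sample mimicking the campaign's shape; the archive holds a harmless placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Documento.doc", b"placeholder, not a real document")
    data = bytearray(buf.getvalue())
    # Mark the only entry as password-protected: the flag word sits at offset 6 of the
    # local header (PK\x03\x04) and at offset 8 of the central directory record (PK\x01\x02).
    data[data.find(b"PK\x03\x04") + 6] |= ENCRYPTED_FLAG
    data[data.find(b"PK\x01\x02") + 8] |= ENCRYPTED_FLAG
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "mario@example.invalid", "anna@example.invalid", "Documento"
    msg.set_content("Mario Rossi\n384215")   # fictitious name plus numeric password, nothing else
    msg.add_attachment(bytes(data), maintype="application", subtype="zip", filename="Documento.zip")
    return msg.as_bytes()
```

Running `triage_message(build_sample())` returns two reasons for the constructed message; on real traffic the routine is a heuristic to prioritise analyst review, not a verdict on its own.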

Emotet: how to fight it

To avoid the risk of Emotet infection, the CSIRT has published indicators of compromise (IoCs) to be loaded into security devices. This would allow more experienced users to avoid problems, at least until the next evolution of the malicious file.

For less experienced users, however, there is only one golden rule: do not open attachments from unknown senders, and do not approve prompts from the computer unless you know, or have been told beforehand, what is triggered by what may look at first sight like a simple click.