
BSI: Emotet attacks rising


The BSI in Germany is urging companies and citizens to be aware of an advanced persistent threat that uses the Emotet malware. The BSI has observed that fake e-mails sent in the name of colleagues, business partners or acquaintances carry the Emotet malware.

The Emotet malware is capable of affecting entire networks once it has breached an environment.


What is Emotet and what makes this malicious software so dangerous?

Behind Emotet are cyber criminals who have adapted and automated the methods of highly professional APT attacks. Through so-called "Outlook Harvesting", Emotet is able to send authentic-looking spam mails.

The malware reads contact relationships and, for some weeks now, also e-mail content from the mailboxes of already infected systems. It automatically uses this information in subsequent spam campaigns, so that recipients receive fake e-mails from senders with whom they have recently been in contact.

Emotet also has the ability to download further malicious software as soon as it infects a computer. These malicious programs allow attackers to read out credentials and gain complete remote access to the system.

Most recently, the banking Trojan "Trickbot" was downloaded; among other things, it can spread independently within a network by reading out credentials (Mimikatz) and exploiting SMB vulnerabilities (EternalBlue / EternalRomance).

Depending on the network configuration, this has led to the failure of entire corporate networks. Because of constant modifications, the malicious programs are initially not detected by standard antivirus products, and they make profound changes to infected systems. Cleanup attempts are usually unsuccessful and carry the risk that parts of the malware remain on the system.

Fake e-mails in the name of colleagues, business partners or acquaintances, and malicious software that paralyzes entire corporate networks: Emotet is considered one of the most dangerous malware threats worldwide and, through the downloading of further malicious programs, is currently causing high damage in Germany.

The Federal Office for Information Security (BSI) has received a conspicuous accumulation of reports on serious IT security incidents related to Emotet in recent days.


In individual cases, the entire IT infrastructure of the affected organisations has failed and critical business processes have been restricted, causing millions of dollars worth of damage.

Emotet continues to be distributed through large-scale spam campaigns, posing an acute threat to businesses, government agencies and home users.

Outlook harvesting by Emotet

Through so-called "Outlook Harvesting", Emotet is able to send authentic-looking spam mails. To do so, the malware reads contact relationships and, recently, also e-mail content from the mailboxes of already infected systems. The perpetrators use this information to further spread the malicious program in subsequent spam campaigns, so that recipients receive fake e-mails from senders with whom they have recently been in contact.


The BSI therefore expects a further increase in well-crafted, automated social engineering attacks of this kind, which are barely identifiable as such by the recipient. This method is also suitable for highly specialised spear-phishing attacks on particularly high-value targets.

How can organizations protect themselves from Emotet?

Although there can be no one hundred percent security, there are a number of protective measures that can be implemented at both the organisational and technical level and that significantly reduce the risk of infection. These include, in particular, measures for the secure use of e-mail. In case of doubt, discuss the feasibility of these steps with your IT department or IT service provider.

The following measures MUST be implemented within the IT infrastructure from the point of view of the BSI:

  • Regular information and awareness training for users about the dangers of e-mail attachments and links, including the advice that, even with supposedly known senders (see also fake sender addresses), attachments, links and files downloaded via them should in case of doubt only be opened after consulting the sender (and in particular no Office documents). Users should immediately report any anomalies to IT operations and the IT security officer.
  • Timely installation of the security updates provided by manufacturers for operating systems and application programs (particularly web browsers, browser plugins, e-mail clients, Office applications and PDF viewers), ideally automated via a central software distribution system.
  • Use of centrally administered antivirus software, with regular checks that AV signature updates are successfully rolled out to all clients.
  • Regular multi-level backups, especially offline backups. A backup always includes planning for recovery and a test of restoring the data.
  • Regular manual monitoring of log data, ideally supplemented by automated monitoring with alerts for serious anomalies.
  • Network segmentation (separation of client/server/domain controller networks and production networks, each with isolated administration) by different trust zones, application areas and/or regions.
  • Errors by internal users pose the greatest threat. All user accounts must therefore have only the minimum permissions required to complete their tasks.
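As an added example (not code from the BSI advisory or this post), the "fake sender addresses" and "no Office documents" advice above can be turned into a mail-gateway triage check that flags the Outlook Harvesting pattern described earlier: a known colleague's display name on a foreign address, a reply inside an existing thread, and an Office attachment. The contact directory, the domains and the sample message are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed placeholder directory of known colleagues (display name -> address);
# in practice this comes from the address book or the mail gateway.
KNOWN_CONTACTS = {"Anna Schmidt": "anna.schmidt@example-corp.test"}
OFFICE_EXT = re.compile(r"\.(docx?|docm|xlsx?|xlsm)$", re.IGNORECASE)

# Constructed sample: a colleague's display name on a foreign address, a reply
# inside an existing thread, and an Office attachment.
SAMPLE = """\
From: Anna Schmidt <anna.schmidt@mail-provider.test>
Subject: AW: Rechnung Q3
In-Reply-To: <1234@example-corp.test>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hallo Max, anbei die Rechnung.
--b1
Content-Type: application/msword; name="Rechnung.doc"
Content-Disposition: attachment; filename="Rechnung.doc"

AAAA
--b1--
"""

def score_message(raw: str) -> dict:
    """Return the heuristics that fire for one RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    findings = []
    # 1. Display name of a known contact, but not that contact's address
    expected = KNOWN_CONTACTS.get(name.strip())
    if expected and addr.lower() != expected.lower():
        findings.append("display-name impersonation")
    # 2. Looks like a reply inside an existing (harvested) conversation
    subject = msg.get("Subject", "").lower()
    if msg.get("In-Reply-To") or subject.startswith(("re:", "aw:", "wg:", "fw:")):
        findings.append("thread hijack pattern")
    # 3. Office document attached (the advisory's "no Office documents" note)
    for part in msg.walk():
        filename = part.get_filename()
        if filename and OFFICE_EXT.search(filename):
            findings.append("office attachment: " + filename)
    # Two or more independent signals: hold for review instead of delivering
    return {"from": addr, "findings": findings, "hold": len(findings) >= 2}
```

A single signal alone (a genuine reply from a colleague, or a legitimate invoice) does not trigger the hold; the combination is what mirrors the campaign pattern.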
