We have heard a lot about various widely distributed malware families, and the Emotet Trojan is one of them. Emotet is currently one of the most active. It spreads through phishing emails with malicious Word document attachments. These emails may pose as shipping notices, holiday party invites, invoices, or even information about the Coronavirus, in the hope that you will be enticed or tricked into opening the attachment. Emotet is only the first stage of a longer infection chain. A new utility named EmoCheck, released by JPCERT (the Japan Computer Emergency Response Team), allows Windows users to easily check whether they are infected with the Emotet Trojan. It examines the computer for signs of an Emotet infection and works significantly well.
Once installed, Emotet uses the infected computer to send further spam to other potential victims, and it may also download other malware onto the computer. Emotet is especially dangerous because it usually downloads and installs the TrickBot banking Trojan. TrickBot steals saved cookies, credentials, SSH keys, browser history and much more, and then spreads to other computers on the network. If the network is of high value, TrickBot will also open a reverse shell back to the Ryuk ransomware operators, who encrypt the network as the final payload.
Because of this severity, EmoCheck is very useful: it lets victims quickly find and remove the Emotet Trojan before it can download and install other malware onto the infected computer. Once Emotet is on a device, it not only loads TrickBot; that spyware also spies on online banking access data. The BSI warns that Emotet also increases the chances of encryption and, in addition, may delete backups if it finds them. Consequently, it increases the willingness of the blackmailed victims to pay. The spam emails look authentic because they reuse information and relationships taken from other emails, which is why this email spam is so successful.
How to check for the Emotet Trojan using EmoCheck?
Using the EmoCheck tool is quite easy. When Emotet is installed by a malicious attachment, it is first stored in a semi-random folder under %LocalAppData%. The folder is semi-random because its name does not use truly random characters; instead it is built out of two keywords from a fixed list: bid, format, thrd, taskmgr, timeout, vmd, ctl, bta, shlp, duck, mfidl, targets, ptr, khmer, purge, metrics, acc, inet, msra, query, roam, etw, mexico, basic, url, createa, blb, pal, cors, send, devices, radio, avi, exce, dbt, pfx, rtp, edge, mult, clr, wmistr, ellipse, vol, cyan, ses, guid, symbol, driver, sidebar, restore, msg, volume, cards, shext, wce, wmp, dvb, elem, channel, space, digital, pdeft, violet, thunk. For example, Emotet can be installed under a ‘channelspace’ or ‘symbolguid’ folder; each of these names is a combination of two keywords from the list above.
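As an added example (not part of the original article and not JPCERT's EmoCheck code), here is a Python check that applies the naming heuristic just described: it lists the folders directly under %LocalAppData% and flags any whose name is exactly two keywords from the list concatenated. The keyword list is the one given above; the function names and the sample folder listing are my own constructions. A name match on its own is only an indicator and should be confirmed with the real tool or by inspecting the folder's contents.

```python
import os
from typing import Dict, Iterable, Optional, Tuple

# Keyword list reproduced from the article: Emotet's install folder under
# %LocalAppData% is named by concatenating two of these words.
EMOTET_KEYWORDS = frozenset("""
bid format thrd taskmgr timeout vmd ctl bta shlp duck mfidl targets ptr khmer
purge metrics acc inet msra query roam etw mexico basic url createa blb pal
cors send devices radio avi exce dbt pfx rtp edge mult clr wmistr ellipse vol
cyan ses guid symbol driver sidebar restore msg volume cards shext wce wmp dvb
elem channel space digital pdeft violet thunk
""".split())


def split_into_keywords(name: str) -> Optional[Tuple[str, str]]:
    """Return (first, second) if `name` is exactly two keywords joined
    together (case-insensitive), otherwise None. A single keyword by itself
    does not qualify, because the pattern always uses two."""
    lowered = name.lower()
    # Try every split point; both halves must be keywords from the list.
    for i in range(1, len(lowered)):
        head, tail = lowered[:i], lowered[i:]
        if head in EMOTET_KEYWORDS and tail in EMOTET_KEYWORDS:
            return head, tail
    return None


def find_suspicious_dirs(names: Iterable[str]) -> Dict[str, Tuple[str, str]]:
    """Map each folder name matching the two-keyword pattern to its split.
    Works on plain names so it can be exercised on a constructed list offline."""
    hits: Dict[str, Tuple[str, str]] = {}
    for name in names:
        parts = split_into_keywords(name)
        if parts is not None:
            hits[name] = parts
    return hits


def scan_localappdata() -> Dict[str, Tuple[str, str]]:
    """Run the check over the directories directly under %LocalAppData%.
    Returns an empty dict when the variable is unset (e.g. on non-Windows)."""
    base = os.environ.get("LOCALAPPDATA")
    if not base or not os.path.isdir(base):
        return {}
    names = [d for d in os.listdir(base) if os.path.isdir(os.path.join(base, d))]
    return find_suspicious_dirs(names)


if __name__ == "__main__":
    # Constructed sample listing (hypothetical), not output from a real host.
    sample = ["Microsoft", "Google", "channelspace", "Temp", "symbolguid", "channel"]
    print("sample hits:", find_suspicious_dirs(sample))
    hits = scan_localappdata()
    for folder, (first, second) in hits.items():
        print(f"suspicious folder {folder!r} = {first!r} + {second!r}; confirm with EmoCheck")
    if not hits:
        print("no two-keyword folder names found under %LocalAppData%")
```

The check is deliberately strict (the whole name must be two list words and nothing else) so that ordinary folders such as Microsoft or Temp do not trigger it; a folder that merely contains a keyword is not reported.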
How to check if you are infected with Emotet or not?
First, download the EmoCheck utility from the JPCERT GitHub repository. After downloading, extract the zip file and double-click emocheck_x86.exe for the 32-bit version or emocheck_x64.exe for the 64-bit version, depending on which you downloaded. Once running, EmoCheck scans for the Emotet Trojan. If it is found, an alert is generated that also reports the location of the malicious file and the process ID it is running under. This information is also saved to a log file in the same directory as emocheck.exe.
What to do if you are infected?
If EmoCheck reports that you are infected, immediately open Task Manager and terminate the listed process; this is how the Trojan is removed. Then scan your computer with reputable antivirus software to make sure other malware has not already been downloaded and installed. Network administrators can also run the tool as part of a login script to quickly find machines that have been infected with Emotet and so prevent a full-blown ransomware attack. For future prevention, enable tamper protection in Microsoft Security, and never open an attachment that asks you to enable content just to view what is inside the document. Overall, the EmoCheck tool tracks down the nasty Emotet Trojan.