A new utility has been released by Japan CERT (computer emergency response team) that allows Windows users to easily check if they are infected with the Emotet Trojan.
The Emotet Trojan is one of the most actively distributed malware that is spread through phishing emails with malicious Word document attachments.
These emails pretend to be invoices, shipping notices, account reports, holiday party invites, and even information about the Coronavirus in the hopes that you will be enticed, or tricked, into opening the attachment.
Once installed, Emotet will utilize the infected computer to send further spam to potential victims and also download other malware onto the computer.
Emotet is particularly dangerous as it commonly downloads and installs the Trickbot banking Trojan, which steals saved credentials, cookies, browser history, SSH keys, and more while it attempts to spread to other computers on the network.
If the network is of high-value, TrickBot will also open a reverse shell back to the Ryuk Ransomware operators who will encrypt the network as a final payload.
Due to its severity, it is important that victims quickly find and remove the Emotet Trojan before it can download and install other malware onto an infected computer.
Using EmoCheck to check for the Emotet Trojan
When Emotet is installed by a malicious attachment, it will be stored in a semi-random folder under %LocalAppData%.
It is semi-random because it will not use random characters, but rather a folder name built out of two keywords from the following list:
duck, mfidl, targets, ptr, khmer, purge, metrics, acc, inet, msra, symbol, driver, sidebar, restore, msg, volume, cards, shext, query, roam, etw, mexico, basic, url, createa, blb, pal, cors, send, devices, radio, bid, format, thrd, taskmgr, timeout, vmd, ctl, bta, shlp, avi, exce, dbt, pfx, rtp, edge, mult, clr, wmistr, ellipse, vol, cyan, ses, guid, wce, wmp, dvb, elem, channel, space, digital, pdeft, violet, thunk
Once downloaded, extract the zip file and double-click on the emocheck_x64.exe (64-bit version) or emocheck_x86.exe (32-bit version) depending on what you downloaded.
Once running, EmoCheck will scan for the Emotet Trojan and alert you if it is found, what process ID it is running under, and the location of the malicious file.
This information will also be saved to a log file located at [path of emocheck.exe]\yyyymmddhhmmss_emocheck.txt.
If you run EmoCheck and discover that you are infected, you should immediately open Task Manager and terminate the listed process.
You should then scan your computer with reputable antivirus software to make sure other malware has not already been downloaded and installed onto the computer.
This tool could also be useful for network administrators to use as part of a login script to quickly find machines that have been infected with Emotet to prevent a full-blown ransomware attack.