September 17, 2020
Digital Arts Inc.
Release Information Analysis of the Reemerged Malware Strain "Emotet"
- "i-Filter®" and "m-Filter®" Block the Latest Malware Techniques, Including Password Encrypted Zip Files -
Information security solution provider Digital Arts Inc. (headquarters: Chiyoda-ku, Tokyo, Japan; CEO: Toshio Dogu; hereinafter referred to as “Digital Arts”; Code 2326) is pleased to announce that we have released information analysis of e-mails and URLs that are thought to have infected computers with the malware strain "Emotet" that ran rampant in the latter half of 2019 and reared its head again in July 2020.
After the activity of the continually evolving malware strain "Emotet" was first reported in 2014, we were able to confirm a case of infection via a download from a falsified website in September 2019. However, the virus continued to spread through Japan while changing its method of attack until around December 2019 *1. "Emotet" once again reared its head around July 2020, and a warning was sent out by the Information-technology Promotion Agency (IPA) and the JPCERT Coordination Center *2.
The method of attack remains the same. It infects your computer by executing macros from Microsoft Word files attached to e-mails or from Microsoft Word files downloaded through URLs included in the e-mail or the attached files. From the beginning of September 2020, a number of cases where a new method using password encrypted ZIP files have also been seen *3.
With the latest features of our web security product "i-FILTER" Ver.10 and our mail security product "m-FILTER" Ver.5, we were able to protect users from "Emotet."
On our website, we have released the specific features of the subject, attachment, URL, etc. of an email used in an attack and through the observation of action logs on September 2 was seen to be spreading "Emotet."
It is thought that one factor in the damaging spread of "Emotet" that has led to there being "signs of an outbreak" is that the names, e-mail addresses, e-mail content, etc. of actual people with whom the recipient has exchanged e-mails in the past are used by the attack e-mail, and then opened when the recipient mistakenly thinks they are necessary for work. As there is the possibility that "Emotet" will continue to change its form and use cleverly designed attack emails to spread further, it is necessary to utilize the information we gathered and continue being vigilant in the future.
Additionally, as it is no longer possible for the human eye to discern such attack emails, we recommend taking the appropriate precautions with a product designed for this purpose.
Information Analysis of the Malware Strain "Emotet"
The following is available on our corporate website.
- Email subject
- Attachment file name
- HASH values of attachments
- Countermeasure procedure
- Infection process
- URL used to communicate with when executing the macro
- Support status of our products
How our products deal with the malware strain "Emotet"
In the past, features included in our "i-FILTER" and "m-FILTER" products have blocked threats from these malicious e-mails and protected users.
Features that Blocked "Emotet"
The main infection routes of Emotet are macros executed via Microsoft Word files attached to e-mails (route 1) and macros executed after a URL included in e-mail attachments or in the body of the e-mail have been accessed and a Microsoft Word file has been downloaded (route 2 & 3). However, we have also been able to confirm a new route that utilizes password encrypted ZIP files.
Features and Characteristics of the Web Security Product "i-FILTER" Ver.10
Uses the "whitelisting" feature to filter and allow access only to websites judged to be safe.
- Covers websites that can be searched in Japan, allows access only to URLs of websites that have been confirmed to be safe by Digital Arts, and blocks all URLs that cannot be confirmed to be safe or dangerous unknown URLs.
- Registering URLs required for business in advance and setting access permission/non-permission by filtering according to the operation rules of your organization or company is also possible.
The "whitelisting" feature and "download filter function" reliably block Emotet downloads.
The "whitelisting" feature blocks access to Emotet download URLs that excucuted macros lead to. Additionally, even if malware is directly embedded in a legitimate website that has been tampered with, the "download filter function" blocks malware downloads and prevents infection from the Emotet virus. Also, even if e-mails using the new "password encrypted ZIP file technique", which was first seen in September, they will be forcibly inspected, and any forged information will be found and blocked.
Features and Characteristics of the E-Mail Security Product "m-FILTER" Ver.5
Uses the "whitelisting" feature that allows only e-mails judged to be safe and blocks malicious e-mails.
- Collects a combination of secure "IP address" and "e-mail domains," and can only receive e-mails from senders that are determined to be secure.
- Discerns and isolates e-mails with forged sender addresses, attachments, and text. The e-mails can be rendered harmless by deleting attachments and invalidating links, etc.
The "forced attachment inspection function" blocks even e-mails using the latest malicious techniques from reaching recipients.
Blocks e-mails containing the old style of macro embedded Word or Excel attachments, which is a commonly used Emotet technique.
Web Security Product "i-FILTER" details
E-Mail Security Product "m-FILTER" details
- *1 Please refer to our security report below for details.
- *2 See below for information from IPA about e-mails with the intent of infecting computers with the computer virus "Emotet" (last updated September 2)
- *3 See below for information from JPCERT about the spread of Emotet malware and its new methods of attack (last updated September 4)
- Digital Arts, Inc. Overview
- Digital Arts, Inc. is an information security solution provider focused on the development and sales of security software for web, e-mail, files and others.
Since its founding in 1995 the company philosophy has been "Contributing to a safer, better, more convenient internet lifestyle" and since developing web filtering software to prevent the browsing of harmful information on the internet, the company has been promoting internet security products to companies, the public sector and homes everywhere.