Japan CERT Releases EmoCheck to Detect New 64-bit Version of Emotet Malware

Japan CERT has released a new version of its EmoCheck utility that can detect new 64-bit versions of the Emotet malware.

https://github.com/JPCERTCC/EmoCheck/releases

Here is Compatible update with Emotet’s April 2022.

Emotet is one of the most actively distributed malware that spreads via email using phishing emails with malicious attachments such as Word/Excel documents, Windows shortcuts, ISO files, and password-protected ZIP files

Phishing emails use clever lures to trick users into opening attachments, such as return chain letters, shipping notices, tax forms, financial reports, and year-end party invitations.

Once the device is infected, Emotet sniffs the user’s email and typically uses it for its next reply-chain phishing attack, downloading more malware payloads to the computer.

Furthermore, since malware can lead to data theft and ransomware attacks, it is critical to quickly detect Emotet malware infections before they cause further damage.

EmoCheck updated for 64-bit version

In 2020, Japan CERT (Computer Emergency Response Team) released a free tool called EmoCheck to scan computers for Emotet infection.

If detected, display the full path to the malware infection so it can be removed.

But in early April 2022, Emotet switched to a 64-bit version, so the new 64-bit version of Emotet can no longer be detected.

JPCERT has released EmoCheck 2.2 which supports the new 64-bit version and can detect them as shown below. EmoCheck to detect Emotet malware infection

To check if you are infected with Emotet, you can download the EmoCheck utility from the Japan CERT GitHub repository.

After downloading, double-click on emocheck_x64.exe (64-bit version) or emocheck_x86.exe (32-bit version), depending on what you have downloaded.

EmoCheck scans for Emotet Trojans and, if malware is detected, displays the process ID under which it is running and the location of the malware DLL.

Emotet is currently installed in a random folder under C: \Users[username]⇄AppData⇄Local.

The Emotet malware is a DLL, but with a random 3-letter extension such as .bbo or .qvp instead of a DLL extension.

An example of the installed Emotet malware infection is shown below.

  • Emotet is installed under %LocalAppData%.
  • Emotet is installed under %LocalAppData%.

If you run EmoCheck and find that you are infected, you must immediately open the Task Manager and terminate the listed process (usually regsvr32.exe).

You should then scan your computer with reputable anti-virus software to make sure no other malware is already installed on the device.

This tool is useful for Windows administrators and can be run at login to detect Emotet infections on the network.

Leave a Reply

Your email address will not be published.