Threat Alert: Emotet Malware on the Move

2015’s not even old enough to get its driver’s license or go to a bar, and we’re already seeing renewed threats of the malware variety. Spammers aren’t waiting for the Ides of March to unleash new waves of malware-laden email, and news out of Germany this week confirms it: Emotet is on the move.

It shouldn’t come as any surprise to anyone, though. Spamhaus and others have been reporting a surge in malware; the only difference we’re seeing is that instead of attaching the nasty stuff to emails, spammers have opted for toxic links, perhaps because people have gotten wise to the dangers of attachments from unknown sources. It’s a bit baffling why these same people think links are any safer to click on, but if history has shown us anything, spammers and cybercrooks are always ahead of the curve, and they always give their ‘audience’ what they ‘want.’

When news of a variant of the Emotet banking virus broke, all we could do was nod and steel ourselves for the grim reality. 2015’s going to be a rough year. SC Magazine is reporting that Emotet, which arrived on the scene in June of last year, is rearing its ugly head once again. The malware “downloads a configuration file containing information on the banks it is targeting, and also downloads a file that intercepts and logs network traffic,” SC Magazine reported in 2014. “One of the most standout features of EMOTET is its network sniffing ability, which enables it to capture data sent over secured HTTPS connections.”

The banking malware hooks network APIs and monitors network traffic. The hooked functions include PR_OpenTcpSocket, PR_Write, PR_Close, PR_GetNameForIdentity, Closesocket, Connect, Send, and WsaSend. “Network sniffing makes it easier to skirt detection and enables EMOTET to operate without the infected user ever knowing…other similar malware typically use form field insertion and phishing pages to pilfer data.” HeungSoo (David) Kang of Microsoft’s Malware Protection Center (MMPC) writes in a blog post that this new variant “in the Win32/Emotet family is targeting banking credentials with a new spam email campaign. The emails include fraudulent claims, such as fake phone bills, and invoices from banks or PayPal.”

Kang points out that the spam emails are “difficult for email servers to filter because the spamming component uses compromised email accounts to send malicious links. Emotet’s spam module (detected as Spammer:Win32/Cetsiol.A) logs into email services using the stolen account name and passwords to send the spam. This means traditional anti-spam techniques, such as callback verification, won’t be applicable because the email is sent from a vetted or legitimate email address.” Once it executes, Trojan:Win32/Emotet.C monitors network connections, and when infected users log on to a banking website, it steals their online banking credentials. It can log credentials from a large number of URLs, and you can find that list in Kang’s blog post. A few notables are Wells Fargo Bank, Vodafone, and GE Capital.

This particular variant appears to be targeted at German speakers, and SC Magazine points out that “In the past 30 days, nearly half of Emotet infections have been in Germany; however, users in Austria, Switzerland, Hungary, Poland, the Netherlands, Slovenia, Czech Republic, Denmark and Slovak Republic have also been affected.”

Adam Kujawa, head of malware intelligence at Malwarebytes, told SC that the attackers could alter their strategy and target users and banks in the U.S. Kujawa says that “it would be a matter of modifying the malware to look out for U.S. email and bank keywords and maybe even modify the practices of stealing the information since many banks in the U.S. don’t follow the same security practices in other countries.”

A sample in Kang’s post pretends to be from Volksbank and directs recipients to click on a link to obtain more details on a deposit or statement:

The message, when translated into English, reads:

Your deposit

Good day,

Your statement has been cancelled before we recorded contact with the bank. More details are available here: your deposit.

With warm regards, the Volksbank team.

The link downloads a zip file containing an executable whose long file name hides the fact that it is an .exe file. The file also uses a PDF file icon, Kang reports, to disguise the executable as a document. Win32/Emotet can also steal email account information from whatever email or messaging software is installed on infected systems, and any stolen information is routed back to Emotet’s C&C server to be used for spreading the infection.
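The disguise described above (an executable with a document-looking name padded out so the real extension scrolls out of view) is easy to flag mechanically before a user ever sees the icon. The following is an added example written for this post, not code from the article, from Kang’s post or from Microsoft: it opens a zip archive, and for each entry checks the name for an executable extension, a decoy document extension buried in the stem, whitespace padding and excessive length, and checks the first bytes for an MZ (DOS/PE) header. The sample archive, the lure file name and the 60-character threshold are constructed for the demonstration; the MZ stub is not a real program.

```python
import io
import zipfile
from typing import Dict, List

# Extensions Windows will run directly; a lure typically hides one of these
# behind a name such as "Kontoauszug.pdf<padding>.exe" (constructed pattern).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Document extensions that appear inside the stem to make the name look harmless.
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}
LONG_NAME_THRESHOLD = 60  # constructed threshold; tune for your environment


def inspect_entry(name: str, head: bytes) -> List[str]:
    """Return the reasons an archive entry looks like a disguised executable."""
    reasons = []
    base = name.rsplit("/", 1)[-1]            # drop any directory prefix
    lowered = base.lower()
    stem, dot, ext = lowered.rpartition(".")
    ext = "." + ext if dot else ""

    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {ext}")
        if any(decoy in stem for decoy in DECOY_EXTENSIONS):
            reasons.append("decoy document extension inside the file name")
    if "  " in base:
        reasons.append("whitespace padding in file name")
    if len(base) > LONG_NAME_THRESHOLD:
        reasons.append(f"file name longer than {LONG_NAME_THRESHOLD} characters")
    if head[:2] == b"MZ":
        # Content check: a PE/DOS header is executable whatever the name says.
        reasons.append("MZ header (Windows executable) regardless of name")
    return reasons


def scan_archive(data: bytes) -> Dict[str, List[str]]:
    """Map each suspicious entry name in a zip archive to its list of reasons."""
    findings: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)             # only the magic bytes are needed
            reasons = inspect_entry(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: one benign text file plus one lure-style executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "hello")
        lure_name = "Kontoauszug_Volksbank_" + "x" * 50 + ".pdf" + " " * 30 + ".exe"
        zf.writestr(lure_name, b"MZ" + b"\x00" * 62)   # fake DOS header stub, not a real PE
    return buf.getvalue()


if __name__ == "__main__":
    for entry, why in scan_archive(build_sample_archive()).items():
        print(repr(entry))
        for reason in why:
            print("  -", reason)
```

The name-based checks are cheap and catch the padding trick on their own; the MZ check is what catches a renamed executable whose name gives nothing away, so a mail gateway rule should keep both and quarantine on any hit rather than on the count.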

Kang emphasizes the importance of keeping security software up-to-date, good advice for all of us, but vigilance is important, too. Keep your users informed and remind them that links are just as dangerous as attached files.