New Variant of Emotet Banking Malware targets German Users
A new spam email campaign making the rounds in Germany is delivering a new variant of a powerful banking malware, a financial threat designed to steal users' online banking credentials, according to security researchers from Microsoft.
The malware, identified as Emotet, was first spotted last June by security vendors at Trend Micro. Its most notable feature is its network sniffing ability, which enables it to capture data sent over secured HTTPS connections by hooking into eight network APIs, according to Trend Micro. Because those hooks run inside the victim's own applications, they see the data before it is handed to the encryption layer: the malware reads the traffic in plaintext and never has to break TLS.
Microsoft has been monitoring a new variant of Emotet banking malware, Trojan:Win32/Emotet.C, since November last year. This new variant was sent out as part of a spam email campaign that peaked in November.
Emotet has been distributed through spam messages that contain either a link to a website hosting the malware or an attachment bearing a PDF document icon that is actually the malware.
HeungSoo Kang of Microsoft's Malware Protection Center identified a sample of the spam email message that was written in German and included a link to a compromised website. This indicates that the campaign primarily targeted German-language speakers and German banking websites.
The spam messages are written so that they easily catch the attention of potential victims: they masquerade as a plausible-looking financial notice, such as a phone bill, an invoice from a bank or a message from PayPal.
Once it infects a system, Emotet downloads a configuration file that contains the list of banks and services whose credentials it is designed to steal, and also downloads a second component that intercepts and logs network traffic.
Network sniffing is the most disturbing part of this malware, because it gives the criminal a view of everything the victim exchanges with the bank, whether or not the connection is encrypted. Users can go about their online banking without ever realising that their data is being stolen.
Emotet will also pull stored credentials from a variety of email programs, including versions of Microsoft's Outlook and Mozilla's Thunderbird, and from instant messaging programs such as Yahoo Messenger and Windows Live Messenger.
All the stolen information is sent back to Emotet’s "command and control (C&C) server where it is used by other components to send spam emails to spread the threat," Kang wrote. "We detect the Emotet spamming component as Spammer:Win32/Cetsiol.A."
Spam emails carrying Emotet are difficult for mail servers to filter because the messages actually originate from legitimate, compromised email accounts. Typical anti-spam techniques such as callback verification, which only confirms that the sender address exists and accepts mail, therefore do not help against it.
Reviewed by Unknown on 1/02/2015