New variant of Emotet banking trojan employs email harvesting feature

Banking trojan Emotet is back with the newest spam campaign: can also steal email content

The newest spam campaign from Emotet raises researchers attention because it affects previously infected systems. More than ten thousand servers at risk because of the email exfiltration module.

A new email spam campaign is spreading the Emotet banking Trojan to victims' devices all over the U.S, Turkey, South Africa, and the UK. ESET researchers reported this month that new email-harvesting module is included in the latest version, in addition to its data gathering and malware-spreading capabilities.

Emotet botnet was under the radar for quite a while since its release in 2014 until this large-scale campaign. However, researchers noticed increased detection rates of malware at the beginning of November 2018.^[1]

Based on the subject line in these spam campaign emails,^[2] the primary target is English and German-speakers. The email contains a malicious Word or PDF document as an attachment that has a hyperlink which initiates a download of malicious script. The example of the malicious email reads the following:

Hello,

You scheduled a payment of $2,900.54 for your account ending in 2922.

For details of a recent payment made to you, please see the attached paymen=remittance advice.

If you have any queries or questions, our contact details are printed on th=remittance advice.

Payment_remittance_Advice_4463427.pdf

Bankofamerica. Forward Thinking.

Head of Bus banking Customer Support

The malicious info-stealing campaign starts with the download of an infected file

The spam email campaign begins when the victim downloads and opens the document attached to the email. These phishing emails are carefully crafted by criminals so that they may look like legitimate ones, and people tend to follow the download instructions. By doing so, users enable macros^[3] in the document or gets redirected to a malicious site with a direct download link.

After this, malicious Emotet payload is installed and launched on the system. Then it automatically makes changes that ensure the persistence on the device and reports the successful infiltration to the C&C server.^[4] Malware then receives instructions from the server on what needs to be downloaded next.

Emotet then performs several different tasks, including self-propagation, port forwarding, as well as gathering sensitive information from the computer user.

As its secondary payload, Emotet drops IcedID banking trojan which manipulates user interface within the browser, making users insert their credentials, revealing them to cybercriminals immediately. Additionally, the botnet can spread the infamous TrickBot malware.^[5]

Researchers believe it is the start of a more dangerous attack

Emotet malware was known as a banking trojan for a while, but right now it spreads around the world with more sophisticated capabilities and infects victims' devices using crafted emails. This modular banking trojan harvests email messages from the infected system, but it also can steal information like:

• logins and passwords;
• email addresses;
• banking credentials;
• full names;
• other personally identifiable data.

The most recent Emotet's appearance proved that the developers behind malware are skilled individuals, and are highly likely to improve the functionality of the malicious code, including more advanced features over time. Researchers expect that Emotet team is preparing a more dangerous attack in the future, as ESET report states:

This recent spike in Emotet activity just goes to show that Emotet continues to be an active threat – and an increasingly worrying one due to the recent module updates.