A new Spam email campaign making the rounds in Germany are delivering a new variant of a powerful banking malware, a financial threat designed to steal users’ online banking credentials, according to security researchers from Microsoft.
The malware, identified as Emotet, was first spotted last June by security vendors at Trend Micro. The most standout features of Emotet is its network sniffing ability, which enables it to capture data sent over secured HTTPS connections by hooking into eight network APIs, according to Trend Micro.
Microsoft has been monitoring a new variant of Emotet banking malware, Trojan:Win32/Emotet.C, since November last year. This new variant was sent out as part of a spam email campaign that peaked in November.
Emotet has been distributed through spam messages, which either contain a link to a website hosting the malware or a PDF document icon that is actually the malware.
HeungSoo Kang of Microsoft’s Malware Protection Center identified a sample of the spam email message that was written in German, including a link to a compromised website. This indicates that the campaign primarily targeted mostly German-language speakers and banking websites.
The spam messages are written in such a way that it easily gain the attention of potential victims. It could masquerade as some sort of fraudulent claim, such as a phone bill, an invoice from a bank or a message from PayPal.
Once it infect a system, Emotet downloads a configuration file which contains a list of banks and services it is designed to steal credentials from, and also downloads a file that intercepts and logs network traffic.
Network sniffing is especially a disturbing part of this malware because in that a cyber criminal becomes omniscient to all information being exchanged over the network. In short, users can go about with their online banking without even realizing that their data is being stolen.
Emotet will pull credentials from a variety of email programs, including versions of Microsoft’s Outlook, Mozilla’s Thunderbird and instant messaging programs such as Yahoo Messenger andWindows Live Messenger.
All the stolen information is sent back to Emotet’s “command and control (C&C) server where it is used by other components to send spam emails to spread the threat,” Kang wrote. “We detect the Emotet spamming component as Spammer:Win32/Cetsiol.A.”
Spam emails containing Emotet malware are difficult for email servers to filter because the messages actually originate from legitimate email accounts. Therefore, typical anti-spam techniques, such as callback verification, won’t be applicable on it.
However, there is one technique to stop these spam messages — just reject all those messages that come from bogus accounts by checking whether the account from which you have received the spam email really exists or not.
Users are also advised not to open or click on links and attachments that are provided in any suspicious email, but if the message is from your banking institution and of concern to you, then confirm it twice before proceeding.