Emotet spam campaign targets banking credentials

A new variant in the Win32/Emotet family is targeting banking credentials with a new spam email campaign. The emails include fraudulent claims, such as fake phone bills, and invoices from banks or PayPal.

Since November 2014 we have been monitoring a new variant: Trojan:Win32/Emotet.C. This variant was part of a recent spam campaign that peaked in November. Our telemetry indicates this campaign primarily targeted German-language speakers and banking websites.

Figure 1: Emotet infections by country (last 30 days)

As the sample indicates, the spam email messages are written in German and contain a link to a compromised website.

Figure 2: A spam email message linking to a website that downloads Emotet (German)

The message, when translated into English, reads:

Your deposit

Good day,

Your statement has been cancelled before we recorded contact with the bank. More details are available here: your deposit.

With warm regards, the Volksbank team.

The linked website downloads a .zip file that contains an executable with a long file name chosen to hide its .exe extension, such as:

  • de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe
  • E-Card_zu_Weichnachten_scan_foto_2834792347_12_2014_21093812_000129_001_004_002910.exe
  • Informationen_Kontobewegung_dezember_2014_de_20_8139_237_90109238_000129_000028_05.exe

The file also uses a PDF document icon in an attempt to trick victims into opening the file and running the malware.

Figure 3: Long file name with PDF icon for deception
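The combination described above (long document-looking name, executable extension, PDF icon, delivered inside a .zip) is something a mail gateway can check for before the archive ever reaches a user. The following is an added example, not code from the original post or from Microsoft; it builds a constructed sample archive using the first file name quoted above, with fake member bodies, and flags members that look like disguised executables.

```python
import io
import os
import re
import zipfile

# Extensions Windows runs directly when a user double-clicks the file.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Words the Emotet lures used to make the name read like a scanned document.
DOCUMENT_WORDS = re.compile(r"rechnung|scan|page|foto|kontobewegung|invoice", re.I)
LONG_NAME = 60  # threshold is an assumption; the lure names above are ~80 chars

def classify_member(name, head):
    """Return the reasons an archive member looks like a disguised executable.

    name: member file name; head: first two bytes of the member's content.
    """
    reasons = []
    ext = os.path.splitext(name)[1].lower()
    if ext in EXECUTABLE_EXT:
        reasons.append("executable extension %s" % ext)
    if DOCUMENT_WORDS.search(name) and ext in EXECUTABLE_EXT:
        reasons.append("document-like name with executable extension")
    if len(name) > LONG_NAME:
        reasons.append("unusually long file name (%d chars)" % len(name))
    # A PE image starts with 'MZ' whatever the name says, so this also catches
    # an .exe renamed to .pdf, which the extension checks above would miss.
    if head == b"MZ" and ext not in EXECUTABLE_EXT:
        reasons.append("PE header (MZ) although extension is %s" % (ext or "none"))
    return reasons

def scan_zip(blob):
    """Map every non-directory member of a zip (given as bytes) to its reasons."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                report[info.filename] = classify_member(info.filename, member.read(2))
    return report

def build_sample_zip():
    """Constructed sample: one lure name from the post, a benign PDF, a renamed PE."""
    lure = "de_0000239029_rechnung_scan_hp_28_0000000904_page_2_10_01_05_id_00291002098.exe"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(lure, b"MZ" + b"\x00" * 62)          # fake PE stub, not real malware
        zf.writestr("Rechnung_Dezember.pdf", b"%PDF-1.4\n")  # genuine-looking document
        zf.writestr("Foto.pdf", b"MZ" + b"\x00" * 62)     # executable renamed to .pdf
    return buf.getvalue()
```

Running `scan_zip(build_sample_zip())` flags the lure on all three name-based checks and flags `Foto.pdf` on content alone, while the real PDF passes clean.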

The spam emails are difficult for email servers to filter because the spamming component uses compromised email accounts to send the malicious links. Emotet’s spam module (detected as Spammer:Win32/Cetsiol.A) logs into email services with stolen account names and passwords to send the spam. This means traditional anti-spam techniques, such as callback verification, won’t apply, because the email is sent from a vetted, legitimate email address.

Unlike Windows Explorer, most file archive software doesn’t warn users when they execute a file from an archive that was downloaded from the Internet. In this case the Emotet binaries are delivered in a .zip file, so whichever archive software is installed as the default, such as Windows Explorer, WinRAR or WinZip, will open the file.

Once run, Trojan:Win32/Emotet.C monitors network activity to steal online banking credentials when an infected user logs on to banking websites. It can log credentials from URLs with any of the following paths, and this list could be updated at any time:

  • /ach//nubi/
  • /wire/
  • /wires/
  • banking.bank1saar.de
  • banking.berliner-bank.de
  • banking.flessabank.de
  • banking.gecapital.de
  • banking.sparda.de
  • commerzbank.de
  • de/portal/portal
  • finanzportal.fiducia.de
  • kunde.comdirect.de
  • meine.norisbank.de
  • ptlweb/WebPortal
  • raiffeisen.at
  • telekom.de
  • vodafone.de
  • wellsfargo.com

On infected machines, the Win32/Emotet family can also steal email account user names and passwords from installed email or messaging software. We detect the download component as PWS:Win32/Emotet.E, and have seen it try to extract user names and passwords stored in the following software:

  • Eudora
  • Gmail Notifier
  • Google Desktop
  • Google Talk
  • Group Mail
  • IncrediMail
  • Mozilla Thunderbird
  • MSN or Windows Live Messenger
  • Netscape 6 and Netscape 7
  • Outlook 2000, Outlook 2002, and Outlook Express
  • Windows Mail and Windows Live Mail
  • Yahoo! Messenger

It sends the stolen information back to its command and control (C&C) server where it is used by other components to send spam emails to spread the threat. We detect the Emotet spamming component as Spammer:Win32/Cetsiol.A.

The emergence of this new variant demonstrates the importance of keeping your Microsoft security software up to date, as well as enabling the Microsoft Active Protection Service Community (MAPS). Customers using MAPS can take advantage of Microsoft’s cloud protection and, therefore, faster detection and removal.

We are closely monitoring this and related threats using the telemetry we receive from our customers, which allows us to respond faster and remediate more effectively.

HeungSoo (David) Kang

Comments (1)

  1. adwbust says:

    Why only reactive? When malware disables MAPS and blocks access to spynet servers, MSE will be blind (no DSS/cloud) and mute (no telemetry sent). MSE self/integrity protection isn't its strong point. How can it protect the user if it can't protect itself?
    Does MSE even have behavior rules against suspicious tampering? Does MSE check its integrity on log on/start up? Will it be able to repair itself? How will it deal with the av killer?

    MSE is also not good at spotting rootkits, droppers, ad/spy and remediation (infector, in general aka traces). 🙁