A new variant in the Win32/Emotet family is targeting banking credentials with a new spam email campaign. The emails include fraudulent claims, such as fake phone bills, and invoices from banks or PayPal.
Since November 2014 we have been monitoring a new variant: Trojan:Win32/Emotet.C. This variant was part of a recent spam campaign that peaked in November. Our telemetry indicates this campaign primarily targeted German-language speakers and banking websites.
Figure 1: Emotet infections by country (last 30 days)
As the sample indicates, the spam email messages are written in German and contain a link to a compromised website.
Figure 2: A spam email message linking to a website that downloads Emotet (German)
The message, when translated into English, reads:
Your statement has been cancelled before we recorded contact with the bank. More details are available here: your deposit.
With warm regards, the Volksbank team.
The linked website downloads a .zip file that contains an executable whose long file name is intended to hide its .exe extension, such as:
The file also uses a PDF document icon in an attempt to trick victims into opening the file and running the malware.
Figure 3: Long file name with PDF icon for deception
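The two lures just described, a long file name that pushes the real extension out of view and a document icon or embedded document extension, can be checked for without extracting anything, because the entry names are readable from the archive's central directory. The following is an added example, not code from the original post or from Microsoft: it scans an in-memory .zip and flags entry names that end in an executable extension while being unusually long, padded with whitespace, or carrying a document extension inside the stem. The entry names, the 60-character threshold and the extension lists are constructed assumptions for the example, and the archive contents are placeholders rather than real samples.

```python
import io
import re
import zipfile
from typing import Dict, List

# Extensions Windows runs on double-click (defender's list for this example; not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Document-type extensions a deceptive name may embed to look like a harmless attachment.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}


def deceptive_name_reasons(name: str, max_reasonable_len: int = 60) -> List[str]:
    """Return the reasons an archive entry name looks built to hide an executable extension.

    An empty list means the entry is either not executable or carries no obvious trick.
    """
    base = name.rsplit("/", 1)[-1]  # drop any directory part stored in the archive
    lower = base.lower()
    dot = lower.rfind(".")
    ext = lower[dot:] if dot != -1 else ""
    if ext not in EXECUTABLE_EXTS:
        return []
    stem = lower[:dot]
    reasons: List[str] = []
    # Very long names push the real extension out of view in file dialogs and archive tools.
    if len(base) > max_reasonable_len:
        reasons.append("long name")
    # Runs of whitespace before the extension serve the same purpose.
    if re.search(r"\s{3,}", stem):
        reasons.append("padding whitespace")
    # A document extension inside the stem ("Rechnung.pdf   .exe") is the double-extension lure.
    if any(doc_ext in stem for doc_ext in DOCUMENT_EXTS):
        reasons.append("embedded document extension")
    return reasons


def scan_zip_bytes(data: bytes) -> Dict[str, List[str]]:
    """Scan an in-memory ZIP and map each suspicious entry name to its reasons (nothing is extracted)."""
    flagged: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = deceptive_name_reasons(info.filename)
            if reasons:
                flagged[info.filename] = reasons
    return flagged


# Constructed sample archive for the example: the entry names are made up and the
# contents are placeholders, not real Emotet binaries.
LONG_EXE_NAME = "Volksbank_Kontoauszug_November_2014_Kunde_Referenznummer_0000123456789.exe"
PADDED_EXE_NAME = "Rechnung.pdf" + " " * 40 + ".exe"


def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Kontoauszug.pdf", b"%PDF-1.4 placeholder")
        zf.writestr(LONG_EXE_NAME, b"MZ placeholder, not a real executable")
        zf.writestr(PADDED_EXE_NAME, b"MZ placeholder, not a real executable")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, why in scan_zip_bytes(build_sample_zip()).items():
        print(f"SUSPICIOUS: {entry!r}: {', '.join(why)}")
```

A mail gateway or endpoint agent can run this on the archive before any archive tool opens it, which matters because, as the next paragraphs note, the archive tools themselves give no warning. The icon trick is not covered here; an icon lives inside the PE resources and would need the executable to be parsed, while the name-based checks need only the archive listing.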
The spam emails are difficult for email servers to filter because the spamming component uses compromised email accounts to send the malicious links. Emotet’s spam module (detected as Spammer:Win32/Cetsiol.A) logs into email services with the stolen account names and passwords and sends the spam from there. Traditional anti-spam techniques such as callback verification therefore do not help, because the email really is sent from a vetted, legitimate email address.
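Because the sending address is genuine, a filter for this campaign has to decide on message content rather than on sender authentication. The following is an added example, not code from the original post or from Microsoft: it parses a raw message, finds which known brand the body claims to be from, and reports any link whose host does not belong to that brand's domains, ignoring the From: header and any authentication results entirely. The brand-to-domain mapping, the two sample messages and every address and host in them are constructed placeholders for the example; the lure body mirrors the translated spam text above.

```python
import email
import re
from email import policy
from typing import Dict, List
from urllib.parse import urlparse

# Brands the filter knows, mapped to the domains that may legitimately host their links.
# Constructed mapping for this example; a deployment would build it from each bank's published domains.
BRAND_DOMAINS: Dict[str, List[str]] = {
    "volksbank": ["volksbank.de"],
    "paypal": ["paypal.com", "paypal.de"],
}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def text_parts(msg) -> List[str]:
    """Collect the decoded text of every text/plain and text/html part."""
    return [part.get_content() for part in msg.walk()
            if part.get_content_type() in ("text/plain", "text/html")]


def host_belongs_to(host: str, domains: List[str]) -> bool:
    """True if host is one of the brand's domains or a subdomain of one (not a look-alike)."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def brand_link_mismatches(raw: bytes) -> Dict[str, List[str]]:
    """Map each brand named in the body to the link hosts that do not belong to that brand.

    The sender address and authentication results are deliberately ignored: when the mail is
    sent through a compromised account those checks pass, so the decision rests on content alone.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    parts = text_parts(msg)
    body = " ".join(parts).lower()
    hosts = [urlparse(u).hostname for u in URL_RE.findall(" ".join(parts))]
    findings: Dict[str, List[str]] = {}
    for brand, domains in BRAND_DOMAINS.items():
        if brand not in body:
            continue
        foreign = [h for h in hosts if h and not host_belongs_to(h, domains)]
        if foreign:
            findings[brand] = foreign
    return findings


# Constructed messages for the example (addresses and hosts are invented placeholders).
LURE_EMAIL = b"""\
From: accounting@compromised-account.example
To: customer@example.net
Subject: Your transaction
Content-Type: text/plain; charset="utf-8"

Your statement has been cancelled before we recorded contact with the bank.
More details are available here: http://compromised-site.example/konto/einzahlung.zip

With warm regards, the Volksbank team.
"""

LEGIT_EMAIL = b"""\
From: service@volksbank.de
To: customer@example.net
Subject: Your online banking
Content-Type: text/plain; charset="utf-8"

Sign in at https://www.volksbank.de/login to view your statement.

With warm regards, the Volksbank team.
"""


if __name__ == "__main__":
    print(brand_link_mismatches(LURE_EMAIL))   # {'volksbank': ['compromised-site.example']}
    print(brand_link_mismatches(LEGIT_EMAIL))  # {}
```

The check is intentionally narrow: it says nothing about messages that name no known brand, and it treats a link as suspect only when the host is outside the brand's own domains, so a look-alike such as a brand name used as a subdomain of another registrable domain is still caught by the suffix comparison.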
Unlike Windows Explorer, most file archive software doesn’t warn users when they run a file from an archive that has been downloaded from the Internet. In this case the Emotet binary is delivered in a .zip file, so whichever archive tool is installed as the default, such as Windows Explorer, WinRAR or WinZip, will open it.
Once run, Trojan:Win32/Emotet.C monitors network activity to steal online banking credentials when an infected user logs on to banking websites. It can log credentials from URLs with any of the following paths, and this list could be updated at any time:
On infected machines, the Win32/Emotet family can also steal email account user names and passwords from installed email or messaging software. We detect the download component as PWS:Win32/Emotet.E, and have seen it try to extract user names and passwords stored in the following software:
- Gmail Notifier
- Google Desktop
- Google Talk
- Group Mail
- Mozilla Thunderbird
- MSN or Windows Live Messenger
- Netscape 6 and Netscape 7
- Outlook 2000, Outlook 2002, and Outlook Express
- Windows Mail and Windows Live Mail
- Yahoo! Messenger
It sends the stolen information back to its command and control (C&C) server where it is used by other components to send spam emails to spread the threat. We detect the Emotet spamming component as Spammer:Win32/Cetsiol.A.
The emergence of this new variant demonstrates the importance of keeping your Microsoft security software up to date and of enabling the Microsoft Active Protection Service Community (MAPS). Customers using MAPS can take advantage of Microsoft’s cloud protection and, therefore, faster detection and removal.
We are closely monitoring this and related threats using the telemetry we receive from our customers, which allows us to respond faster and remediate more effectively.
HeungSoo (David) Kang