New Emotet Variant Targets Banking, Email Credentials

Security researchers are tracking a new version of the Emotet malware that targets users’ banking credentials and can also steal email usernames and passwords, which are then used to send spam from the compromised accounts.

The new variant of Emotet has mostly been seen targeting users in Germany, but researchers at Microsoft have also seen the malware appear in several other countries, including Austria, Switzerland and Hungary. The attack begins with a spam run that sends out emails designed to look like messages from a bank, a familiar tactic in these campaigns. The messages include a link to a compromised site that tries to download a zip archive to the victim’s computer. That archive contains a malicious executable with a very long file name and a fake PDF icon, intended to trick users into opening it.
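As a defender-side illustration added here (not from the article or from Microsoft's analysis), the following Python check flags the lure just described: a zip member that is a PE executable with a very long name, or one that hides a document-style extension inside an executable's name. The name-length threshold, the extension lists and the sample archive are assumptions constructed for this example.

```python
"""Added example (not from the article): flag zip archives that carry the
Emotet lure described above, an executable with a very long file name that
may also disguise itself with a document-like extension. Stdlib only."""
import io
import zipfile

# Heuristic thresholds are assumptions for this example, not values from the article.
LONG_NAME_THRESHOLD = 60
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif")
DOC_DECOYS = (".pdf", ".doc", ".docx")

def is_pe(data: bytes) -> bool:
    """A Windows PE file begins with the DOS 'MZ' magic."""
    return data[:2] == b"MZ"

def suspicious_members(zip_bytes: bytes) -> list:
    """Return (member name, reasons) for each member that looks like the lure."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1]
            lower = base.lower()
            # Read only the first two bytes: enough for the MZ check, cheap on large files.
            with zf.open(info) as fh:
                head = fh.read(2)
            if not (is_pe(head) or lower.endswith(EXECUTABLE_EXTS)):
                continue  # not an executable, nothing to flag here
            reasons = []
            if len(base) >= LONG_NAME_THRESHOLD:
                reasons.append("very long file name")
            if any(decoy in lower[:-4] for decoy in DOC_DECOYS):
                reasons.append("document extension embedded in an executable's name")
            if is_pe(head) and not lower.endswith(EXECUTABLE_EXTS):
                reasons.append("PE header but non-executable extension")
            if reasons:
                findings.append((info.filename, reasons))
    return findings

def build_sample_zip() -> bytes:
    """Constructed sample: one benign PDF and one long-named fake 'PDF' executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Kontoauszug.pdf", b"%PDF-1.4 constructed sample")
        long_name = "Kontoauszug_Rechnung_" + "0" * 50 + ".pdf" + " " * 20 + ".exe"
        zf.writestr(long_name, b"MZ" + b"\x00" * 64)  # constructed PE-like stub
    return buf.getvalue()
```

A mail gateway or sandbox would run suspicious_members over each zip attachment and quarantine anything that returns a non-empty list.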

“The spam emails are difficult for email servers to filter because the spamming component uses compromised email accounts to send malicious links. Emotet’s spam module logs into email services using the stolen account name and passwords to send the spam. This means traditional anti-spam techniques, such as callback verification, won’t be applicable because the email is sent from a vetted or legitimate email address,” HeungSoo Kang of Microsoft wrote in an analysis of the malware.

After it infects a new machine, Emotet sits in the background and waits for the user to connect to an online banking site. The malware then logs the credentials and sends them to a remote C2 server. Emotet can steal credentials for a long list of German and European banks, as well as Wells Fargo.

“On infected machines, the Win32/Emotet family can also steal email account user names and passwords from installed email or messaging software,” Kang said.

The malware can steal email credentials from a variety of applications, including Gmail Notifier, Yahoo Messenger, Mozilla Thunderbird, Outlook and even Eudora. Those credentials are then sent to the C2 server and used by the attackers for further spam runs.
