German Speakers Targeted By Variant Of Emotet Banking Malware

Media Division | January 8, 2015

According to a new report by Microsoft, German speakers were targeted by a new variant of a powerful banking malware that enables cyber criminals to steal online banking credentials.

The malware named ‘Emotet’ was detected by security vendors in late June last year. It has the capability to steal credentials over encrypted HTTPS connections by breaching network APIs.

HeungSoo (David) Kang of the Microsoft Malware Protection Center informed in a post that the malware will sniff online credentials whenever an individual logs into a specific website, and the list of banking websites – including names like Wells Fargo – can be changed at any instance. Kang added that Emotet can also take out credentials from installed messaging software and email such as Yahoo Messenger.

In the past month, almost 50 percent of Emotet infections have been in Germany, but the malware has also affected users in Switzerland, Hungary, Austria, Slovenia, the Netherlands, Denmark, Czech Republic and Slovak Republic.

The malware is distributed through spam messages, which may contain an icon of a PDF document that is the malware itself or a link to a website infected with the malware (opening the link downloads a ZIP file with a long name and the .EXE extension hidden). These messages try to gain attention of potential victims by claiming to be an invoice from an official organization, a phone bill, or a PayPal message.

Spam messages that lure victims into downloading Emotet malware can be difficult to filter because the messages come from real email addresses. Kang said a technique to stop these messages is to check if accounts really exist.

The malware comes with a list of services and banks it has been designed to steal credentials from. It will also take out credentials from email programs in addition to instant messaging programs, including Mozilla’s Thunderbird and Microsoft’s Outlook.

Any credentials stolen by the malware will be sent to Emotet’s C&C (command and control) server where it will be used by other components to send email spam to cast a wide net for the threat.

Protecting yourself from Emotet malware

To protect your organization against such attacks, you should put malware mitigation at the top of your mind. The following measures can greatly reduce the risk of malware infection.

Educational programs: Implement role-based educational programs that detail about signs of spam messages. The program can highlight best practices to recognize malware and spear phishing attempts, such as verifying an email address that looks suspicious before opening any links or attachments.

Anti-phishing systems: Those sneaky Emotet emails claiming that you’ve received an invoice is a gateway for hackers. The communication is mostly crafted in a professional tone, which makes the email look so real that you’re tempted to click. Massive’s anti-phishing solutions can prevent you from being the victim by exposing and shutting down the source.

Threat intelligence feeds: Malicious hosts & IP Feed can provide you the domain, URL information and IP address along with the associated malware hash in case you get infected. All of this information can be interpreted in XML format. The feed can detect compromised accounts, helping your IT department to take appropriate action.

Massive's Media Division publishes timely news and insights based on current events, trends, and actionable cross-industry expertise.