EMOTET the banking malware which uses network sniffing

Pierluigi Paganini June 28, 2014

Security experts at Trend Micro have detected a new banking malware, dubbed EMOTET, which also uses network sniffing capabilities to target bank customers.

The number of malware families designed to hit the banking industry is growing constantly: in the first half of this year the number of malicious codes used by cyber criminals for banking fraud has doubled.
Malware authors are implementing ever more sophisticated techniques to deceive customers of financial institutions. Until now, security experts have detected malicious codes, working on both mobile and desktop devices, that include a data-stealer component to capture the victim's credentials, but this time the threat is more complex. The cybercrime ecosystem is known to be very prolific: security researchers from Trend Micro have discovered a banking malware, dubbed EMOTET, which also implements a network "sniffing" feature to steal sensitive information of other users on the same network segment.

“In fact, 2013 saw almost a million new banking malware variants—double the volume of the previous year. The rise of banking malware continued into this year, with new malware and even new techniques.” states Joie Salvio, Threat Response Engineer at Trend Micro.

The banking malware EMOTET was spread through a classic spam email campaign; the attackers try to deceive banking customers into believing that the malware is a legitimate shipping invoice sent by the bank.

“Users who receive these emails might be persuaded to click the provided links, considering that the emails refer to financial transactions.” states Trend Micro.

The spam email includes a link that the targeted users must click for the malware to be installed. Once installed, the malware downloads further components, including DLL and configuration files that contain information about the targeted banks.

EMOTET is largely infecting the EMEA region (Europe, the Middle East and Africa); Germany is the country most targeted by the malicious code.
The EMOTET malware also downloads a .DLL file that is injected into all processes and is responsible for the sniffing activity: it intercepts and logs outgoing network traffic.
“When injected to a browser, this malicious DLL compares the accessed site with the strings contained in the previously downloaded configuration file. If strings match, the malware assembles the information by getting the URL accessed and the data sent. The malware saves the whole content of the website, meaning that any data can be stolen and saved.
EMOTET can even “sniff” out data sent over secured connections through its capability to hook to the following Network APIs to monitor network traffic:”

  • PR_OpenTcpSocket
  • PR_Write
  • PR_Close
  • PR_GetNameForIdentity
  • closesocket
  • connect
  • send
  • WSASend
By hooking these APIs EMOTET defeats the protection of an HTTPS connection, allowing the attackers to capture and store the victims' personal information and banking credentials even when they are transmitted over a secure connection.
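A defender-side check suggested by the hooking behaviour described above, as an added example that is not part of the original article or of Trend Micro's analysis: compare the entry bytes of the listed network exports as seen in a process with the copy on disk, and flag entries that begin with a control transfer. It assumes the NSPR exports live in nss3.dll and the Winsock ones in ws2_32.dll, that the caller has already read the entry bytes from memory and from the module file, and it uses x86 byte patterns over constructed sample data.

```python
# Added example: flag likely inline hooks on the network APIs named in the article.
# Assumed module names: nss3.dll (NSPR) and ws2_32.dll (Winsock). The caller supplies
# the first bytes of each export as read from process memory and from the file on disk.
WATCHED_APIS = {
    "nss3.dll": ["PR_OpenTcpSocket", "PR_Write", "PR_Close", "PR_GetNameForIdentity"],
    "ws2_32.dll": ["closesocket", "connect", "send", "WSASend"],
}

def looks_like_inline_hook(prologue: bytes) -> bool:
    """True if a function's first bytes are a control transfer, as an inline hook leaves them."""
    if len(prologue) < 2:
        return False
    if prologue[0] == 0xE9:                                   # jmp rel32
        return len(prologue) >= 5
    if prologue[0] == 0xEB:                                   # jmp rel8
        return True
    if prologue[0:2] == b"\xff\x25":                          # jmp [abs32]
        return len(prologue) >= 6
    if prologue[0] == 0x68 and len(prologue) >= 6 and prologue[5] == 0xC3:
        return True                                           # push imm32; ret
    return False

def find_hooked_exports(in_memory: dict, on_disk: dict) -> list:
    """Compare each watched export's entry bytes in memory with the on-disk copy.
    Both arguments are {module: {export: first_bytes}}; returns (module, export, reason)."""
    findings = []
    for module, exports in WATCHED_APIS.items():
        for name in exports:
            mem = in_memory.get(module, {}).get(name)
            if mem is None:
                continue                       # module not loaded or export not resolved
            disk = on_disk.get(module, {}).get(name)
            if disk is not None and mem[:len(disk)] == disk:
                continue                       # identical to the file on disk: not patched
            reason = "inline hook" if looks_like_inline_hook(mem) else "prologue modified"
            findings.append((module, name, reason))
    return findings

# Constructed sample: a clean x86 prologue (mov edi,edi; push ebp; mov ebp,esp; sub esp,10h)
# and the same exports as they might look after an injected DLL has patched them.
CLEAN = b"\x8b\xff\x55\x8b\xec\x83\xec\x10"
DISK = {m: {e: CLEAN for e in exps} for m, exps in WATCHED_APIS.items()}
MEMORY = {m: dict(DISK[m]) for m in DISK}
MEMORY["nss3.dll"]["PR_Write"] = b"\xe9\x12\x34\x56\x00\x83\xec\x10"   # jmp rel32
MEMORY["ws2_32.dll"]["send"] = b"\x68\x00\x10\x40\x00\xc3\xec\x10"       # push imm32; ret
MEMORY["ws2_32.dll"]["connect"] = b"\x90\xff\x55\x8b\xec\x83\xec\x10"    # patched, no jump

if __name__ == "__main__":
    for hit in find_hooked_exports(MEMORY, DISK):
        print("suspicious: %s!%s (%s)" % hit)
```

A mismatch that is not a recognised jump pattern is still reported, since legitimate modules rarely have their exported prologues rewritten in memory.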
EMOTET stores the stolen data in separate entries in encrypted form; in this way it can evade security checks. As Salvio explains, the technique can also serve as "a countermeasure against file-based AV detection for that same reason."
The network sniffing functionality makes the EMOTET malware very dangerous, and the features described were specifically designed to avoid detection.
“As EMOTET arrives via spammed messages, users are advised not to click links or download files that are unverified. For matters concerning finances, it’s best to call the financial or banking institution involved to confirm the message before proceeding.” suggests Trend Micro.

Pierluigi Paganini

(Security Affairs – EMOTET, banking malware)
