
EMOTET the banking malware which uses network sniffing

Security experts at Trend Micro have detected a new banking malware, dubbed EMOTET, which also uses network sniffing capabilities to target bank customers.

The number of malware families designed to hit the banking industry is in constant growth; in the first part of this year the number of malicious codes used by cyber criminals for banking fraud has doubled.
Malware authors are implementing ever more sophisticated techniques to deceive customers of financial institutions. Until now security experts have detected malicious codes, working on both mobile and desktop devices, that include a data-stealer component to capture the victim's credentials, but this time the threat is more complex. The cybercrime ecosystem is known to be very prolific: researchers at the security firm Trend Micro have discovered a banking malware, dubbed EMOTET, which also implements a network "sniffing" feature to steal sensitive information from other users on the same network segment.

“In fact, 2013 saw almost a million new banking malware variants—double the volume of the previous year. The rise of banking malware continued into this year, with new malware and even new techniques.” states Joie Salvio, Threat Response Engineer at Trend Micro.

The banking malware EMOTET was spread through a classic email spam campaign: the attackers try to deceive banking customers by leading them to believe that the malware is a legitimate shipping invoice sent by the bank.

“Users who receive these emails might be persuaded to click the provided links, considering that the emails refer to financial transactions.” states Trend Micro.

The spammed email includes a link that the targeted user must click for the malware to get installed. Once installed, the malware downloads further components, including DLL and configuration files that contain information about the targeted banks.

EMOTET is largely infecting the EMEA region (Europe, the Middle East and Africa); Germany is the country most targeted by the malicious code.
The EMOTET malware also downloads a .DLL file that is injected into all processes and is responsible for the sniffing activity: it intercepts and logs outgoing network traffic.
“When injected to a browser, this malicious DLL compares the accessed site with the strings contained in the previously downloaded configuration file. If strings match, the malware assembles the information by getting the URL accessed and the data sent. The malware saves the whole content of the website, meaning that any data can be stolen and saved.
EMOTET can even “sniff” out data sent over secured connections through its capability to hook to the following Network APIs to monitor network traffic:”
  • PR_OpenTcpSocket
  • PR_Write
  • PR_Close
  • PR_GetNameForIdentity
  • closesocket
  • connect
  • send
  • WSASend
By hooking these APIs, EMOTET is able to bypass the protection of HTTPS connections, allowing attackers to capture victims' personal information and banking credentials even when they are transmitted over a secure connection.
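As an added example (not code from the original article or from Trend Micro), here is a defender-side check for the hooking technique described above: it inspects the first bytes of the listed exports and reports any whose first instruction transfers control out of the module that exports them, which is what a trampoline into an injected DLL looks like. The module layout, addresses and bytes are constructed sample data; on a real host they would come from a process memory dump.

```python
"""Inline-hook check for the network APIs that EMOTET's injected DLL intercepts.
Added example, not Trend Micro's or Security Affairs' code. A watched export whose
first instruction jumps outside its own module is reported. All addresses and
bytes below are constructed sample data."""
import struct
from collections import namedtuple

# APIs named in the Trend Micro analysis: NSPR exports of nss3.dll, Winsock exports of ws2_32.dll.
WATCHED_APIS = {
    "nss3.dll": ["PR_OpenTcpSocket", "PR_Write", "PR_Close", "PR_GetNameForIdentity"],
    "ws2_32.dll": ["closesocket", "connect", "send", "WSASend"],
}

# name, load address, image size, {export name: RVA}, in-memory copy of the module
Module = namedtuple("Module", "name base size exports image")

def hook_target(code: bytes, addr: int):
    """Destination of a common 32-bit hook stub located at `addr`, or None."""
    if len(code) >= 5 and code[0] == 0xE9:                               # JMP rel32
        return addr + 5 + struct.unpack_from("<i", code, 1)[0]
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:           # PUSH imm32; RET
        return struct.unpack_from("<I", code, 1)[0]
    if len(code) >= 7 and code[0] == 0xB8 and code[5:7] == b"\xff\xe0":  # MOV EAX,imm32; JMP EAX
        return struct.unpack_from("<I", code, 1)[0]
    return None

def scan_module(mod: Module) -> dict:
    """{api: target} for watched exports whose prologue jumps out of the module.
    Jumps that stay inside it are ignored: forwarders and thunks legitimately start with JMP."""
    findings = {}
    for api in WATCHED_APIS.get(mod.name.lower(), []):
        rva = mod.exports.get(api)
        if rva is None:
            continue
        target = hook_target(mod.image[rva:rva + 8], mod.base + rva)
        if target is not None and not mod.base <= target < mod.base + mod.size:
            findings[api] = target
    return findings

def sample_ws2_32() -> Module:
    """Constructed ws2_32.dll image: send and WSASend hooked, connect and closesocket clean."""
    base, img = 0x71A00000, bytearray(0x100)
    clean = b"\x8b\xff\x55\x8b\xec"        # mov edi,edi; push ebp; mov ebp,esp
    img[0x10:0x15] = clean                 # connect
    img[0x80:0x85] = clean                 # closesocket
    img[0x40:0x45] = b"\xe9" + struct.pack("<i", 0x10001000 - (base + 0x45))  # send -> injected DLL
    img[0x60:0x66] = b"\x68" + struct.pack("<I", 0x10002000) + b"\xc3"       # WSASend: push/ret stub
    exports = {"connect": 0x10, "send": 0x40, "WSASend": 0x60, "closesocket": 0x80}
    return Module("ws2_32.dll", base, len(img), exports, bytes(img))

if __name__ == "__main__":
    print({api: hex(t) for api, t in scan_module(sample_ws2_32()).items()})
```

The same check applied to nss3.dll covers the NSPR functions, which is where the plaintext passes before the browser encrypts it.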
EMOTET stores the stolen data in separate entries in encrypted format; in this way it can evade security checks. As Salvio explains, the technique can also serve as "a countermeasure against file-based AV detection for that same reason."
The implementation of network sniffing functionality makes the EMOTET malware very dangerous; the features described were specifically designed to avoid detection.
“As EMOTET arrives via spammed messages, users are advised not to click links or download files that are unverified. For matters concerning finances, it’s best to call the financial or banking institution involved to confirm the message before proceeding.” suggests Trend Micro.

Pierluigi Paganini

(Security Affairs –  EMOTET, banking malware)
