EMOTET banking malware captures data sent over secured HTTPS connections

EMOTET banking malware uses network sniffing to capture data sent over secured HTTPS connections.

Spam emails making the rounds in Germany are delivering banking malware identified as EMOTET, a financial threat that is beginning to make its way over to the U.S., according to researchers from Trend Micro.

Upon infection, EMOTET downloads a configuration file containing information on the banks it is targeting, and also downloads a file that intercepts and logs network traffic, according to a Friday post by Joie Salvio, threat response engineer with Trend Micro.

One of the standout features of EMOTET is its network sniffing ability, which enables it to capture data sent over secured HTTPS connections, Tom Kellermann, chief cybersecurity officer with Trend Micro, told SCMagazine.com in a Monday email correspondence.

The banking malware can hook “Network APIs to monitor network traffic,” including PR_OpenTcpSocket, PR_Write, PR_Close, PR_GetNameForIdentity, closesocket, connect, send, and WSASend, according to Salvio.
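A defender-side check suggested by that hook list, added here as an example that is neither the article's nor Trend Micro's code: given the first bytes of those exports as read out of a suspect process (for instance with a debugger) and the process's loaded-module map, it flags any entry point overwritten with a detour that leaves the owning module. The module bases, addresses and prologue bytes below are constructed 32-bit values; the note that the PR_* names are NSPR functions from Firefox's networking layer and the rest Winsock exports is mine, not the article's.

```python
import struct

# Exports the article lists as EMOTET's hook points: PR_* are NSPR functions (Firefox's networking layer), the rest Winsock exports from ws2_32.dll.
WATCHED_EXPORTS = ["PR_OpenTcpSocket", "PR_Write", "PR_Close", "PR_GetNameForIdentity",
                   "closesocket", "connect", "send", "WSASend"]

def detour_target(addr, prologue):
    """Decode a detour written over a function's first bytes; None if they are not a transfer."""
    if len(prologue) >= 5 and prologue[0] == 0xE9:                          # jmp rel32
        return (addr + 5 + struct.unpack_from("<i", prologue, 1)[0]) & 0xFFFFFFFF
    if len(prologue) >= 6 and prologue[0] == 0x68 and prologue[5] == 0xC3:  # push imm32 ; ret
        return struct.unpack_from("<I", prologue, 1)[0]
    if prologue[:2] == b"\xff\x25":                                         # jmp [mem]: target not decodable here
        return "indirect"
    return None

def owning_module(addr, modules):
    """Name of the loaded module whose range contains addr, or None if no module backs it."""
    for name, base, size in modules:
        if base <= addr < base + size:
            return name
    return None

def find_hooks(exports, modules):
    """exports: name -> (address, first bytes); modules: [(name, base, size)]. Flags watched exports redirected outside their own module."""
    findings = []
    for name in WATCHED_EXPORTS:
        if name not in exports:
            continue
        addr, prologue = exports[name]
        target = detour_target(addr, prologue)
        target_module = None if target in (None, "indirect") else owning_module(target, modules)
        if target is not None and target_module != owning_module(addr, modules):
            findings.append((name, target, target_module))
    return findings

# Constructed sample, 32-bit layout: real module names at made-up bases, plus a private allocation at 0x00320000 standing in for a sniffing stub.
SAMPLE_MODULES = [("nss3.dll", 0x6B000000, 0x200000), ("ws2_32.dll", 0x75E00000, 0x40000)]

def sample_exports():
    def jmp(src, dst):
        return b"\xe9" + struct.pack("<i", dst - (src + 5)) + b"\x90"
    return {
        "PR_Write": (0x6B012340, jmp(0x6B012340, 0x00320000)),          # detour into private memory
        "PR_Close": (0x6B013000, jmp(0x6B013000, 0x6B0FF000)),          # detour that stays inside nss3
        "connect":  (0x75E21000, b"\x8b\xff\x55\x8b\xec\x83"),           # mov edi,edi ; push ebp ; mov ebp,esp : untouched
        "send":     (0x75E2A000, b"\x68" + struct.pack("<I", 0x00320100) + b"\xc3"),  # push/ret
    }

print(find_hooks(sample_exports(), SAMPLE_MODULES))  # [('PR_Write', 3276800, None), ('send', 3277056, None)]
```

A detour that stays inside the owning module (PR_Close in the sample) is deliberately not reported, since vendor hot-patch stubs look the same; only redirection into memory no module backs, or into a different module, is flagged.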

Network sniffing makes it easier to skirt detection and enables EMOTET to operate without the infected user ever knowing, according to Salvio, who added that other similar malware typically uses form field insertion and phishing pages to pilfer data.

“Network sniffing is especially disconcerting in that an attacker, in essence, becomes omniscient to all information being exchanged on a network,” Kellermann said. “In short, it would be like someone having control of your closed-circuit television within a facility for a bird's-eye view of all activities.”

EMOTET also stores the component files it downloads in separate registry entries and keeps encrypted stolen data in a registry entry as well, according to Salvio, who explained that it likely does this to evade file-based anti-virus detection.

The spam emails delivering EMOTET in Germany mostly involve banking transfers and shipping invoices, according to Salvio, who added that Trend Micro is still analyzing how the banking malware sends the sniffed data.
