EMOTET banking malware captures data sent over secured HTTPS connections

EMOTET banking malware uses network sniffing to capture data sent over secured HTTPS connections.

Spam emails making the rounds in Germany are delivering banking malware identified as EMOTET, a financial threat that is beginning to make its way over to the U.S., according to researchers from Trend Micro.

Upon infection, EMOTET downloads a configuration file containing information on the banks it is targeting, and also downloads a file that intercepts and logs network traffic, according to a Friday post by Joie Salvio, threat response engineer with Trend Micro.

One of EMOTET's most distinctive features is its network sniffing capability, which lets it capture data sent over secured HTTPS connections, Tom Kellermann, chief cybersecurity officer with Trend Micro, told SCMagazine.com in a Monday email correspondence.

The banking malware hooks into “Network APIs to monitor network traffic,” including PR_OpenTcpSocket, PR_Write, PR_Close, PR_GetNameForIdentity, Closesocket, Connect, Send, and WsaSend, according to Salvio.

Network sniffing makes it easier to skirt detection and enables EMOTET to operate without the infected user ever knowing, according to Salvio, who added that other, similar malware typically uses form field insertion and phishing pages to pilfer data.
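Because the hooks named above sit on the functions a browser calls before data is encrypted (the PR_* names are Mozilla NSPR exports, the rest are Winsock), a common defensive check is to inspect the first bytes of those exports in a running process for a detour. The following is an added illustration, not code from Trend Micro or the article: it classifies constructed prologue bytes as clean or hooked, and the snapshot dict stands in for what a memory scanner would read from each export's entry point.

```python
"""
Heuristic inline-hook check for the network APIs the article names.

Added example (not Trend Micro's or the article's code). A real scanner
would fill `snapshot` by reading each export's entry bytes from process
memory; here the bytes are constructed samples so the check runs offline.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Exports the article says EMOTET hooks (NSPR names as used by Firefox, plus Winsock).
WATCHED_APIS = [
    "PR_OpenTcpSocket", "PR_Write", "PR_Close", "PR_GetNameForIdentity",
    "closesocket", "connect", "send", "WSASend",
]


@dataclass
class HookFinding:
    api: str
    kind: str      # "jmp_rel32", "jmp_indirect", "push_ret" or "unreadable"
    detail: str


def classify_prologue(code: bytes) -> Optional[str]:
    """Return a detour kind if the entry bytes look hooked, else None."""
    if len(code) < 5:
        return "unreadable"                      # truncated entry point
    if code[0] == 0xE9:                          # JMP rel32: classic inline detour
        return "jmp_rel32"
    if code[:2] == b"\xFF\x25":                  # JMP [abs] / JMP [rip+disp32]
        return "jmp_indirect"
    if code[0] == 0x68 and len(code) >= 6 and code[5] == 0xC3:
        return "push_ret"                        # PUSH imm32; RET trampoline
    return None                                  # no detour pattern at the entry


def detour_target(entry_address: int, code: bytes) -> Optional[int]:
    """Resolve where a JMP rel32 or PUSH/RET detour lands (None if not one)."""
    kind = classify_prologue(code)
    if kind == "jmp_rel32":
        disp = int.from_bytes(code[1:5], "little", signed=True)
        return entry_address + 5 + disp          # rel32 is relative to next insn
    if kind == "push_ret":
        return int.from_bytes(code[1:5], "little")
    return None


def scan_exports(snapshot: Dict[str, bytes]) -> List[HookFinding]:
    """Report every watched export whose entry bytes look like a detour."""
    findings: List[HookFinding] = []
    for api in WATCHED_APIS:
        code = snapshot.get(api)
        if code is None:
            continue                             # export not present in this process
        kind = classify_prologue(code)
        if kind is not None:
            findings.append(HookFinding(api, kind, code[:6].hex(" ")))
    return findings


# Constructed sample snapshot: a clean prologue and three hooked ones.
SAMPLE_SNAPSHOT: Dict[str, bytes] = {
    "send":     b"\x8B\xFF\x55\x8B\xEC\x83\xEC\x10",  # mov edi,edi; push ebp; mov ebp,esp
    "WSASend":  b"\xE9\xFB\x0F\x00\x00\x90\x90\x90",  # jmp +0x0FFB
    "PR_Write": b"\x68\x78\x56\x34\x12\xC3\x90\x90",  # push 0x12345678; ret
    "connect":  b"\xFF\x25\x00\x10\x40\x00\x90\x90",  # jmp [0x00401000]
}


if __name__ == "__main__":
    for f in scan_exports(SAMPLE_SNAPSHOT):
        print(f"{f.api:<12} {f.kind:<13} {f.detail}")
```

The patterns are deliberately narrow: a scanner that flags anything other than a known-good prologue produces noise from legitimate hooking (EDR agents, compatibility shims), so corroborating a finding with the detour's target module is the useful next step, which is what `detour_target` supports.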

“Network sniffing is especially disconcerting in that an attacker, in essence, becomes omniscient to all information being exchanged on a network,” Kellermann said. “In short, it would be like someone having control of your closed-circuit television within a facility for a bird's-eye view of all activities.”

EMOTET also stores the component files it downloads in separate registry entries and places the encrypted stolen data in a registry entry as well, according to Salvio, who explained that it likely does this to evade file-based anti-virus detection.

The spam emails delivering EMOTET in Germany mostly involve banking transfers and shipping invoices, according to Salvio, who added that Trend Micro is still analyzing how the banking malware sends the sniffed data.
