EMOTET banking malware captures data sent over secured HTTPS connections

EMOTET banking malware uses network sniffing to capture data sent over secured HTTPS connections.

Spam emails making the rounds in Germany are delivering banking malware identified as EMOTET, a financial threat that is beginning to make its way over to the U.S., according to researchers from Trend Micro.

Upon infection, EMOTET downloads a configuration file containing information on the banks it is targeting, and also downloads a file that intercepts and logs network traffic, according to a Friday post by Joie Salvio, threat response engineer with Trend Micro.

One of the most distinctive features of EMOTET is its network sniffing ability, which enables it to capture data sent over secured HTTPS connections, Tom Kellermann, chief cybersecurity officer with Trend Micro, told SCMagazine.com in a Monday email correspondence.

The banking malware can hook to “Network APIs to monitor network traffic,” including PR_OpenTcpSocket, PR_Write, PR_Close, PR_GetNameForIdentity, closesocket, connect, send, and WSASend, according to Salvio.
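Hooking these functions lets the malware read buffers before they are TLS-encrypted, so a defender's check is whether the exported entry points still match the on-disk image. The script below is an added example, not code from Trend Micro or from the malware: it decodes the two common inline-hook stubs (jmp rel32, push/ret) and flags any watched export that is detoured out of its own module. The memory snapshot, module addresses and the assumption that the PR_* functions live in nss3.dll and the rest in ws2_32.dll are constructed for illustration.

```python
# APIs the Trend Micro analysis quoted above reports EMOTET hooking (NSPR and Winsock).
WATCHED_APIS = ["PR_OpenTcpSocket", "PR_Write", "PR_Close", "PR_GetNameForIdentity",
                "closesocket", "connect", "send", "WSASend"]

def jump_target(entry, base):
    """Decode the two common inline-hook stubs: 'jmp rel32' (E9) and 'push imm32; ret' (68 .. C3)."""
    if len(entry) >= 5 and entry[0] == 0xE9:
        return base + 5 + int.from_bytes(entry[1:5], "little", signed=True)
    if len(entry) >= 6 and entry[0] == 0x68 and entry[5] == 0xC3:
        return int.from_bytes(entry[1:5], "little")
    return None

def check_api(api, base, in_memory, on_disk, module):
    """Return (api, reason) when the in-memory prologue no longer matches the on-disk image.
    A detour staying inside the owning module is ignored (normal hot-patching); one leaving it
    is reported with its destination so the target region can be triaged."""
    if in_memory[:len(on_disk)] == on_disk:
        return None
    target = jump_target(in_memory, base)
    if target is None:
        return (api, "entry bytes differ from on-disk image")
    if module[0] <= target < module[1]:
        return None
    return (api, f"entry redirected outside its module to {target:#x}")

def scan(snapshot, modules):
    """Run check_api over every watched export present in the snapshot, in WATCHED_APIS order."""
    findings = []
    for api in WATCHED_APIS:
        rec = snapshot.get(api)
        if rec:
            f = check_api(api, rec["base"], rec["mem"], rec["disk"], modules[rec["module"]])
            if f:
                findings.append(f)
    return findings

# Constructed sample (not a real memory dump): a 32-bit process with nss3.dll at 0x10000000 and
# ws2_32.dll at 0x77000000; on disk each export starts with the hot-patch prologue
# 'mov edi,edi; push ebp; mov ebp,esp'. HOOK_TARGET stands for injected code outside both modules.
PROLOGUE = bytes.fromhex("8bff558bec")
MODULES = {"nss3.dll": (0x10000000, 0x10100000), "ws2_32.dll": (0x77000000, 0x77040000)}
HOOK_TARGET, PR_WRITE_BASE = 0x00401000, 0x10001000
SNAPSHOT = {
    "PR_Write": {"module": "nss3.dll", "base": PR_WRITE_BASE, "disk": PROLOGUE,   # jmp rel32 hook
                 "mem": b"\xe9" + (HOOK_TARGET - PR_WRITE_BASE - 5).to_bytes(4, "little", signed=True)},
    "send": {"module": "ws2_32.dll", "base": 0x77001000, "disk": PROLOGUE, "mem": PROLOGUE},  # clean
    "WSASend": {"module": "ws2_32.dll", "base": 0x77002000, "disk": PROLOGUE,     # push/ret hook
                "mem": b"\x68" + HOOK_TARGET.to_bytes(4, "little") + b"\xc3"},
}
```

On a live system the `mem` and `disk` bytes would come from reading the process and the mapped file respectively; a reported target inside unbacked or non-image memory is the case worth a closer look.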

Network sniffing makes it easier to skirt detection and enables EMOTET to operate without the infected user ever knowing, according to Salvio, who added that other, similar malware typically uses form field insertion and phishing pages to pilfer data.

“Network sniffing is especially disconcerting in that an attacker, in essence, becomes omniscient to all information being exchanged on a network,” Kellermann said. “In short, it would be like someone having control of your closed-circuit television within a facility for a bird's-eye view of all activities.”

EMOTET also stores the component files it downloads in different registry entries, and places stolen data, encrypted, in a registry entry as well, according to Salvio, who explained that it likely does this to evade file-based anti-virus detection.

The spam emails delivering EMOTET in Germany mostly involve banking transfers and shipping invoices, according to Salvio, who added that Trend Micro is still analyzing how the banking malware sends the sniffed data.
