Banking threat Emotet expands target list, evades two-factor auth

The malware, which is still spread through phishing emails, is now in its third iteration, Kaspersky Lab researchers revealed.

Kaspersky researchers have analyzed the latest updates to banking malware, called Emotet – which has primarily been used to target online banking customers throughout Europe through social engineering.

In a Thursday blog post, Kaspersky researcher Alexey Shulmin published a detailed analysis of the malware's evolution, since its appearance last summer. In June 2014, Trend Micro discovered the threat and noted that it was spread via spam emails making the rounds in Germany. But, since then, Emotet has reportedly expanded to targeting clients of Swiss banks, as well as customers in Austria and other countries throughout Europe.

To date, the banking malware has several modules used to target victims – a loader module, as well as ones allowing distributed denial-of-service (DDoS) attacks, spamming and modifying HTTPS traffic, Shulmin wrote. In addition, Emotet employs an Outlook “grabber” function (for stealing victims' Microsoft Outlook address books and transferring the information to the criminals' server) and also uses a legitimate program, called Mail PassView, to target email account data.

Mail PassView is used for recovering forgotten passwords and mail accounts, Shulmin wrote.

Particularly interesting capabilities of the new variant include its detection of virtual machines – an indication that researchers may be analyzing the malware.

“The trojan tries to contact [a list of command center] addresses if it detects that it is being run in a virtual machine,” Shulmin explained. “But none of the addresses correspond to the bot's command centers, and the bot is therefore unsuccessful in trying to establish contact with them. This is probably done to confuse any investigators and give them the impression that the trojan command centers are dead. A similar approach was used previously in the high-profile banking trojan Citadel.”

Emotet authors have also modified the malware so that it can evade two-factor authentication measures put in place by banks. The trojan now uses web injects to display spurious alerts to victims during online banking sessions. The message asks the user to enter a Chip TAN or SMS TAN to carry out a “test transfer.” Instead, the “malicious script carries out a real transfer of money from the victim's account to the account of a nominated person – the so-called ‘drop', and the user themselves confirms this transfer using the Chip TAN or SMS TAN,” Shulmin explained.

Despite the malware's latest tricks, however, Shulmin noted that the malware “cannot function effectively without the participation of the users” given the attackers' reliance on social engineering to complete their scams.

The researcher added that anti-virus software capable of detecting the latest variants of the threat should help to prevent the fraud these malware attacks are designed to carry out.

“And so the alertness and technical awareness of the user, together with the use of a modern anti-virus program, can provide reliable protection against not only Emotet, but other new banking threats working in a similar way,” Shulmin said.
