The malware will steal online banking credentials and can also extract credentials from installed email and messaging software.
The malware will steal online banking credentials and can also extract credentials from installed email and messaging software.

In the middle of last year, spam emails being distributed in Germany were leading to Emotet banking malware infections – now, German-language speakers are again the primary target of a new spam campaign that involves a variant of the financial threat.

In a Tuesday post, HeungSoo (David) Kang, with the Microsoft Malware Protection Center, wrote that the malware will steal online banking credentials whenever a user logs into a specified site, and that the list of bank websites – which includes Wells Fargo – can be changed at any time. He added that Emotet can also extract credentials from installed email and messaging software such as Google Talk and Yahoo! Messenger.

In the past 30 days, nearly half of Emotet infections have been in Germany; however, users in Austria, Switzerland, Hungary, Poland, the Netherlands, Slovenia, Czech Republic, Denmark and Slovak Republic have also been affected.

In a Wednesday email correspondence, Adam Kujawa, head of malware intelligence at Malwarebytes, told SCMagazine.com that it is possible for the attackers to change their strategy and being targeting users and banks in the U.S.

“It would be a matter of modifying the malware to look out for U.S. email and bank keywords and maybe even modify the practices of stealing the information since many banks in the U.S. don't follow the same security practices in other countries,” Kujawa said.

He explained, “This might mean that it's easier to steal the information or it means that it's more difficult – things like security images and access codes add an additional layer of security to the user's account and the attackers would need to compensate for that.”

So far the observed spam email messages leading to the malware are written in German, Kang wrote. One sample provided in the post purports to come from the Volksbank team and asks recipients to click a link to get more details on a deposit or statement.

Clicking the link can result in the download of a ZIP file, which contains an executable with a very long name so the .EXE extension is hidden, Kang wrote, adding the executable uses a PDF file icon to make it seem more legitimate.

Emotet also contains a spamming module – detected as Cetsiol.A – that logs into legitimate email accounts using stolen credentials and spreads the threat, Kang wrote, explaining this makes the spam emails hard to detect by filters.

“According to the analysis, the spam module actually logs into the stolen accounts of users,” Kujawa said. “This would be most effective if the module used the same system/browser combination as the victim usually uses. That way, things like cookie detection wouldn't flag to the email client that someone might be trying to break in, but rather make it look like the user is just logging into their own account.”

Microsoft was unable to provide additional information to SCMagazine.com on Wednesday.