Incident Response, Malware, TDR

EMOTET banking malware captures data sent over secured HTTPS connections

Spam emails making the rounds in Germany are delivering banking malware identified as EMOTET, a financial threat that is beginning to make its way over to the U.S., according to researchers from Trend Micro.

Upon infection, EMOTET downloads a configuration file containing information on the banks it is targeting, and also downloads a file that intercepts and logs network traffic, according to a Friday post by Joie Salvio, threat response engineer with Trend Micro.

One of the most standout features of EMOTET is its network sniffing ability, which enables it to capture data sent over secured HTTPS connections, Tom Kellermann, chief cybersecurity officer with Trend Micro, told SCMagazine.com in a Monday email correspondence.

The banking malware can hook to “Network APIs to monitor network traffic,” including PR_OpenTcpSocket, PR_Write, PR_Close, PR_GetNameForIdentity, Closesocket, Connect, Send, and WsaSend, according to Salvio.

Network sniffing makes it easier to skirt detection and enables EMOTET to operate without the infected user ever knowing, according to Salvio, who added that other similar malware typically use form field insertion and phishing pages to pilfer data.

“Network sniffing is especially disconcerting in that an attacker, in essence, becomes omniscient to all information being exchanged on a network,” Kellermann said. “In short, it would be like someone having control of your closed-circuit television within a facility for a bird's-eye view of all activities.”

EMOTET also puts the component files it downloads into different registry entries, as well as places encrypted stolen data in a registry entry, according to Salvio, who explained that it likely does this to evade detection and counter file-based anti-virus detection.

The spam emails delivering EMOTET in Germany mostly involve banking transfers and shipping invoices, according to Salvio, who added that Trend Micro is still analyzing how the banking malware sends the sniffed data.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.