Emotet trojan starts stealing full emails from infected machines

Posted by   Martijn Grooten on   Oct 31, 2018

Researchers at Kryptos Logic have discovered that the Emotet banking trojan is exfiltrating entire email bodies as opposed to merely email addresses.

Emotet was first discovered in 2014 as a banking trojan but has since evolved to become mostly a distributor of other malware. A typical Emotet infection starts with an email attachment, which downloads Emotet, which then downloads the final payload.

However, Emotet itself also has the capacity to steal data from the infected devices, among them email addresses in the contact list. In this, the malware is hardly unique: such harvested lists are then re-used or sold on for the purpose of sending spam that appears to come from a known address, and thus may seem more credible.

Now, however, the malware has added a module that steals the email body, subject and various metadata of all emails sent or received in the past 180 days, by using the Outlook Messaging API (MAPI). The data is then base64-encoded, stored in a temporary file and eventually uploaded to the malware's command-and-control server.

workflow.pngWorkflow showing how Emotet actors harvest emails (source: Kryptos Logic).

Using previously sent/received emails as a template for spam emails could result in spam messages that appear more credible, where the same email is resent with a link or attachment replaced. Though this won't change the fact that bypassing spam filters at scale is hard and the gains in delivery rates would likely be minimal, if emails do get delivered, it would make them appear very legitimate. I certainly wouldn't always notice that an email had been sent before.

More worryingly, the stolen emails could also be used in more targeted attacks, to perform some very credible social engineering. Though Emotet itself isn't a particular targeted threat, it has been known to download more targeted malware in the final stage, as a North Carolina water and sewage authority learned the hard way recently. It is not hard to imagine how the stolen data could be mined for more interesting and valuable targets.

And those targets will probably be easy to find: Emotet regularly infects US- and UK-based government organisations and enterprises.

twitter.png
fb.png
linkedin.png
hackernews.png
reddit.png

 

Latest posts:

VB2019 conference programme announced

VB is excited to reveal the details of an interesting and diverse programme for VB2019, the 29th Virus Bulletin International Conference, which takes place 2-4 October in London, UK.

VB2018 paper: Under the hood - the automotive challenge

Car hacking has become a hot subject in recent years, and at VB2018 in Montreal, Argus Cyber Security's Inbar Raz presented a paper that provides an introduction to the subject, looking at the complex problem, examples of car hacks, and the…

VB2018 paper and video: Android app deobfuscation using static-dynamic cooperation

Static analysis and dynamic analysis each have their shortcomings as methods for analysing potentially malicious files. Today, we publish a VB2018 paper by Check Point researchers Yoni Moses and Yaniv Mordekhay, in which they describe a method that…

VB2019 call for papers closes this weekend

The call for papers for VB2019 closes on 17 March, and while we've already received many great submissions, we still want more!

Registration open for VB2019 ─ book your ticket now!

Registration for VB2019, the 29th Virus Bulletin International Conference, is now open, with an early bird rate available until 1 July.

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.