Emotet trojan starts stealing full emails from infected machines

Posted by   Martijn Grooten on   Oct 31, 2018

Researchers at Kryptos Logic have discovered that the Emotet banking trojan is exfiltrating entire email bodies as opposed to merely email addresses.

Emotet was first discovered in 2014 as a banking trojan but has since evolved to become mostly a distributor of other malware. A typical Emotet infection starts with an email attachment, which downloads Emotet, which then downloads the final payload.

However, Emotet itself also has the capacity to steal data from the infected devices, among them email addresses in the contact list. In this, the malware is hardly unique: such harvested lists are then re-used or sold on for the purpose of sending spam that appears to come from a known address, and thus may seem more credible.

Now, however, the malware has added a module that steals the email body, subject and various metadata of all emails sent or received in the past 180 days, by using the Outlook Messaging API (MAPI). The data is then base64-encoded, stored in a temporary file and eventually uploaded to the malware's command-and-control server.

workflow.pngWorkflow showing how Emotet actors harvest emails (source: Kryptos Logic).

Using previously sent/received emails as a template for spam emails could result in spam messages that appear more credible, where the same email is resent with a link or attachment replaced. Though this won't change the fact that bypassing spam filters at scale is hard and the gains in delivery rates would likely be minimal, if emails do get delivered, it would make them appear very legitimate. I certainly wouldn't always notice that an email had been sent before.

More worryingly, the stolen emails could also be used in more targeted attacks, to perform some very credible social engineering. Though Emotet itself isn't a particular targeted threat, it has been known to download more targeted malware in the final stage, as a North Carolina water and sewage authority learned the hard way recently. It is not hard to imagine how the stolen data could be mined for more interesting and valuable targets.

And those targets will probably be easy to find: Emotet regularly infects US- and UK-based government organisations and enterprises.

twitter.png
fb.png
linkedin.png
hackernews.png
reddit.png

 

Latest posts:

VB2018 paper: Lazarus Group: a mahjong game played with different sets of tiles

The Lazarus Group, generally linked to the North Korean government, is one of the most notorious threat groups seen in recent years. At VB2018 ESET researchers Peter Kálnai and Michal Poslušný presented a paper looking at the group's various…

Book your VB2019 ticket now for a chance to win a ticket for BSides London

Virus Bulletin is proud to sponsor this year's BSides London conference, which will take place next week, and we have a number of tickets to give away.

First 11 partners of VB2019 announced

We are excited to announce the first 11 companies to partner with VB2019, whose support will help ensure a great event.

VB2018 paper: Fake News, Inc.

A former reporter by profession, Andrew Brandt's curiosity was piqued when he came across what appeared at first glance to be the website of a small-town newspaper based in Illinois, but under scrutiny, things didn’t add up. At VB2018 he presented a…

Paper: Alternative communication channel over NTP

In a new paper published today, independent researcher Nikolaos Tsapakis writes about the possibilities of malware using NTP as a covert communication channel and how to stop this.

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.