Emotet trojan starts stealing full emails from infected machines

Posted by   Martijn Grooten on   Oct 31, 2018

Researchers at Kryptos Logic have discovered that the Emotet banking trojan is exfiltrating entire email bodies as opposed to merely email addresses.

Emotet was first discovered in 2014 as a banking trojan but has since evolved to become mostly a distributor of other malware. A typical Emotet infection starts with an email attachment, which downloads Emotet, which then downloads the final payload.

However, Emotet itself also has the capacity to steal data from the infected devices, among them email addresses in the contact list. In this, the malware is hardly unique: such harvested lists are then re-used or sold on for the purpose of sending spam that appears to come from a known address, and thus may seem more credible.

Now, however, the malware has added a module that steals the email body, subject and various metadata of all emails sent or received in the past 180 days, by using the Outlook Messaging API (MAPI). The data is then base64-encoded, stored in a temporary file and eventually uploaded to the malware's command-and-control server.

workflow.pngWorkflow showing how Emotet actors harvest emails (source: Kryptos Logic).

Using previously sent/received emails as a template for spam emails could result in spam messages that appear more credible, where the same email is resent with a link or attachment replaced. Though this won't change the fact that bypassing spam filters at scale is hard and the gains in delivery rates would likely be minimal, if emails do get delivered, it would make them appear very legitimate. I certainly wouldn't always notice that an email had been sent before.

More worryingly, the stolen emails could also be used in more targeted attacks, to perform some very credible social engineering. Though Emotet itself isn't a particular targeted threat, it has been known to download more targeted malware in the final stage, as a North Carolina water and sewage authority learned the hard way recently. It is not hard to imagine how the stolen data could be mined for more interesting and valuable targets.

And those targets will probably be easy to find: Emotet regularly infects US- and UK-based government organisations and enterprises.

twitter.png
fb.png
linkedin.png
hackernews.png
reddit.png

 

Latest posts:

New paper: LokiBot: dissecting the C&C panel deployments

First advertised as an information stealer and keylogger when it appeared in underground forums in 2015, LokiBot has added various capabilities over the years and has affected many users worldwide. In a new paper researcher Aditya Sood analyses the…

VB2019 presentation: Building secure sharing systems that treat humans as features not bugs

In a presentation at VB2019 in London, Virtru's Andrea Limbago described how, by exploring data sharing challenges through a socio-technical lens, it is possible to make significant gains toward the secure sharing systems and processes that are vital…

VB2019 presentation: Attor: spy platform with curious GSM fingerprinting

Attor is a newly discovered cyber-espionage platform, use of which dates back to at least 2014 and which focuses on diplomatic missions and governmental institutions. Details of Attor were presented at VB2019 in London by ESET researcher Zuzana…

Why we encourage newcomers and seasoned presenters alike to submit a paper for VB2020

With the call for papers for VB2020 currently open, we explain why, whether you've never presented before or you're a conference circuit veteran, if you have some interesting research to share with the community we want to hear from you!

VB2019 paper: The cake is a lie! Uncovering the secret world of malware-like cheats in video games

At VB2019 in London, Kaspersky researcher Santiago Pontiroli presented a paper on the growing illegal economy around video game cheats and its parallels with the malware industry. Today we publish both Santiago's paper and the recording of his…

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.