Channel: Cyberoam : Securing You » Security Tips

Emotet spam campaign targeting banking credentials of Europeans


The Emotet malware, first found by Trend Micro in June last year, has resurfaced, according to security researchers at Microsoft. Spammers are distributing the malware through spam emails to steal users' financial and banking credentials. The spam appears to be designed primarily to target Germans, as the messages are written in German. But the spammers also seem to be interested in other European countries, as they have used other local European languages to lure users into the trap. Reports state that users in Austria, Switzerland, Hungary, Poland, the Netherlands, Slovenia, the Czech Republic, Denmark and the Slovak Republic have also been affected.

The new variant of the malware is spread via spam messages that either contain a link redirecting the user to a website from which the malware is delivered directly, or carry it as a PDF or ZIP attachment. It has the ability to inspect even HTTPS (secure) connections to harvest credentials. The spam messages use very convincing formats, including the user's phone bill, an invoice from the relevant bank, a free shopping voucher, or a PayPal message.

Once the user tries to open the attachment, his/her system is infected by the Emotet malware. The malware then downloads a configuration file for a component designed to steal banking and financial credentials for various banking and payment systems. It also keeps track of the host's network traffic for analysis, and it is capable of stealing credentials of email clients such as Outlook and Thunderbird, along with instant messengers such as Yahoo Messenger and Windows Live Messenger.

All of this information is stolen from the infected host and sent to the command and control server, where it is used to identify other potential targets and infect them. The malware is also capable of logging in to the email client and sending spam to others from the infected user's email account. Thus, regular anti-spam techniques that only check whether the sender's email account exists would fail in this case.

For more details, please refer to: http://blogs.technet.com/b/mmpc/archive/2015/01/06/emotet-spam-campaign-targets-banking-credentials.aspx

Cyberoam Recommends:

  • Keep your inbound anti-spam enabled, along with anti-virus scanning of attachments.
  • Also, enable outbound anti-spam scanning on Cyberoam, to prevent your domain/public IP from getting blacklisted by ISPs and major anti-spam providers in case any internal host gets infected.
  • Keep IPS enabled for outbound traffic, to block the malware's communication with its command and control center.
  • Educate end users to avoid opening attachments in suspicious emails, especially if the attachment is a compressed file.
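As an added illustration of the attachment checks behind the recommendations above (example code written for this post, not Cyberoam's or Microsoft's own; the file-type lists and the sample "invoice" message are constructed assumptions), this Python mail-filter hook flags compressed and PDF attachments and looks inside ZIP archives for executables hidden behind a document-like name:

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Assumed lists for this example: archive types the lure can arrive in, and
# executable extensions that should never sit inside an "invoice" archive.
ARCHIVE_TYPES = {"application/zip", "application/x-zip-compressed"}
RISKY_INNER = (".exe", ".scr", ".js", ".vbs", ".com", ".bat")


def assess_message(raw: bytes) -> list:
    """Return a list of findings for one raw RFC 822 message (empty = nothing flagged)."""
    findings = []
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        ctype = part.get_content_type()
        if ctype in ARCHIVE_TYPES or name.lower().endswith(".zip"):
            findings.append(f"compressed attachment: {name}")
            payload = part.get_payload(decode=True)
            try:
                # Peek inside the archive without extracting anything to disk.
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    for inner in zf.namelist():
                        if inner.lower().endswith(RISKY_INNER):
                            findings.append(f"executable inside archive: {inner}")
            except zipfile.BadZipFile:
                findings.append(f"unreadable archive: {name}")
        elif ctype == "application/pdf" or name.lower().endswith(".pdf"):
            findings.append(f"pdf attachment: {name}")
    return findings


def build_sample() -> bytes:
    """Constructed sample: a German 'invoice' mail whose ZIP wraps a double-extension .exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Rechnung.pdf.exe", b"not a real program")
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Ihre Rechnung"
    msg.set_content("Bitte sehen Sie die angehaengte Rechnung.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Rechnung.zip")
    return msg.as_bytes()
```

A gateway would quarantine or strip the message when `assess_message` returns any finding; a plain-text mail with no attachments yields an empty list.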

Be updated, be safe!

For similar security stories and threat updates, subscribe to Cyberoam Blogs!
