With online banking becoming routine for most users, it comes as no surprise that we are seeing more banking malware enter the threat landscape. In fact, 2013 saw almost a million new banking malware variants—double the volume of the previous year. The rise of banking malware continued into this year, with new malware and even new techniques.
Just weeks after we came across banking malware that abuses a Window security feature, we have also spotted yet another banking malware. What makes this malware, detected as EMOTET, highly notable is that it “sniffs” network activity to steal information.
The Spam Connection
EMOTET variants arrive via spammed messages. These messages often deal with bank transfers and shipping invoices. Users who receive these emails might be persuaded to click the provided links, considering that the emails refer to financial transactions.
Figure 1. Sample spammed message
Figure 2. Sample spammed message
The provided links ultimately lead to the downloading of EMOTET variants into the system.
Theft via Network Sniffing
Once in the system, the malware downloads its component files, including a configuration file that contains information about banks targeted by the malware. Variants analyzed by engineers show that certain banks from Germany were included in the list of monitored websites. Note, however, that the configuration file may vary. As such, information on the monitored banks may also differ depending on the configuration file.
Another downloaded file is a .DLL file that is also injected to all processes and is responsible for intercepting and logging outgoing network traffic. When injected to a browser, this malicious DLL compares the accessed site with the strings contained in the previously downloaded configuration file.
If strings match, the malware assembles the information by getting the URL accessed and the data sent. The malware saves the whole content of the website, meaning that any data can be stolen and saved.
EMOTET can even “sniff” out data sent over secured connections through its capability to hook to the following Network APIs to monitor network traffic:
Our researchers’ attempts to log in were captured by the malware, despite the site’s use of HTTPS.
This method of information theft is notable as other banking malware often rely on form field insertion or phishing pages to steal information. The use of network sniffing also makes it harder to users to detect any suspicious activity as no changes are visibly seen (such as an additional form field or a phishing page). Moreover, it can bypass even a supposedly secure connection like HTTPs which poses dangers to the user’s personal identifiable information and banking credentials. Users can go about with their online banking without every realizing that information is being stolen.
The Use of Registry Entries
Registry entries play a significant role in EMOTET’s routines. The downloaded component files are placed in separate entries. The stolen information is also placed in a registry entry after being encrypted.
The decision to storing files and data in registry entries could be seen as a method of evasion. Regular users often do not check registry entries for possibly malicious or suspicious activity, compared to checking for new or unusual files. It can also serve as a countermeasure against file-based AV detection for that same reason.
We’re currently investigating how this malware family sends the gathered data it ‘sniff’ from the network.
Latest feedback from the Smart Protection Network shows that EMOTET infections are largely centered in the EMEA region, with Germany as the top affected country. This isn’t exactly a surprise considering that the targeted banks are all German. However, other regions like APAC and North America have also seen EMOTET infections, implying that this infection is not exclusive to a specific region or country.
As EMOTET arrives via spammed messages, users are advised not to click links or download files that are unverified. For matters concerning finances, it’s best to call the financial or banking institution involved to confirm the message before proceeding.
Trend Micro blocks all related threats.
With additional insights from Rhena Inocencio and Marilyn Melliang.
Update as of July 3, 2014, 2:00 A.M. PDT:
The SHA1 hash of the file with this behavior we’ve seen is: