Emotet Trojan Changes Tactics…Again

The group behind the Emotet trojan developing a reputation for deploying the malware as a banking trojan. Not content to be a one trick pony those behind the malware are continually developing the trojan. In the latest iteration of Emotet a module has been included that is capable of stealing a victim's emails for the previous six months. In previous versions, Emotet could be only capable of stealing email addresses. The new updates open up the possibility of data theft and corporate espionage for the cybercriminals. To further complicate matters the new capability can be deployed on any system that is already infected by the malware.

Kryptos Logic’s Discovery

Security researchers at Kryptos Logic observed Emotet's email harvesting module and noticed that it had become more advanced, with functions to also exfiltrate email subjects and bodies. In a blog post the researchers explained Emotet’s new module will crawl every email of every subfolder in the interpersonal message (IPM) root folder. This root folder contains emails stored in the Inbox, Outbox, Deleted Items, and Sent Items subfolders. In other words, all of the victim’s emails. The researchers further discovered that the module was only capable of stealing 16KB or put differently 16,384 characters, for the body of an email before sending it to the command and control (C&C) server.

This would mean that the attacker would rarely be capable of stealing a file attachment. However, what can be stolen would be the entire text message. Researchers pointed out that they were unsure as to the motives of the group for stealing email data in such a way. When looking at the profile of the victims, the researchers suggested that the emails would almost certainly contain valuable information. Researchers further concluded that the data could be used to improve effectiveness when attempting to infect other devices on the network. The email data-stealing module further increases the trojan’s ability to grab data they deem valuable from an infected machine.

emotet trojan new tactic

Emotet is more often than not distributed via a spam email campaign. Researchers noticed though that the new module is not included in the initial payload. The main malware component on the compromised computer downloads the email module from Emotet's command and control server then activates it locally. Emails are then scanned and their content is saved to a temporary file. The operation is given 300 seconds to complete, then it is terminated and the module reads the entire temporary file, making sure it is at least 116 bytes before sending it to the server. While the motives of the attackers can only be guessed at the latest iteration of Emotet poses a greater threat to businesses and enterprises where email communication may include sufficient information to allow preparation of targeted attacks.

Emotet’s Past Tactics

In May 2018 Malwarebytes published a two-part analysis of Emotet in its current state at the time. The analysis while comprehensive includes a wealth of technical information better dealt with by security researchers. What could be concluded readily is that Emotet, according to Malwarebytes, is that,

“Emotet is one of the most active threats seen in the wild, with campaigns serving this malware daily to potential victims across the globe. The level of code obfuscation and encryption used to hide the code is quite complex and well-executed. In fact, it is one of the most complex downloaders in circulation. That’s why we felt it was so important to help audiences understand Emotet in sufficient detail so that code variations or other changes in the future do not pose any major challenges to analysts trying to decode this malware. The more you know, the better and faster you are able to protect users from sophisticated malware attacks.”

In was not only Malwarebytes sounding the alarms. In July, the US-CERT warned organizations about Emotet's capabilities, describing it as one of the “most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors.” Further US-CERT estimated that Emotet cost governments in excess of 1 million USD at the time. Researchers and authorities discovered fairly quickly that the developers of Emotet are quickly capable of adapting their malware to merging mitigation techniques by using industry-wide practices. An example of this can be seen when the developers started implementing DKIM on their hijacked domains in order to bypass mail filters after US-CERT issued their security notice regarding the malware.

Emotet’s Botnet is Rather Large

 Another factor adding to Emotet’s potential threat is the size of the botnet the developers have access to. The number of users that could be impacted by Emotet's new plugin is huge. Estimation from the company based on telemetry data from their proprietary notification service gives a baseline of a few hundred thousand infections. The exact number is unknown as only unique IP addresses are considered in the count, and multiple infected machines could use a single IP to connect to the internet.

The developers of Emotet, since the trojan was first discovered in 2014, have constantly developed Emotet into a multifaceted threat that can move laterally through networks without drawing attention. They are also known for dropping off the radar in attempts not to draw too much attention to their activities. This indicates the group plans all attack campaigns meticulously. Currently, researchers have not seen any new spam campaigns, but if the past is anything to go one this may indicate a ramping up of activity before they disappear once more.