High-risk malware program has updated capabilities

Emotet, a self-propagating banking trojan, has reappeared in the threat landscape with an updated arsenal that allows attackers to exfiltrate emails with ease.

The malware, which has evolved into a distributor of other trojans since its initial appearance in 2014, now captures a victim’s email history, on top of the malicious modules it already deploys in order to gain access to a device.

In a report by Kryptos Logic, the cybersecurity firm said Emotet’s new payload captures emails going back up to 180 days on any infected system, including systems that were compromised before the new module was introduced.

“Emotet will likely, over the next few days, harvest countless emails across tens of thousands of actively infected systems,” Kryptos Logic said, in a warning that echoes a technical alert issued by the Department of Homeland Security (DHS) in July on how Emotet was causing governments to pay $1 million in recovery costs.

Once the email harvesting payload is delivered, all emails are scanned and saved into a file to be sent back to the attacker – a process similar to an Emotet module used to steal contact lists, Kryptos Logic said, which utilizes an Outlook Messaging API.

“This API is, essentially, an interface that allows an application to become email-ready,” Kryptos Logic said.

“The most common cases of MAPI (Messaging Application Programming Interface) usage are Simple MAPI, included in Windows as part of the default Windows Live email client, or the full MAPI as used by Outlook and Exchange.

“In other words, this API gives an application access to email, if Windows is adequately configured.”

As The Daily Swig previously reported, if your organization has been infected by Emotet, the advice is to take the infected machines off the network immediately and not to attempt any logins from them, since the malware harvests credentials.
