Cofense Intelligence observed multiple campaigns distributing the modular and extremely dangerous Emotet banking Trojan, now with the added capability of using stolen email templates to impersonate "major US financial institutions."
The new Emotet strain comes with the added ability of "enabling the theft of up to 16KB of raw emails and threads", either to let the Trojan steal phishing templates, to boost the bad actors' social engineering toolset, or to sell the results to any interested party.
Moreover, according to Cofense, the new scraping module is most likely behind the new and highly improved phishing templates used in the latest campaigns to spoof financial institutions.
As reported by Cofense Intelligence, the new Emotet malware campaigns "are effectively spoofing major US financial institutions in part by including legitimate URLs wrapped in Proofpoint’s (PFPT) TAP URL Defense wrapping service. This adds an air of legitimacy to the casual observer, designed to increase the chances of malware infection."
The malicious campaign was observed by Cofense on November 13 distributing email messages containing malicious Word documents all across the world, targeting random entities and individuals.
IcedID banking Trojan dropped as secondary malware payload
Once an email reached a target and the attached Word document was opened, the hidden malicious macros within it would download an Emotet sample and automatically execute it to infect the machine.
Although a versatile banking Trojan on its own, after a successful infection Emotet downloads an additional malware payload, in this case the IcedID banking Trojan.
IcedID is known to be able to compromise a broader range of entities than Emotet, ranging from financial and investment institutions to bank holding companies.
The recently unearthed Emotet campaign proves that the malware's email scraping module definitely pays off for the bad actors given that "ProofPoint URLs wrapped with URL Defense adds an additional false sense of security to a user."
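Because a URL Defense wrapper hides the real destination from the reader, a defender triaging messages like the ones Cofense describes above should decode the wrapper and look at the host it actually points to. The following is an added example, not code from Cofense, Proofpoint or the Emotet report; it decodes the v1 and v2 wrapper formats, and the sample message body and the `example-bank.invalid` domain are constructed.

```python
import re
from typing import Optional
from urllib.parse import urlsplit, parse_qs, unquote

# Hostname of Proofpoint's URL Defense rewriting service. The wrapped URLs
# used below are constructed for this example.
URLDEFENSE_HOST = "urldefense.proofpoint.com"

# Constructed phishing-style body: one wrapped link and one plain link.
SAMPLE_BODY = (
    "Please review the attached invoice. Sign in at "
    "https://urldefense.proofpoint.com/v2/url?u=https-3A__www.example-2Dbank.invalid_login"
    "&d=DwMFaQ&c=x&r=y&m=z&s=w&e= "
    "or visit https://www.example-bank.invalid/help for assistance."
)


def unwrap_urldefense(url: str) -> Optional[str]:
    """Return the destination behind a URL Defense v1/v2 wrapper,
    or None if the URL is not a wrapper this function understands."""
    parts = urlsplit(url)
    if parts.netloc.lower() != URLDEFENSE_HOST:
        return None
    encoded = parse_qs(parts.query).get("u", [None])[0]
    if encoded is None:
        return None
    if parts.path.startswith("/v1/"):
        # v1 carries the destination percent-encoded in the "u" parameter.
        return unquote(encoded)
    if parts.path.startswith("/v2/"):
        # v2 percent-encodes the destination, then writes "%" as "-" and
        # "/" as "_"; reverse both substitutions, then percent-decode.
        return unquote(encoded.replace("_", "/").replace("-", "%"))
    return None


def resolve_links(body: str) -> list:
    """Extract every http(s) link from an email body and report, for each,
    whether it was wrapped and which host it really leads to."""
    results = []
    for link in re.findall(r"https?://[^\s<>\"']+", body):
        dest = unwrap_urldefense(link)
        effective = dest if dest is not None else link
        results.append({
            "link": link,
            "wrapped": dest is not None,
            "destination": effective,
            "host": urlsplit(effective).netloc.lower(),
        })
    return results
```

Comparing `host` against the brand named in the message body, rather than trusting the wrapper's presence, is the check that the wrapped-link lure is designed to defeat.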
At the end of October, Emotet also got upgraded with an email exfiltration module which allows it to harvest email messages from all infected systems, as found by Kryptos Logic's security researchers.
According to a report by US-CERT, "Emotet continues to be among the most costly and destructive malware affecting SLTT governments. Its worm-like features result in rapidly spreading network-wide infection, which are difficult to combat. Emotet infections have cost SLTT governments up to $1 million per incident to remediate."