Trend Micro has identified new banking malware, named EMOTET, that steals sensitive data using a network-sniffing component. The malware intercepts and logs outgoing traffic from the infected machine and checks it for sensitive data.
Most affected users are in the Europe, Middle East and Africa (EMEA) region, but there are victims in the Asia-Pacific and North America regions as well.
The malware's use of network sniffing to collect data from the infected machine makes it harder to detect. Cybercriminals spread it through spam emails that appear to relate to money transfers or shipping invoices. In both cases, users are enticed to click a link that downloads the malware onto their machine.
Once downloaded, the malware retrieves its component files, which include a configuration file listing certain banks in Germany and a .DLL file that is injected into all running processes. This .DLL is responsible for intercepting and logging information from outgoing network traffic. Inside the web browser it compares the websites being accessed against those listed in the downloaded configuration file.
When an accessed website matches an entry in the configuration file, the malware records all data the user sends to that site. It can capture data sent over secured connections as well, because it hooks the following network APIs to monitor traffic: PR_OpenTcpSocket, PR_Write, PR_Close, PR_GetNameForIdentity, closesocket, connect, send and WSASend. The PR_* functions belong to NSPR, the runtime used by Firefox, and the rest are Winsock calls. Hooking them inside the browser process means the malware reads request data at the application's I/O layer rather than on the wire, which is why TLS does not protect the user: PR_Write, for example, receives the plaintext that Firefox is about to encrypt.
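The following is an added example, not code from Trend Micro or from EMOTET itself. It models what the hook described above does with one outgoing buffer as seen at PR_Write or send: parse it as an HTTP request, match the Host header against the configured target list, and, for a matching form POST, extract the submitted fields; anything that does not parse as a request (a fragment, or already-encrypted TLS records as a Winsock hook would see them) is passed through. The target hosts and request buffers are constructed for the example; the real configuration file is not reproduced.

```python
"""Simulated application-layer hook filter (added example, not EMOTET or Trend Micro code).

Models what a hook on PR_Write or send sees: the request buffer inside the browser
process. At PR_Write that buffer is still plaintext even for an https:// URL, which
is why TLS does not protect the user here. The target list and request buffers are
constructed for this example; the real configuration file is not reproduced.
"""
from urllib.parse import parse_qs

# Constructed stand-in for the downloaded configuration file.
TARGET_HOSTS = ["bank-example.de", "onlinebanking.sparkasse-example.de"]


def host_matches(host: str, targets=TARGET_HOSTS) -> bool:
    """True if host is a configured target or a subdomain of one (port suffix ignored)."""
    host = host.lower().split(":")[0]
    return any(host == t or host.endswith("." + t) for t in targets)


def parse_http_request(buf: bytes):
    """Minimal HTTP/1.x request parser for one buffer handed to the hooked API.

    Returns (method, path, headers, body), or None for anything that is not a
    complete HTTP request head (a fragment, or already-encrypted TLS records as a
    Winsock hook would see them); the hook would pass such buffers through.
    """
    head, sep, body = buf.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return parts[0].decode("latin-1"), parts[1].decode("latin-1"), headers, body


def inspect_outgoing(buf: bytes, targets=TARGET_HOSTS):
    """Decide what the hook does with one outgoing buffer.

    Returns a log record for requests to a configured host (form fields included
    for urlencoded POSTs), or None so that everything else passes through untouched.
    """
    parsed = parse_http_request(buf)
    if parsed is None:
        return None
    method, path, headers, body = parsed
    host = headers.get("host", "")
    if not host_matches(host, targets):
        return None
    record = {"host": host, "method": method, "path": path, "fields": {}}
    if method == "POST" and headers.get("content-type", "").startswith(
            "application/x-www-form-urlencoded"):
        record["fields"] = {k: v[0] for k, v in parse_qs(body.decode("latin-1")).items()}
    return record


# Constructed sample buffers, as they would appear at the hooked call.
LOGIN_POST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: login.bank-example.de\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 25\r\n"
    b"\r\n"
    b"account=12345678&pin=9876"
)
OTHER_SITE_GET = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
# A TLS handshake record fragment: what a send() hook sees once encryption has been applied.
TLS_RECORD = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"

if __name__ == "__main__":
    for buf in (LOGIN_POST, OTHER_SITE_GET, TLS_RECORD):
        print(inspect_outgoing(buf))
```

The point of the example is the contrast between the three buffers: the login POST yields a record with the account number and PIN even though the browser would have sent it over HTTPS, the request to a non-target host is ignored by design (the configuration file drives what gets logged), and the TLS record is opaque, which is why the malware hooks inside the application rather than sniffing the network.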
Registry entries play an important role in EMOTET's routine. The decision to store files and data in registry entries can be seen as an evasion method: regular users seldom check registry entries for suspicious activity, whereas new or unusual files are more likely to be noticed. For the same reason it also serves as a countermeasure against file-based AV detection.
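As an added example of the check this implies for a responder (not part of the Trend Micro write-up, which names no specific keys), the script below walks a registry hive and flags values that look like stashed files or data rather than settings: data beginning with the MZ PE header (raw or base64), unusually large values, and long high-entropy blobs. The hive (HKCU\Software), the size and entropy thresholds, and the sample entries are all assumptions made for the example; the registry walk itself only runs on Windows, while the classification logic runs anywhere.

```python
"""Hunt for payloads or data stashed in registry values (added example, not from the write-up).

The page names no specific keys, so this is a generic check: walk a hive (HKCU\\Software
by default; an assumption) and flag values that look like stashed files or blobs: data
starting with the MZ PE header (raw or base64), unusually large values, and long
high-entropy data. Thresholds are assumptions and the sample entries are constructed.
"""
import math
import sys
from collections import Counter

# Value type codes as returned by winreg.EnumValue.
REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD, REG_MULTI_SZ = 1, 2, 3, 4, 7

SIZE_THRESHOLD = 8 * 1024   # assumption: ordinary settings rarely exceed a few KB
ENTROPY_THRESHOLD = 6.5     # assumption: bits/byte; packed or encrypted data approaches 8
MIN_ENTROPY_LEN = 512       # assumption: entropy is meaningless on tiny values


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the data (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_value(key_path, name, value_type, data):
    """Return the list of reasons a value looks like a stash (empty if it looks normal)."""
    if value_type == REG_BINARY:
        raw = bytes(data)
    elif value_type in (REG_SZ, REG_EXPAND_SZ):
        raw = str(data).encode("utf-8", "replace")
    elif value_type == REG_MULTI_SZ:
        raw = "\n".join(data).encode("utf-8", "replace")
    else:
        return []   # DWORD/QWORD values are too small to hide anything
    reasons = []
    if raw[:2] == b"MZ":
        reasons.append("starts with MZ (PE image)")
    elif raw[:4] == b"TVqQ":
        reasons.append("base64-encoded MZ header")
    if len(raw) >= SIZE_THRESHOLD:
        reasons.append(f"{len(raw)} bytes")
    if len(raw) >= MIN_ENTROPY_LEN:
        ent = shannon_entropy(raw)
        if ent >= ENTROPY_THRESHOLD:
            reasons.append(f"entropy {ent:.2f} bits/byte")
    return reasons


def scan_entries(entries):
    """Run classify_value over (key_path, name, type, data) tuples; return the hits."""
    hits = []
    for key_path, name, value_type, data in entries:
        reasons = classify_value(key_path, name, value_type, data)
        if reasons:
            hits.append((key_path, name, reasons))
    return hits


def walk_hive(root_name="HKEY_CURRENT_USER", sub_path="Software"):
    """Yield (key_path, name, type, data) for every value under the key. Windows only."""
    import winreg   # imported here so the pure logic above runs on any platform
    root = getattr(winreg, root_name)
    stack = [sub_path]
    while stack:
        path = stack.pop()
        try:
            key = winreg.OpenKey(root, path)
        except OSError:
            continue   # access denied or key vanished; skip it
        with key:
            i = 0
            while True:
                try:
                    name, data, value_type = winreg.EnumValue(key, i)
                except OSError:
                    break
                yield (root_name + "\\" + path, name, value_type, data)
                i += 1
            i = 0
            while True:
                try:
                    stack.append(path + "\\" + winreg.EnumKey(key, i))
                except OSError:
                    break
                i += 1


# Constructed sample entries so the logic can be exercised without a Windows registry.
SAMPLE_ENTRIES = [
    ("HKCU\\Software\\App", "InstallDir", REG_SZ, "C:\\Program Files\\App"),
    ("HKCU\\Software\\App", "Version", REG_DWORD, 3),
    ("HKCU\\Software\\Vendor\\Cache", "Data", REG_BINARY, b"MZ\x90\x00" + b"\x00" * 60),
    ("HKCU\\Software\\Vendor\\Cache", "Blob", REG_BINARY, bytes(range(256)) * 64),
    ("HKCU\\Software\\Vendor\\Cache", "Module", REG_SZ, "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAA"),
]

if __name__ == "__main__":
    entries = walk_hive() if sys.platform == "win32" else SAMPLE_ENTRIES
    for key_path, name, reasons in scan_entries(entries):
        print(f"{key_path}\\{name}: {'; '.join(reasons)}")
```

Expect some benign hits on a real system (installers and browsers do cache binary data in the registry), so treat the output as a triage list to compare against a known-good baseline rather than as verdicts; the value of the check is that it looks where file-based scanning does not.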