The Emotet malware is now being used to steal victims' emails, sometimes going back as far as six months. Emotet has long been known as a banking trojan: it injects code into the networking stack of an infected computer so that sensitive banking information can be stolen in transit.
In the past Emotet only stole email addresses, but a newly released module harvests the emails themselves. This is particularly worrying because the new feature can be pushed to any computer already infected with the malware, opening the door to data theft and corporate espionage.
Security researchers at Kryptos Logic, a company specializing in computer security, observed the email harvesting and noted how thorough it is: the module trawls every email folder and every subfolder looking for any message sent or received in the last 180 days.
Another notable quirk of the malware is that it sends at most 16KB of each email body to its command and control (C&C) server. Researchers are still unsure why so much email is being stolen; one suggestion is that certain victims are more valuable than others and more likely to be singled out for follow-up targeting.
Emotet is distributed through spam campaigns, for example malicious documents or URLs disguised as invoices or PDF attachments. The email-stealing module is not part of the initial infection; it is downloaded from the control server after a victim's computer is already infected.
The harvesting operation runs for around 300 seconds and is then terminated. The module then checks that it has collected at least 116 bytes before sending the data to the C&C server.
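The parameters above (a 180-day window, at most 16KB of each body, and a 116-byte minimum before upload) are enough to estimate what an infected mailbox would have leaked, which is the question an incident responder has to answer when scoping a compromise. The following is an added example, not Kryptos Logic's analysis code or the malware itself: it applies those reported parameters to a constructed mailbox. The folder layout, message fields, sample messages and function names are assumptions for illustration, and the model deliberately ignores the 300-second runtime cap, so its result is an upper bound on exposure.

```python
"""Exposure-scoping model of the Emotet email-harvesting behaviour reported above.

Added example, not code from Kryptos Logic or from the malware. It applies the
parameters stated on this page (180-day window, 16 KB body cap, 116-byte upload
threshold) to a constructed mailbox so a responder can estimate what would have
been exfiltrated. The 300-second runtime limit is not modelled (upper bound).
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

WINDOW_DAYS = 180       # page: messages sent or received in the last 180 days
BODY_CAP = 16 * 1024    # page: at most 16 KB of each email body is uploaded
MIN_PAYLOAD = 116       # page: upload happens only if >= 116 bytes were collected


@dataclass
class Message:            # assumed minimal message record
    msg_id: str
    sent: datetime
    body: str


@dataclass
class Folder:             # assumed mailbox tree: messages plus nested subfolders
    name: str
    messages: list = field(default_factory=list)
    subfolders: list = field(default_factory=list)


def walk(folder, path=""):
    """Yield (folder_path, message) for every message, recursing into subfolders."""
    here = f"{path}/{folder.name}"
    for m in folder.messages:
        yield here, m
    for sub in folder.subfolders:
        yield from walk(sub, here)


def harvest(root, now):
    """Return (folder_path, msg_id, bytes_taken) for each message the module would collect."""
    cutoff = now - timedelta(days=WINDOW_DAYS)
    taken = []
    for path, m in walk(root):
        if m.sent < cutoff:
            continue                                        # outside the 180-day window
        body_bytes = m.body.encode("utf-8")[:BODY_CAP]      # truncated to 16 KB
        taken.append((path, m.msg_id, len(body_bytes)))
    return taken


def would_upload(taken):
    """The module only sends to the C&C server if at least MIN_PAYLOAD bytes were collected."""
    return sum(n for _, _, n in taken) >= MIN_PAYLOAD


def build_sample_mailbox(now):
    """Constructed sample mailbox; none of this is real data."""
    finance = Folder("Finance", [
        Message("big-1", now - timedelta(days=30), "X" * (40 * 1024)),   # 40 KB body
    ])
    inbox = Folder("Inbox", [
        Message("recent-1", now - timedelta(days=3), "Invoice attached, please pay by Friday."),
        Message("old-1", now - timedelta(days=400), "Old thread, outside the window."),
    ], subfolders=[finance])
    sent = Folder("Sent", [
        Message("sent-1", now - timedelta(days=179), "Short reply."),
        Message("sent-2", now - timedelta(days=181), "Just past the window."),
    ])
    return Folder("Mailbox", subfolders=[inbox, sent])


def run_sample():
    """Run the model on the sample mailbox at a fixed reference time."""
    now = datetime(2018, 11, 1)
    taken = harvest(build_sample_mailbox(now), now)
    return taken, would_upload(taken)


if __name__ == "__main__":
    taken, uploads = run_sample()
    for path, msg_id, n in taken:
        print(f"{path}\t{msg_id}\t{n} bytes")
    print("total:", sum(n for _, _, n in taken), "bytes; upload:", uploads)
```

In a real engagement the sample tree would be replaced by the user's exported mailbox (the recursive walk is the point: the page notes the module does not stop at the top-level folders), and the 16KB truncation matters when judging whether a long thread's sensitive tail was actually exposed.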
In July the US-CERT warned companies about Emotet's destructive capabilities, calling it the "most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors."