Security experts at Microsoft detected a new variant in the Win32/Emotet family which is targeting German users with a new spam email campaign.

Researchers from Microsoft have uncovered a new criminal campaign is targeting German users with a new variant of a sophisticated banking malware, Trojan:Win32/Emotet.C. The attackers are running Spam email campaign in Germany to serve a financial malware, dubbed Emotet, designed to steal online banking credentials. Emotet is not a new strain of malware, it was first detected last June by Trend Micro. The Emotet variant detected by Microsoft mainly targeted German-language speakers and banking website.

The malware has a very effective network sniffing ability, according to the researchers it is able to sniff data sent over secured HTTPS connections by hooking into eight network APIs.

Microsoft started its investigation on Emotet on since November 2014 when the spam email campaign reached its peak.

Emotet has been distributed through spam messages that were written in German and that contain a link to a server hosting the malicious code or the malware itself that is displayed as an harmessPDF document. HeungSoo Kang of Microsoft’s Malware Protection Center explained in a blog post that the spam email campaign relies on compromised email accounts to spread the malicious links.

“The spam emails are difficult for email servers to filter because the spamming component uses compromised email accounts to send malicious links. Emotet‘s spam module (detected as Spammer:Win32/Cetsiol.A) logs into email services using the stolen account name and passwords to send the spam. This means traditional anti-spam techniques, such as callback verification, won’t be applicable because the email is sent from a vetted or legitimate email address.” is written in the blog post.

Emotet binaries are delivered in .zip archive so the installed default file archive software will open the malicious file.