New Emotet spam campaign targets German users

Pierluigi Paganini January 08, 2015

Security experts at Microsoft detected a new variant in the Win32/Emotet family which is targeting German users with a new spam email campaign.

Researchers from Microsoft have uncovered a new criminal campaign is targeting German users with a new variant of a sophisticated banking malware, Trojan:Win32/Emotet.C. The attackers are running Spam email campaign in Germany to serve a financial malware, dubbed Emotet, designed to steal online banking credentials. Emotet is not a new strain of malware, it was first detected last June by Trend Micro. The Emotet variant detected by Microsoft mainly targeted German-language speakers and banking website.

The malware has a very effective network sniffing ability, according to the researchers it is able to sniff data sent over secured HTTPS connections by hooking into eight network APIs.

Microsoft started its investigation on Emotet on since November 2014 when the spam email campaign reached its peak.

emotet Microsoft telemetry

Emotet has been distributed through spam messages that were written in German and that contain a link to a server hosting the malicious code or the malware itself that is displayed as an harmessPDF document. HeungSoo Kang of Microsoft’s Malware Protection Center explained in a blog post that the spam email campaign relies on compromised email accounts to spread the malicious links.

“The spam emails are difficult for email servers to filter because the spamming component uses compromised email accounts to send malicious links. Emotet‘s spam module (detected as Spammer:Win32/Cetsiol.A) logs into email services using the stolen account name and passwords to send the spam. This means traditional anti-spam techniques, such as callback verification, won’t be applicable because the email is sent from a vetted or legitimate email address.” is written in the blog post.

Emotet binaries are delivered in .zip archive so the installed default file archive software will open the malicious file.

Once the malware infects a machine it downloads a configuration file containing the list of banks and services it is designed to steal credentials from.  Emotet also downloads a file that is used to intercept and log network traffic.

Win32/Emotet family can also steal email account credentials from installed email or messaging software. The samples analyzed by Microsoft are able to steal credentials related to the following software.

  • Eudora
  • Gmail Notifier
  • Google Desktop
  • Google Talk
  • Group Mail
  • IncrediMail
  • Mozilla Thunderbird
  • MSN or Windows Live Messenger
  • Netscape 6 and Netscape 7
  • Outlook 2000, Outlook 2002, and Outlook Express
  • Windows Mail and Windows Live Mail
  • Yahoo! Messenger

The stolen data are sent back to the C&C servers and can be used by the malware to send spam emails to other users.

Pay attention, not to open attachments either click on links that came on by suspicious emails.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs –  banking, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment