New Banking Malware Sniffs Traffic via Network APIs

Trend Micro said that this method of information theft is notable because other banking malware often rely on form-field insertion or phishing pages to steal information

Just weeks after it came across banking malware that abuses a Windows security feature, Trend Micro has spotted another banking malware family, dubbed EMOTET, that "sniffs" network activity to steal information. It can read data sent over secured connections because it hooks a range of network APIs and monitors the traffic passing through them; since the hooks sit inside the application, at APIs that handle the request before it is encrypted, HTTPS does not protect the data.

Trend Micro said that this method of information theft is notable because other banking malware often rely on form-field insertion or phishing pages to steal information.

“The use of network sniffing also makes it harder for users to detect any suspicious activity as no changes are visibly seen (such as an additional form field or a phishing page),” the firm noted in an analysis. “Moreover, it can bypass even a supposedly secure connection like HTTPS, which poses dangers to the user’s personally identifiable information and banking credentials.”

As a result, users can go about their online banking without ever realizing that information is being stolen.

“With online banking becoming routine for most users, it comes as no surprise that we are seeing more banking malware enter the threat landscape,” the researchers said. “In fact, 2013 saw almost a million new banking malware variants—double the volume of the previous year. The rise of banking malware continued into this year, with new malware and even new techniques.”

Like many forms of malware, EMOTET variants arrive via spammed messages with malicious links, usually about bank transfers or shipping invoices. Once a link is clicked, the malware downloads its component files, including a configuration file that lists the banks it targets; in the variants Trend Micro's engineers analyzed, that list included certain German banks.

“Another downloaded file is a .DLL file that is also injected into all processes and is responsible for intercepting and logging outgoing network traffic,” Trend Micro researchers noted. “When injected into a browser, this malicious DLL compares the accessed site with the strings contained in the previously downloaded configuration file.”

If a string matches, the malware records the URL accessed together with the data sent. It saves the whole content exchanged with the site rather than a few selected form fields, meaning that any data the user submits can be stolen and saved.
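The interception logic described in the two paragraphs above, modelled as an added example: this is not Trend Micro's analysis code or anything recovered from EMOTET, only a stand-in for the hooked send-style API. The assumption built into it is that the hook sits above TLS, so for an HTTPS request the bytes it sees are still plaintext. The monitored host strings and the two request buffers are constructed for the demo; the article names no banks.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the downloaded configuration file: substrings of
# monitored sites. The hosts are invented; the article only says German banks
# were listed.
MONITORED = [b"bank-example.de", b"onlinebanking.example"]


@dataclass
class Capture:
    url: str
    data: bytes


def parse_request(raw: bytes):
    """Split one outgoing HTTP request buffer into (host, path, body).
    Returns None if the buffer is not an HTTP request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    host = b""
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip()
            break
    return host, parts[1], body


def hook_send(raw: bytes, monitored=MONITORED) -> Optional[Capture]:
    """Stands in for the hooked send-style API. The browser has finished
    building the request, and because TLS happens below this layer the bytes
    seen here are plaintext even for HTTPS. The host is compared against the
    configured strings; on a hit the URL and the data sent are recorded."""
    parsed = parse_request(raw)
    if parsed is None:
        return None
    host, path, body = parsed
    if not any(s in host for s in monitored):
        return None  # not a monitored site: the call passes through untouched
    return Capture(url=(host + path).decode("latin-1"), data=body)


# Constructed sample traffic: one request to a "monitored" host, one not.
BANK_LOGIN = (b"POST /login HTTP/1.1\r\n"
              b"Host: www.bank-example.de\r\n"
              b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
              b"user=alice&pin=1234")
OTHER_SITE = (b"POST /search HTTP/1.1\r\n"
              b"Host: www.example.org\r\n\r\n"
              b"q=weather")

if __name__ == "__main__":
    for buf in (BANK_LOGIN, OTHER_SITE):
        print(hook_send(buf))
```

Nothing in the page the user sees changes: the request still goes out exactly as the browser built it, and the padlock stays on, which is the point the researchers make about visibility.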

Registry entries also play a significant role in EMOTET’s routines. The downloaded component files are stored in separate registry entries, and the stolen information is encrypted and then written to a registry entry as well.

“The decision to store files and data in registry entries could be seen as a method of evasion,” researchers said. “Regular users often do not check registry entries for possibly malicious or suspicious activity, compared to checking for new or unusual files. It can also serve as a countermeasure against file-based AV detection for that same reason.”
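A hunting heuristic for the storage technique described above, added here as an example rather than anything from the article or Trend Micro: encrypted data has a near-random byte distribution, so large registry values with high Shannon entropy under user-writable keys stand out, whether stored as REG_BINARY or as hex/base64 text. The registry contents below are constructed; the `scan_key` function reads a real key on Windows through the standard-library `winreg` module, and the Run key it points at is just an arbitrary starting point, not a location the article attributes to EMOTET.

```python
import base64
import hashlib
import math
import sys
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, close to 8.0 for random or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _candidate_blobs(data):
    """Yield the raw bytes of a value plus any hex/base64 decoding of a string
    value, so ciphertext stored as text is measured after decoding."""
    if isinstance(data, bytes):
        yield data
        return
    text = data.strip()
    yield text.encode("utf-8", "replace")
    for decoder in (bytes.fromhex, lambda s: base64.b64decode(s, validate=True)):
        try:
            yield decoder(text)
        except ValueError:  # binascii.Error is a ValueError subclass
            pass


def suspicious_values(values, min_size=256, min_entropy=7.0):
    """values: iterable of (name, data) with data as bytes (REG_BINARY) or str (REG_SZ).
    Returns [(name, size, entropy)] for values that look like stored ciphertext:
    at least min_size bytes with a near-random byte distribution."""
    hits = []
    for name, data in values:
        best = max(((len(b), shannon_entropy(b)) for b in _candidate_blobs(data)
                    if len(b) >= min_size), key=lambda t: t[1], default=None)
        if best is not None and best[1] >= min_entropy:
            hits.append((name, best[0], round(best[1], 2)))
    return hits


def scan_key(root, subkey, **thresholds):
    """Windows only: read every value under one key with winreg and run
    suspicious_values over them."""
    import winreg
    with winreg.OpenKey(root, subkey) as key:
        _, value_count, _ = winreg.QueryInfoKey(key)
        values = [winreg.EnumValue(key, i)[:2] for i in range(value_count)]
    return suspicious_values([(n, d) for n, d in values if isinstance(d, (bytes, str))],
                             **thresholds)


# Constructed sample: a deterministic high-entropy blob stands in for an encrypted payload.
_FAKE_CIPHERTEXT = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))  # 2048 bytes
SAMPLE_VALUES = [
    ("Shell", "explorer.exe"),                                # ordinary small string
    ("Path", r"C:\Users\alice\AppData\Local\Temp"),            # ordinary path
    ("Padding", "A" * 600),                                    # large but zero entropy
    ("Data1", _FAKE_CIPHERTEXT),                               # binary ciphertext
    ("Data2", base64.b64encode(_FAKE_CIPHERTEXT).decode()),    # same blob stored as text
]

if __name__ == "__main__":
    if sys.platform == "win32":
        import winreg
        # Arbitrary starting point for a live hunt; widen to other user-writable keys as needed.
        print(scan_key(winreg.HKEY_CURRENT_USER,
                       r"Software\Microsoft\Windows\CurrentVersion\Run"))
    else:
        print(suspicious_values(SAMPLE_VALUES))
```

Entropy alone is a triage signal, not a verdict: legitimate software also stores compressed or serialized blobs in the registry, so a hit is a value to inspect, together with which process wrote it, rather than an infection indicator by itself.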

Because EMOTET arrives via spammed messages, users are advised not to click links or download files that are unverified. For matters concerning finances, it’s best to call the financial or banking institution involved to confirm the message before proceeding.
