A new banking malware by the name of Emotet is circulating through malicious spam containing links which claim to lead to invoices for recent financial transactions or deliveries. The malware has been specifically crafted to target customers of multiple German banks, but variants that target North American and Asian banks have been found in the wild as well. Most alarmingly, research indicates that Emotet can even steal user credentials from HTTPS banking websites that would otherwise be protected by TLS encryption.
How Not to Get Emotet
Plain and simple: Do not click on links contained within unsolicited emails, especially if those links claim to lead to banking invoices or delivery receipts. The same can be said for mysterious attachments. Just don’t open them. Ever.
What Emotet Can Do
Although Emotet’s spam link propagation method is no different from that used by essentially every other banking malware that tries to dupe users into exposing their credentials, its technical capabilities are. Unlike most banking malware that propagates through spam, Emotet does not lead to your typical phishing page. Instead, Emotet spam links lead to drive-by download websites, which automatically infect your computer with a malicious program that can sniff network activity.
Network sniffing malware is dangerous because it operates without direct user interaction. The Emotet download comes with a list of popular banking URLs, most of which have been discovered to be owned by German banks. If an infected user visits one of the listed URLs, Emotet is designed to record all data that is transferred between the user and that website – even if it is an HTTPS website protected by TLS encryption.
Reports also indicate that Emotet spreads the storage of its component files into multiple registry entries, in an effort to avoid antivirus programs that rely solely on file-based detection.
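The registry-resident storage described above is worth a concrete hunting check. The following is an added example, not code from the original post or from Emsisoft: a small Python parser for a Windows .reg export that flags binary registry values which are unusually large or begin with an executable header, the kind of artifact that file-based antivirus scanning would not see. The sample export, the size threshold and the key names are constructed for illustration and are not Emotet indicators.

```python
import re
from dataclasses import dataclass

# Constructed sample of a Windows .reg export (not a real Emotet artifact).
# One value holds a 32-byte blob whose first two bytes are "MZ", the PE header magic.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Example\Settings]
"Theme"="dark"
"Counter"=dword:0000002a
"Tiny"=hex:01,02,03,04

[HKEY_CURRENT_USER\Software\Example\Cache]
"Blob0"=hex:4d,5a,90,00,03,00,00,00,04,00,00,00,ff,ff,00,00,b8,00,00,00,00,00,\
  00,00,40,00,00,00,00,00,00,00
"Note"="ok"
"""


@dataclass
class BinaryValue:
    key: str
    name: str
    data: bytes

    @property
    def looks_like_pe(self) -> bool:
        # A blob that starts with the DOS/PE magic is an executable image, not a setting
        return self.data[:2] == b"MZ"


# Matches lines like "Name"=hex:..., including typed forms such as hex(7):...
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=hex(?:\([0-9a-fA-F]+\))?:(?P<hex>.*)$')


def parse_reg_export(text: str) -> list[BinaryValue]:
    """Return every REG_BINARY-style value in a .reg export with its decoded bytes."""
    current_key = None
    values: list[BinaryValue] = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].rstrip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
        else:
            m = VALUE_RE.match(line)
            if m and current_key is not None:
                hex_part = m.group("hex")
                # .reg exports wrap long hex values onto following lines with a trailing backslash
                while hex_part.endswith("\\") and i + 1 < len(lines):
                    i += 1
                    hex_part = hex_part[:-1] + lines[i].strip()
                raw = bytes.fromhex(hex_part.replace(",", ""))
                values.append(BinaryValue(current_key, m.group("name"), raw))
        i += 1
    return values


def find_suspicious_values(text: str, min_bytes: int = 16 * 1024) -> list[BinaryValue]:
    """Flag binary values that are large enough to hold a payload or that carry a PE header.

    The 16 KiB default is an assumed tuning point for this example, not a published threshold.
    """
    return [v for v in parse_reg_export(text) if len(v.data) >= min_bytes or v.looks_like_pe]


if __name__ == "__main__":
    # Low threshold so the constructed sample produces a hit
    for hit in find_suspicious_values(SAMPLE_REG, min_bytes=16):
        print(f"{hit.key}\\{hit.name}: {len(hit.data)} bytes, PE header: {hit.looks_like_pe}")
```

On a real system the input would be the output of `reg export` for a hive such as HKEY_CURRENT_USER, and any hit should be treated as a lead to investigate rather than a verdict: legitimate software also stores binary data in the registry, so the size and header heuristics are there to narrow the search, not to classify on their own.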
Emsisoft and Emotet
New malware is born on a daily basis, but since many of our users reside in Germany, we felt an explicit need to raise the warning flag on a malware that targets German banking institutions. Remember: Don’t click on unsolicited links. The same advice (and the same concern) goes for all of our other users in countries across the world as well, because spam-link malware is a propagation technique that transcends national borders, and because new Emotet variants targeting banking institutions from around the world are likely to arise.
As always, anyone running Emsisoft Anti-Malware is automatically protected from this threat. Anyone who feels they may be infected by Emotet (i.e., anyone who may have recently clicked on a mysterious, emailed link and is now seriously starting to regret it) can and should reach out to our support forum as soon as possible. We like to get rid of malware, and we’ll do it for free – even if you are not an Emsisoft customer yet.
Have a Great (Emotet-Free) Day!