Emotet malware gang is mass-harvesting millions of emails in mysterious campaign

New Emotet module deployed within the last 24 hours has experts worried that Emotet gang is preparing a more dangerous attack.
Written by Catalin Cimpanu, Contributor

inbox icon

(Image: Getty Images/iStockphoto)

A notorious malware family that has been on a resurgent path since last year has received a major update this week that will send shivers down any organization's back.

According to a report from Kryptos Logic shared earlier today with ZDNet, the Emotet malware family has started mass-harvesting full email messages from infected victims, starting yesterday.

The Emotet group has been around since 2014 when they first started spreading a first version of their malware that worked as a full-on banking trojan.

This banking trojan was never a massive threat and slowly died out over the next three years, all until the summer of 2017, when the Emotet gang revamped their code and turned the original Emotet banking trojan into a modular malware family that was primarily used to infect users and then deliver secondary payloads for other criminal groups --in a classic pay-per-install scheme.

Ever since last summer, Emotet has been growing, and growing, and growing --both in capabilities and in the number of victims it has infected.

The malware has become so ubiquitous nowadays that the US Department of Homeland Security has issued a security advisory over the summer, warning companies about the threat that Emotet poses to their networks.

The danger comes from the fact that Emotet has a multitude of smaller modules that it downloads once it gains an initial foothold. Some of these modules, such as its SMB-based spreader that moves laterally throughout networks, can wreak havoc inside large organizations.

Furthermore, Emotet also never comes alone, often dropping even more potent threats, such as the TrickBot infostealer, remote access trojans, or, in the worst case scenarios, even ransomware.

Notorious is the case of the city of Allentown, where an Emotet infection has spread in every corner of the city's network and downloaded even more malware, and, in the end, the municipality decided to pay nearly $1 million to rebuild its infrastructure from scratch.

But according to Kryptos Logic, starting today, network admins also have another problem --the exfiltration of sensitive user data from infected systems.

This takes place via a new Emotet module that blindly harvests all emails sent or received from infected hosts from the past 180 days. The good news is that this module only works with Microsoft Outlook installations... for now.

While this Emotet module seems to be rather harmless, cyber-criminals stealing sensitive emails is akin to a data breach, and many organizations infected with this Emotet module will likely need to initiate data breach notification procedures and all the negative press that comes with such announcements.

Furthermore, as Kryptos Logic researchers also pointed out, Emotet's mass email harvesting module is very out of the ordinary. Most malware that has engaged in anything similar has only collected email addresses, which it later used to power new spam campaigns.

This non-discriminatory data collection module suggests that the Emotet gang is likely looking for something specific on infected computers.

"We believe the module is currently being widely deployed, but it is too early to confirm if it is geographically specific," Jamie Hankins, Head of Security & Threat Intelligence Research, Kryptos Logic, told ZDNet in an interview. "Emotet is not limited to any geography, but it tends to focus on US victims."

Currently, Kryptos Logic estimates the size of the Emotet botnet to at least "a few hundred thousand," but that data is based on unique IP addresses, and the actual number of infected computers may be even higher, as some systems may be behind the same IP addresses.

"There isn't enough information available to be able to tell what the threat actors motives are at the moment," Hankins said.

The expert adds that typical commodity botnets have specific targets for immediately monetizing stolen data, such as selling banking details, credentials, etc., but mass-harvesting the content of email messages is not something that can be converted into an immediate profit.

"The addition of this module really tells us they're maybe preparing a more specific campaign from the information they leverage in this email exfiltration," Hankins told us.

What that purpose may be is everyone's guess. They may be searching emails for corporate communications that can be leveraged in BEC scams, they may be searching for inter-banking related data so they can plan bank cyber-heists, or they may be searching for large corporations where they can deploy ransomware.

But as Hankins has also pointed out, they may also be working with a foreign government, just like the author of the ZeuS botnet/banking trojan has done in the past.

"Harvesting data in mass provides a weaponized data-driven analytical capability which should not be underestimated, given how effective surgical email leaks have been in the recent past," the expert said.

All in all, "Emotet is arguably one of the most advanced botnets ever created," and companies shouldn't allow any Emotet infection to linger on their networks because, as it's been recently proven in the past year, an Emotet infection tends to get very bad, very fast.

These are 2018's biggest hacks, leaks, and data breaches

Related stories:

Editorial standards