Emotet Malware, the Most Probable Malware of the Year

The Emotet malware, which the US government warned about in July, has been provided with a new feature that allows it to steal all e-mails of 180 days and newer on infected systems. As a result, tens of thousands of systems may experience data leaks in the coming days.

According to the Computer Emergency Readiness Team of the American government agency, US-CERT, Emotet is one of the most harmful malware specimens this year for both the public and private sectors. Emotet is a Trojan that mainly acts as a downloader or dropper of other malware, opening more risks for the users after the infection settled-in. This could, for example; the payload may range from a bank account malware or ransomware. Emotet is not revolutionary when it comes to its propagation channel, as it is mainly distributed via infected e-mail attachments.

Earlier this month it was announced that an American water company, Onslow Water and Sewer Authority (ONWASA) had been hit by Emotet last Oct 4, 2018. ONWASA has received an e-mail from the cybercriminals with the request to pay a ransom, but the company refuses. It states that it will rebuild the databases and re-establish PCs again. The recovery can therefore take several weeks, so is the expectation.

In addition to installing other malware, the security researchers have discovered that Emotet is equipped with the capability to steal address books from Thunderbird and Outlook users on infected systems, hence increasing its propagation speed. Now a new module has been added to the malware, which means that all e-mails of 180 days and newer are also stolen. As a result, the malware is also capable of cyber espionage, says Kryptos Logic. The module to steal e-mails can also be rolled out under existing infections, making Emotet the virus to watch out for email administrators.”In other words, Emotet is likely to steal numerous e-mails from tens of thousands of infected systems in the coming days,” says the security company. Earlier, the US-CERT reported that Emotet is difficult to remove because of the worm-like way it can spread within networks.

“Previous Emotet modules already used the Outlook Messaging API to steal contact lists. This API is, essentially, an interface that allows you to become an email-ready application. The most common cases of MAPI are simple MAPI, included in Windows as part of the default Windows Live email client, or the full MAPI as used by Outlook and Exchange. In other words, this API gives an application access to email, if Windows is adequately configured. This configuration is the first thing checked by this module. In particular, the registry key HKLM\Software\Clients\Mail\Microsoft Outlook is accessed, and the value DllPathEx -the path to the mapi32.dll module is expected to be defined. If it is not, the module does not proceed. Note that the registry key is pretty specific-there are other plausible keys, such as HKLM\Software\Clients\Mail\Windows Mail, that this module simply does not care about,” explained Kryptos Logic.

Security experts advise users to practice safe computing standards, especially ending the bad habit of opening email attachments at random. Emotet was already a serious threat, incurring costs or up to 1 million dollars for a single incident. The United States is the most affected country, while Emotet’s operators may have simply moved to server-side extraction, harvesting data in mass provides a weaponized data-driven analytical capability. This should not be underestimated, given how effective (or better yet ineffective) post infection virus clean-up is.