Banking credential theft hits German speakers

German language spam campaign delivers malware to steal banking credentials.


German speakers have again become the primary target of a variant of the Emotet banking malware, which is being distributed in Germany via spam emails, following a similar campaign in mid-2014.

In a Tuesday post, HeungSoo (David) Kang, with the Microsoft Malware Protection Center, wrote that the malware will steal online banking credentials whenever a user logs into a specified site, and that the list of bank websites – which includes Wells Fargo – can be changed at any time. He added that Emotet can also extract credentials from installed email and messaging software such as Google Talk and Yahoo! Messenger.

In the past 30 days, nearly half of Emotet infections have been in Germany; however, users in Austria, Switzerland, Hungary, Poland, the Netherlands, Slovenia, the Czech Republic, Denmark and the Slovak Republic have also been affected.

In a Wednesday email correspondence, Adam Kujawa, head of malware intelligence at Malwarebytes, told SCMagazine.com that it is possible for the attackers to change their strategy and begin targeting users and banks elsewhere.

“It would be a matter of modifying the malware to look out for (say) US email and bank keywords and maybe even modify the practices of stealing the information since many banks in the US don't follow the same security practices in other countries,” Kujawa said.

He explained, “This might mean that it's easier to steal the information or it means that it's more difficult – things like security images and access codes add an additional layer of security to the user's account and the attackers would need to compensate for that.”

So far the observed spam email messages leading to the malware are written in German, Kang wrote. One sample provided in the post purports to come from the Volksbank team and asks recipients to click a link to get more details on a deposit or statement.

Clicking the link can result in the download of a ZIP file containing an executable with a very long file name, so that the .EXE extension is pushed out of view, Kang wrote, adding that the executable uses a PDF file icon to make it seem more legitimate.
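The lure Kang describes relies on two presentation tricks: a file name long enough that the real extension scrolls out of sight, and an icon borrowed from a document type. Neither changes what is actually inside the archive, so a mail gateway or sandbox can flag the member before it is ever opened. The following is an added example, not code from the article or from Microsoft, that inspects a ZIP archive and reports members with an executable extension, a document-like inner extension (such as `.pdf.exe`), whitespace padding before the extension, an unusually long name, or content that begins with the `MZ` marker of a Windows PE file. The archive, the file name and the 60-character threshold are all constructed for this example; the "executable" is a placeholder that only carries the two-byte marker.

```python
import io
import os
import zipfile

# Extensions Windows will execute directly, and extensions a lure is likely to imitate.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
LONG_NAME_THRESHOLD = 60  # characters; an assumed value for this example, tune to your environment


def build_sample_zip(include_dropper: bool = True) -> bytes:
    """Build a constructed archive in memory standing in for the ZIP the spam link delivers."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if include_dropper:
            # Long name, document-looking inner extension, spaces before the real extension.
            long_name = "Kontoauszug_Volksbank_" + "0" * 80 + ".pdf" + " " * 20 + ".exe"
            # Placeholder content: only the PE "MZ" marker, not a real program.
            zf.writestr(long_name, b"MZ" + b"\x00" * 62)
        zf.writestr("Hinweise.txt", b"constructed benign text file\n")
    return buf.getvalue()


def suspicious_members(zip_bytes: bytes) -> list:
    """Return [(member_name, [reasons])] for every archive member that looks like a disguised executable."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            base = os.path.basename(name)
            stem, ext = os.path.splitext(base)
            ext = ext.lower()
            reasons = []
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append("executable extension %s" % ext)
                # "report.pdf   .exe": look for a document extension hiding before the real one.
                inner_ext = os.path.splitext(stem.rstrip())[1].lower()
                if inner_ext in DOCUMENT_EXTENSIONS:
                    reasons.append("document-like inner extension %s" % inner_ext)
                if stem != stem.rstrip():
                    reasons.append("whitespace padding before extension")
            if len(base) > LONG_NAME_THRESHOLD:
                reasons.append("file name is %d characters long" % len(base))
            # Check content, not just the name: a PE file starts with "MZ" whatever it is called.
            with zf.open(info) as fh:
                head = fh.read(2)
            if head == b"MZ":
                reasons.append("content begins with MZ (PE) header")
            if reasons:
                findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for member, reasons in suspicious_members(build_sample_zip()):
        print(repr(member))
        for reason in reasons:
            print("  -", reason)
```

The content check is the one that matters most: renaming the lure or shortening its name defeats the name-based rules, but a PE file still has to start with `MZ` for Windows to run it, so a gateway that reads the first bytes of every archive member catches the file regardless of how it is labelled.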

Emotet also contains a spamming module, detected as Cetsiol.A, that logs into legitimate email accounts using stolen credentials and spreads the threat, Kang wrote, explaining that this makes the spam emails hard for filters to detect.

“According to the analysis, the spam module actually logs into the stolen accounts of users,” Kujawa said. “This would be most effective if the module used the same system/browser combination as the victim usually uses. That way, things like cookie detection wouldn't flag to the email client that someone might be trying to break in, but rather make it look like the user is just logging into their own account.”
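Kujawa's remark points at what the email provider can still see when a spam module uses stolen but valid credentials: the login arrives from an unfamiliar browser with no existing session cookie, and one source ends up authenticating to many different accounts. The following is an added example, not from the article or from any vendor, of defender-side detection logic in Python run over constructed login records. The log format, the account names, the addresses (from documentation ranges) and the threshold of three accounts per source address are all assumptions made for this example.

```python
import re
from collections import defaultdict

# Assumed log format for this example: one authentication event per line.
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) account=(?P<account>\S+) ip=(?P<ip>\S+) ua="(?P<ua>[^"]*)" '
    r'session_cookie=(?P<cookie>present|absent) result=(?P<result>success|failure)$'
)

# Constructed sample: three users establish a baseline, then one source logs into all of them.
SAMPLE_LOG = """\
2015-01-05T08:01:10Z account=anna@example.test ip=203.0.113.10 ua="Firefox/34 (Windows)" session_cookie=present result=success
2015-01-05T08:05:42Z account=bob@example.test ip=203.0.113.25 ua="Chrome/39 (Windows)" session_cookie=present result=success
2015-01-05T08:09:03Z account=carol@example.test ip=203.0.113.40 ua="Safari/8 (Mac)" session_cookie=present result=success
2015-01-05T12:30:00Z account=anna@example.test ip=203.0.113.10 ua="Firefox/34 (Windows)" session_cookie=present result=success
2015-01-05T23:14:07Z account=anna@example.test ip=198.51.100.7 ua="Mozilla/5.0 (X11; Linux)" session_cookie=absent result=success
2015-01-05T23:14:09Z account=dave@example.test ip=198.51.100.7 ua="Mozilla/5.0 (X11; Linux)" session_cookie=absent result=failure
2015-01-05T23:14:12Z account=bob@example.test ip=198.51.100.7 ua="Mozilla/5.0 (X11; Linux)" session_cookie=absent result=success
2015-01-05T23:14:15Z account=carol@example.test ip=198.51.100.7 ua="Mozilla/5.0 (X11; Linux)" session_cookie=absent result=success
"""


def parse_log(lines):
    """Parse log lines into dicts, skipping blank or malformed lines."""
    events = []
    for line in lines:
        match = LOG_LINE.match(line.strip())
        if match:
            events.append(match.groupdict())
    return events


def flag_logins(lines, shared_ip_threshold: int = 3):
    """Return [(timestamp, account, [reasons])] for successful logins that look like account takeover."""
    known_ua = defaultdict(set)        # browsers each account has used before
    accounts_per_ip = defaultdict(set)  # distinct accounts seen from each source address
    alerts = []
    for ev in parse_log(lines):
        if ev["result"] != "success":
            continue
        acct, ip, ua = ev["account"], ev["ip"], ev["ua"]
        reasons = []
        # A first-ever login only establishes the baseline; after that, a browser the
        # account has never used, arriving without a session cookie, is the takeover signature.
        if known_ua[acct] and ua not in known_ua[acct] and ev["cookie"] == "absent":
            reasons.append("unfamiliar browser and no existing session cookie")
        accounts_per_ip[ip].add(acct)
        if len(accounts_per_ip[ip]) >= shared_ip_threshold:
            reasons.append("source %s used for %d accounts" % (ip, len(accounts_per_ip[ip])))
        known_ua[acct].add(ua)
        if reasons:
            alerts.append((ev["ts"], acct, reasons))
    return alerts


if __name__ == "__main__":
    for ts, acct, reasons in flag_logins(SAMPLE_LOG.splitlines()):
        print(ts, acct, "; ".join(reasons))
```

The two signals are deliberately independent: the browser check fires per account and would be defeated by exactly the mimicry Kujawa describes, whereas the per-source count does not depend on what the client looks like, only on the fact that stolen credentials for many users are being exercised from one place.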

(First published by SCMagazine.com in the US).