Researchers from phishing protection company Cofense say that an active botnet spreading the Emotet banking trojan has significantly upgraded its ability to spoof financial organizations with convincing phishing lures.
The U.S. Computer Emergency Readiness Team (US-CERT) describes Emotet as “an advanced, modular banking Trojan” that is “among the most costly and destructive malware” for both public and private organizations.
In a report published Tuesday, Cofense says it has observed Geodo — another name for Emotet — using an new scraping feature that makes its better at impersonating organizations. The feature lifts templates stolen from infected victims, then uses the templates to upgrade its phishing campaigns a with credible aura of a financial institution, according to the report.
Previously known capabilities of Emotet’s spamming module include the ability to steal contact lists and email signatures, Cofense says. But in this campaign, researchers say there’s the added capability to scrape up to 16 kilobytes of “raw emails and threads.”
Aaron Higbee, co-founder and chief technology officer of Cofense, told CyberScoop in an email that this new module was added to Emotet Nov. 6, scraping email templates from old and new infected hosts.
“Cofense Intelligence assessed [the scraping functionality] would either be used to bolster the actors’ social engineering efforts, using the stolen data to refine Geodo phishing templates, or for direct revenue generation – selling the raw message content to the highest bidder,” the report says.
The emails observed by Cofense are made to look like banking statements and payment authorizations, among other things. But embedded in the emails are links that lead to Microsoft Word documents with malicious macros. If enabled, the macros drop Emotet onto the victim’s system, which is then able to download additional malware.
The IcedID banking trojan was the second payload for some instances in this campaign, Cofense says. Higbee said the malware is designed to steal credentials to the victim’s financial accounts. IceID bears similarity to Trickbot, another common banking trojan, but targets a broader range of financial information, including investment banking accounts, he said.
Cofense says it has been tracking Emotet activity for some months and that it “continues to grow.” The botnet’s clients have reportedly amassed 20,000 credentials and millions of email targets in the time that the company has tracked it.