The Emotet malware is typically used as a banking trojan and more recently for distributing other malware, but has now become more versatile via a module that allows it to steal a victim's actual emails going back six months.
Previously, Emotet only harvested email addresses from victims; this new version is a game changer because it makes wholesale data theft and corporate espionage easy. To make matters worse, the capability can be pushed to any system that is already infected by the malware.
Security researchers at Kryptos Logic observed Emotet's email harvesting module and noticed that it had become more advanced, with functions to also exfiltrate email subjects and bodies.
"It will crawl every email of every subfolder in the interpersonal message (IPM) root folder," they explain in a blog post today, adding that it targets any message sent or received in the past 180 days.
The researchers also observed that only 16KB (16,384 characters) of each email body is stolen and sent to the command and control (C2) server.
The researchers do not know the full motive for stealing so much email, but the profile of the victims suggests that they are likely to hold valuable information.
"The data could be used to improve effectiveness when attempting to pivot across internal networks," Jamie Hankins, Head of Security & Threat Intelligence Research, Kryptos Logic, told BleepingComputer.
Although the threat actor is unlikely to be able to steal a full attachment, there is no doubt that they can steal the message text, Hankins says. Furthermore, the remote control capabilities allow the attacker to grab anything they deem valuable from the infected computer.
Attackers use malicious spam campaigns to distribute Emotet, but the new email-stealing plugin is not included in the initial payload. The main malware component on the compromised computer downloads the email module from Emotet's C2 server and activates it locally.
Emails are then scanned and their content is saved to a temporary file. The scan is allowed up to 300 seconds; once that time is up the module terminates it, reads back the entire temporary file and, provided the file is at least 116 bytes, sends its contents to the C2 server.
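Scoping a compromised mailbox against this behaviour, as an added example that is neither Emotet's code nor Kryptos Logic's tooling: the model below applies the parameters reported above (recursive crawl from the IPM root, 180-day window, 16KB body cap, 116-byte minimum, 300-second budget) to a constructed folder tree and reports which messages would have been staged and whether the batch would have been sent. The Folder and Record classes, the sample messages, and the use of the Date header as a stand-in for sent/received time are assumptions of the example, not details from the analysis; real triage would feed it an exported mailbox instead.

```python
"""Exposure model for the Emotet email-harvesting behaviour described above.

Added example: not Emotet's code and not Kryptos Logic's analysis tooling.
Parameters come from the article (180-day window, 16 KB body cap, 116-byte
minimum, 300-second budget); the folder tree, the sample messages and the use
of the Date header as a proxy for "sent or received" are assumptions.
"""
from __future__ import annotations

import time
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from email.message import EmailMessage
from email.utils import format_datetime, parsedate_to_datetime

LOOKBACK = timedelta(days=180)  # "any message sent or received in the past 180 days"
BODY_CAP = 16384                # only 16 KB of each body is taken
MIN_UPLOAD = 116                # staging file must be at least 116 bytes to be sent
TIME_BUDGET = 300.0             # seconds before the crawl is terminated


@dataclass
class Folder:
    """A mailbox folder (assumed structure); the crawl starts at the IPM root."""
    name: str
    messages: list[EmailMessage] = field(default_factory=list)
    subfolders: list["Folder"] = field(default_factory=list)


@dataclass
class Record:
    path: str
    subject: str
    body_bytes: int   # bytes of body that would leave the host
    truncated: bool   # body exceeded BODY_CAP


@dataclass
class Harvest:
    records: list[Record]
    staged: bytes       # what the temporary file would contain
    would_upload: bool  # len(staged) >= MIN_UPLOAD


def walk(folder: Folder, prefix: str = ""):
    """Depth-first crawl of every message in every subfolder, like the module does."""
    path = f"{prefix}/{folder.name}" if prefix else folder.name
    for msg in folder.messages:
        yield path, msg
    for sub in folder.subfolders:
        yield from walk(sub, path)


def in_window(msg: EmailMessage, now: datetime) -> bool:
    """Date header used as a proxy for sent/received time (assumption)."""
    try:
        when = parsedate_to_datetime(msg["Date"])
    except (TypeError, ValueError):
        return False  # undated message: treated as not collectable
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return now - when <= LOOKBACK


def harvest(root: Folder, now: datetime, budget: float = TIME_BUDGET) -> Harvest:
    """Apply the reported filters and build the staging blob the module would send."""
    started = time.monotonic()
    records: list[Record] = []
    staged = bytearray()
    for path, msg in walk(root):
        if time.monotonic() - started > budget:
            break  # crawl terminated; whatever was staged is still considered for upload
        if not in_window(msg, now):
            continue
        body = msg.get_content().encode("utf-8", "replace")
        taken = body[:BODY_CAP]
        header = f"{path}\t{msg['From']}\t{msg['To']}\t{msg['Subject']}\n".encode()
        staged += header + taken + b"\n"
        records.append(Record(path, str(msg["Subject"]), len(taken), len(body) > BODY_CAP))
    return Harvest(records, bytes(staged), len(staged) >= MIN_UPLOAD)


def build_sample_mailbox(now: datetime) -> Folder:
    """Constructed mailbox: three recent messages (one oversized) and one stale one."""
    def mk(subject, age_days, body, frm="alice@example.test", to="bob@example.test"):
        m = EmailMessage()
        m["From"], m["To"], m["Subject"] = frm, to, subject
        m["Date"] = format_datetime(now - timedelta(days=age_days))
        m.set_content(body)
        return m

    long_body = "\n".join(f"line {i}: migration step details" for i in range(800))
    projects = Folder("Projects", [mk("VPN migration plan", 90, long_body)])
    inbox = Folder("Inbox", [mk("Q3 budget", 10, "Draft budget for review, figures below."),
                             mk("Old newsletter", 400, "Stale, outside the 180-day window.")],
                   [projects])
    sent = Folder("Sent Items", [mk("Re: Q3 budget", 9, "Looks fine, approved.",
                                    frm="bob@example.test", to="alice@example.test")])
    return Folder("IPM root", [], [inbox, sent])


def run_demo(budget: float = TIME_BUDGET) -> Harvest:
    """Run the model over the constructed mailbox as of now."""
    now = datetime.now(timezone.utc)
    return harvest(build_sample_mailbox(now), now, budget)


if __name__ == "__main__":
    result = run_demo()
    for r in result.records:
        flag = " (truncated)" if r.truncated else ""
        print(f"{r.path:26} {r.subject:20} {r.body_bytes:6d} bytes{flag}")
    print(f"staged {len(result.staged)} bytes, would upload: {result.would_upload}")
```

Running it lists the three in-window messages, shows the 90-day-old project mail cut to exactly 16,384 bytes, and confirms the batch clears the 116-byte threshold; passing a tiny `budget` to `run_demo` shows that a crawl killed by the timeout still produces an upload decision on whatever was staged up to that point.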
The revamped threat is more dangerous for organizations, where email communication may include sufficient information to allow preparation of targeted attacks. Back in July, the US-CERT warned organizations about Emotet's capabilities, describing it as one of the "most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors."
The Emotet developers are known to adapt their malware to emerging mitigations by adopting industry-wide practices themselves. For example, in July 2018, after US-CERT issued its security notice about the malware, Emotet began implementing DKIM on the domains it had hijacked in order to get past mail filters.
The number of users that could be impacted by Emotet's new plugin is huge. Kryptos Logic's estimate, based on telemetry from its Telltale notification service, gives a baseline of a few hundred thousand infections.
The exact figure remains unknown, though, because the count considers only unique IP addresses, and many infected machines can share a single public IP address (for example, behind a NAT gateway) when connecting to the internet.
Ever since it was first spotted around 2014, Emotet has evolved into a multifaceted threat that can move laterally through networks without drawing attention.
It dropped off the radar at the beginning of the month, according to security researcher James, who told BleepingComputer that he last spotted Emotet on October 3.
"Normally there was a static trickle all the time ... and then poof gone," he told us.
Security researcher Joseph Roosen noticed the same behavior around the same period. He told BleepingComputer that Emotet's spam campaign stopped around October 5 and that about two days later the malicious documents and payloads on compromised servers no longer received updates.
There are no new spam campaigns for the time being, and the new module in Emotet has been deployed only to existing infections, based on Roosen's observations.
The researcher has been tracking the Emotet botnet since November 2017 and has noticed that every now and then the operators take breaks that last for several weeks.
"I speculate that it is to rework part of their infrastructure, create new modules and come up with new infection vectors. They took a break like this from spamming in mid-May of this year only to come back strong around the end of May into June," Roosen told us.