Recently we wrote that the Emotet botnet, which had not shown "signs of life" since…
Now Bleeping Computer, citing Binary Defense experts, reports that the malware has acquired new functionality: it has begun stealing contact lists, message content and attachments from its victims’ emails so that the spam it sends looks as authentic as possible to future recipients.
“This is the first time the botnet is using stolen attachments to add credibility to emails as Binary Defense threat”, IS researcher James Quinn told BleepingComputer.
This information was confirmed by the well-known information security researcher Marcus Hutchins (aka MalwareTech), who notes that the data-theft module appeared in Emotet around June 13 of this year.
“Can confirm Emotet’s email stealer module was updated to steal email attachments, as well as email content and contact lists. The additional code was added around June 13th”, MalwareTech wrote on Twitter.
Experts write that the new tactic allows Emotet operators to make effective use of intercepted emails and “join” users’ conversations. This means that a malicious URL or attachment will end up looking like a new post in an ongoing discussion. Moreover, unlike other attackers, Emotet operators use not only the “body” of the stolen messages, but also the attachments from them.
“Emotet seems to be using not only stolen email bodies, but is now including stolen attachments as well. This lends to even more authenticity in their phishing emails. In one example we found 5 benign attachments and a dropper link within the templated portion of the email”, say Cofense analysts.