The Emotet malware family just raised the stakes by adding email exfiltration to its arsenal, thereby escalating its capabilities to cyber espionage. While it has recently made headlines for delivering ransomware payloads to United States infrastructure such as Water Utilities, Emotet has laid mostly dormant for the past month. In the past days, however, the mummy has returned just in time for Halloween as we observed a new module capable of exfiltrating email content back to the botnet’s operators.
This new capability is effectively taking all existing Emotet infections with emails and sending them back to the attacker going back 180 days in mail history.
This post will examine the new threat payload enabling Emotet mass email capture, examine the exfiltration process, and observe its global distribution.
Even protected systems can be infected by this advanced malware. Be sure to check out Telltale, our free victim notification service if you wish to check if your organization has been infected.
Previous Emotet modules already used the Outlook Messaging API to steal contact lists. This API is, essentially, an interface that allows an application to become email-ready. The most common cases of MAPI usage are Simple MAPI, included in Windows as part of the default Windows Live email client, or the full MAPI as used by Outlook and Exchange. In other words, this API gives an application access to email, if Windows is adequately configured.