EMOTET the banking malware which uses network sniffing

Security Experts at Trend Micro have detected a new banking malware, dubbed EMOTET, which uses also network sniffing capabilities to target bank customers.

The number of malware families designed to hit the banking industry is in constant growth, in this first part of the year the number of malicious code used by cyber criminals for banking frauds is doubled.

The malware authors are implementing techniques even more sophisticated to deceive customers of financial institutions, until now security experts have detected malicious codes, working on both mobile and desktop devices, that include a data stealer component to capture victim’s credentials, but this time the threat is more complex. It is known that the cybercrime ecosystem is very prolific, security researchers from the security firm Trend Micro have discovered a banking malware, dubbed EMOTET, which also implements a “sniff” network feature activity to steal sensitive information of other users on the same network segment.

“In fact, 2013 saw almost a million new banking malware variants—double the volume of the previous year. The rise of banking malware continued into this year, with new malware and even new techniques.” states Joie Salvio, Threat Response Engineer at Trend Micro.

The banking malware EMOTET was spread with a classic email spam campaign, attackers try to deceive the banking customers letting them into believing that the malware is a legitimate shipping invoice sent by the bank.

“Users who receive these emails might be persuaded to click the provided links, considering that the emails refer to financial transactions.” states Trend Micro.

The spammed email includes a link that must be clicked by the targeted users to allow malware get installed. Once installed the malware download further components, including DLL and configuration files that contain information about the targeted banks.

EMOTET is largely infecting the EMEA region, the Middle East and Africa, Germany in the country most targeted by the malicious code.

The EMOTET malware also download a .DLL file that is injected to all processes and is responsible for sniffing activities, it intercepts and logging outgoing network traffic.

“When injected to a browser, this malicious DLL compares the accessed site with the strings contained in the previously downloaded configuration file. If strings match, the malware assembles the information by getting the URL accessed and the data sent. The malware saves the whole content of the website, meaning that any data can be stolen and saved.

EMOTET can even “sniff” out data sent over secured connections through its capability to hook to the following Network APIs to monitor network traffic:”

  • PR_OpenTcpSocket
  • PR_Write
  • PR_Close
  • PR_GetNameForIndentity
  • Closesocket
  • Connect
  • Send
  • WsaSend

EMOTET has the capability to bypass HTTPs connection to allow attackers to store victims’ personal information and banking credentials even are transmitted over a secure connection.


EMOTET stores stolen data in the separate entries in encrypted format, in this way it could evade security checks, as explained by Salvio the technique can also serve as “a countermeasure against file-based AV detection for that same reason.”



The implementation of network sniffing functionality makes EMOTET malware very dangerous, the features described was specifically designed to avoid detection.

“As EMOTET arrives via spammed messages, users are advised not to click links or download files that are unverified. For matters concerning finances, it’s best to call the financial or banking institution involved to confirm the message before proceeding.” suggests Trend Micro.

Pierluigi Paganini

(Editor-In-Chief, CDM)




FAIR USE NOTICE: Under the "fair use" act, another author may make limited use of the original author's work without asking permission. Pursuant to 17 U.S. Code § 107, certain uses of copyrighted material "for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright." As a matter of policy, fair use is based on the belief that the public is entitled to freely use portions of copyrighted materials for purposes of commentary and criticism. The fair use privilege is perhaps the most significant limitation on a copyright owner's exclusive rights. Cyber Defense Media Group is a news reporting company, reporting cyber news, events, information and much more at no charge at our website Cyber Defense Magazine. All images and reporting are done exclusively under the Fair Use of the US copyright act.

Global InfoSec Awards 2022

We are in our 10th year, and these awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.


10th Anniversary Exclusive Top 100 CISO Conference & Innovators Showcase