Account Statement Phish Masks Emotet Malware to German Users

December 04, 2014
Proofpoint Staff

Over the past several weeks Proofpoint has detected a fairly large and ongoing unsolicited email campaign that targets German users with phishing lures designed to deliver the Emotet banking Trojan. The campaign stays ahead of reputation filters by cycling through several dozen compromised websites per day, delivering emails that employ a common and effective “account notification” template.

The messages themselves include a URL that appears to link to a PDF file with information about the recipient’s new mobile service account. In reality, however, the URLs lead directly to a zipped executable file that downloads the “Emotet” banking Trojan as payload.

Because many users now know not to click on executables or to open ZIP or other archive files from unknown or untrusted sources, this archive file masks itself as a PDF: here the URLs used in the messages redirect to ZIP files with names designed to match the email lure (such as "") with executable files inside. The executable filenames also match the campaign lure (for example, "rechnung_vodafone_de_2014_11_930370025_023870007_11_de_0000003837_888830.exe"), and use a PDF or similar file icon to trick users into thinking the executable file is actually a safe document.  (In truth, PDF files can be as dangerous as a zipped executable, but experience shows that users are less wary of them than of other file types.) The combination of the file icon and a long filename that hides the extension make for a convincing ruse:

Antivirus detection of this malware is poor, with fewer than 4% of antivirus engines detecting the file at time that the sample was submitted.

This campaign highlights the regional variability of malware. While phishing may be the international languageof bad actors, effective malware – and particularly banking Trojans – depends on a strong regional or language bias. (Emotet is an apt example of this: originally discovered in Germany, it has spread to other countries as attackers have adapted it to local languages.) Most modern banking Trojans operate via “web injects,” in which they re-create fake parts of banking websites in order to steal users’ information. For these to work correctly, they need to be language-appropriate and convincing (that is, few or no obvious typos and grammatical errors), and they also need to be customized to each bank’s website.

This degree of specialization means that attackers will use a piece of malware as widely as possible within a particular region in order to maximize the return on their investment, and as a result we find that banking Trojans, more than most types of malware, tend to have strong regional bias. Clearly, cybercriminals still see opportunity for their Emotet malware in Germany, and German-speaking organizations and users should remain on alert for these phishing campaigns.