German bank customers are under attack from a trojan campaign that can dodge anti-spam controls, according to the software vendor Microsoft.
A variant of the Emotet trojan is delivered as a zipped folder (.zip). According to Microsoft, this can bypass security controls when the archiving software used to unzip the file does not warn the user that the executable inside can contain malicious code. The trojan also abuses legitimate email accounts to send its spam.
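The delivery trick above relies on the recipient's unzip tool not flagging an executable inside the archive. A mail gateway or endpoint hook can do that check itself before the user ever sees the file. The following is an added example, not code from the original article or from Microsoft: it opens a zip archive, flags members that carry an executable extension (including double extensions such as `Rechnung.pdf.exe`) and also flags members whose content starts with the `MZ` PE header even when the extension looks harmless. The extension list, the sample archive and all file names are constructed for this example.

```python
import io
import zipfile

# Extensions Windows will execute directly. Constructed list for this example;
# a real gateway would use a maintained policy list.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
PE_MAGIC = b"MZ"  # first two bytes of every Windows PE executable


def suspicious_members(zip_bytes):
    """Return a list of (member_name, reason) for members that look executable.

    Two checks are applied to each file in the archive:
      1. the final extension is one Windows will run, and
      2. the first two bytes are the PE 'MZ' header, which catches a PE file
         renamed to look like a document.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lowered = name.lower()
            # rsplit keeps only the last extension, so 'Rechnung.pdf.exe' -> '.exe'
            ext = "." + lowered.rsplit(".", 1)[-1] if "." in lowered else ""
            if ext in EXECUTABLE_EXTENSIONS:
                findings.append((name, f"executable extension {ext}"))
                continue
            with zf.open(info) as fh:
                head = fh.read(2)
            if head == PE_MAGIC:
                findings.append((name, "PE header (MZ) behind a non-executable extension"))
    return findings


def build_sample_zip():
    """Constructed sample archive: a benign text file, a double-extension
    executable, and a PE file disguised with a .pdf extension."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Readme.txt", "Ihre Rechnung im Anhang.\n")
        zf.writestr("Rechnung.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("Telekom_Rechnung.pdf", b"MZ\x90\x00" + b"\x00" * 60)
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in suspicious_members(build_sample_zip()):
        print(f"BLOCK {member}: {reason}")
```

The content check matters more than the extension check: an attacker controls the file name, but a PE file has to begin with `MZ` to run. The check does not see inside password-protected or nested archives, so those should be quarantined for separate handling rather than passed through.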
Microsoft said: "The spam emails are difficult for email servers to filter because the spamming component uses compromised email accounts to send malicious links."
"Emotet’s spam module logs into email services using the stolen account name and passwords to send the spam. This means traditional anti-spam techniques, such as callback verification, won’t be applicable because the email is sent from a vetted or legitimate email address."
The campaign also targets German speakers in Austria and Switzerland. The attackers use fake emails disguised as phone bills and as invoices from banks and PayPal to deliver the Emotet variant, which has been circulating since November.
Once installed, Emotet.C monitors network traffic and uses a list of URL paths to decide when to capture online banking logins. It can also steal credentials from email and messaging accounts held in software such as Google Talk, Mozilla Thunderbird and Microsoft Outlook.
"It sends the stolen information back to its command and control (C&C) server where it is used by other components to send spam emails to spread the threat," Microsoft added.