a directed edge between two nodes if there is an email exchange between them. This information is also sent to the C&C server for further analysis. Together, the Thunderbird Email Stealer and Thunderbird Contact Stealer modules allow Emotet to gather valuable data from Thunderbird users, expanding its reach beyond just Outlook.
SmtpPasswordStealer
Another module that was introduced after Emotet’s comeback is the SmtpPasswordStealer. As the name suggests, this module is designed to steal SMTP (Simple Mail Transfer Protocol) passwords from compromised systems. SMTP is the standard protocol for sending emails and is used by various email clients and servers. By stealing SMTP passwords, Emotet can gain unauthorized access to email accounts and use them to send spam emails or carry out other malicious activities.
This module specifically targets Microsoft Outlook, Mozilla Thunderbird, and the Mail app on Mac systems. It searches for specific configuration files where email account settings, including SMTP passwords, are stored. Once the passwords are extracted, they are sent to the C&C server, giving Emotet operators unauthorized access to the compromised email accounts.
WebBrowserPasswordStealer
Emotet also introduced a WebBrowserPasswordStealer module, which is responsible for stealing saved passwords from popular web browsers. This module targets browsers such as Google Chrome, Mozilla Firefox, Microsoft Edge, and Opera. It searches for specific files where browser passwords are stored, decrypts them if necessary, and sends the stolen passwords to the C&C server.
By stealing web browser passwords, Emotet gains access to various online accounts, including email, social media, and banking accounts. This allows the cybercriminals behind Emotet to further exploit compromised systems and potentially carry out identity theft or financial fraud.
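Both the SmtpPasswordStealer and the WebBrowserPasswordStealer described above work by reading the files in which a mail client or browser keeps saved credentials. A practical way to detect that behaviour on an endpoint is to watch which process opens those files: the owning application reading its own store is normal, anything else is not. The following is an added detection example, not code from the article or from any Emotet analysis, that runs over constructed file-read telemetry in JSON-lines form (loosely modelled on EDR or Sysmon file events). The store locations are the well-known default paths for Chrome, Edge, Opera, Firefox and Thunderbird, which are assumptions of this example rather than values taken from the page; Outlook keeps its mail profiles in the registry and is not covered by this file-based rule.

```python
"""Flag reads of mail-client and browser credential stores by processes
other than the application that owns the store.

Added example, not from the article. The sample telemetry below is
constructed, and the store paths are assumed default locations."""
import fnmatch
import json
from collections import defaultdict

# (glob over a lowercased, forward-slash path, processes allowed to read it).
# Assumed default store locations for the clients the article names;
# Outlook keeps its profiles in the registry and is out of scope here.
CREDENTIAL_STORES = [
    ("*/google/chrome/user data/*/login data", {"chrome.exe"}),
    ("*/microsoft/edge/user data/*/login data", {"msedge.exe"}),
    ("*/opera software/opera stable/login data", {"opera.exe"}),
    ("*/mozilla/firefox/profiles/*/logins.json", {"firefox.exe"}),
    ("*/mozilla/firefox/profiles/*/key4.db", {"firefox.exe"}),
    ("*/thunderbird/profiles/*/logins.json", {"thunderbird.exe"}),
    ("*/thunderbird/profiles/*/key4.db", {"thunderbird.exe"}),
]

# Constructed sample telemetry: one JSON object per line. "updater.exe" is a
# made-up unknown process, not an indicator from the article.
SAMPLE_EVENTS = r"""
{"ts": "2023-03-01T10:00:01Z", "process": "chrome.exe", "pid": 4120, "op": "read", "path": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"ts": "2023-03-01T10:00:02Z", "process": "thunderbird.exe", "pid": 5010, "op": "read", "path": "C:\\Users\\alice\\AppData\\Roaming\\Thunderbird\\Profiles\\x1y2z3.default\\logins.json"}
{"ts": "2023-03-01T10:00:03Z", "process": "notepad.exe", "pid": 6100, "op": "read", "path": "C:\\Users\\alice\\Documents\\notes.txt"}
{"ts": "2023-03-01T10:00:04Z", "process": "updater.exe", "pid": 7777, "op": "read", "path": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"ts": "2023-03-01T10:00:05Z", "process": "updater.exe", "pid": 7777, "op": "read", "path": "C:\\Users\\alice\\AppData\\Roaming\\Thunderbird\\Profiles\\x1y2z3.default\\key4.db"}
{"ts": "2023-03-01T10:00:06Z", "process": "updater.exe", "pid": 7777, "op": "read", "path": "C:\\Users\\alice\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\a1b2c3.default-release\\logins.json"}
{"ts": "2023-03-01T10:00:07Z", "process": "chrome.exe", "pid": 4120, "op": "read", "path": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Login Data"}
""".strip()


def normalize_path(path: str) -> str:
    """Canonicalise Windows paths so one glob covers both separator styles."""
    return path.replace("\\", "/").lower()


def match_store(event: dict):
    """Return (pattern, allowed_processes) if the path is a known credential
    store, otherwise None."""
    path = normalize_path(event["path"])
    for pattern, allowed in CREDENTIAL_STORES:
        if fnmatch.fnmatchcase(path, pattern):
            return pattern, allowed
    return None


def scan_events(jsonl: str) -> list:
    """Return one alert per credential-store read by a non-owning process."""
    alerts = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("op") != "read":
            continue
        hit = match_store(event)
        if hit is None:
            continue
        pattern, allowed = hit
        if event["process"].lower() in allowed:
            continue  # the owning application reading its own store
        alerts.append({"ts": event["ts"], "process": event["process"],
                       "pid": event["pid"], "store": pattern})
    return alerts


def rank_processes(alerts: list) -> dict:
    """Count distinct stores per (process, pid). A single process sweeping
    several stores is the stronger signal: a stealer enumerates all of them,
    while a legitimate tool rarely touches more than one."""
    stores = defaultdict(set)
    for a in alerts:
        stores[(a["process"], a["pid"])].add(a["store"])
    return {f"{proc}:{pid}": len(s) for (proc, pid), s in stores.items()}


if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for a in found:
        print(f"{a['ts']} {a['process']}({a['pid']}) read {a['store']}")
    for key, n in sorted(rank_processes(found).items(), key=lambda kv: -kv[1]):
        severity = "high" if n >= 2 else "medium"
        print(f"{key}: {n} distinct credential store(s)  severity={severity}")
```

On the sample data the rule raises four alerts: three for the unknown process that reads the Chrome, Thunderbird and Firefox stores in quick succession, and one for chrome.exe reading Edge's store, which the per-store allow-list catches because each store is tied to its own owner rather than to "any browser". The per-process count is what separates a credential-stealing sweep from a one-off such as a backup agent.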
Conclusion
Since its comeback in November 2021, Emotet has continued to evolve and adapt to new security measures and changes made by software vendors. Despite the efforts of law enforcement agencies and cybersecurity professionals, Emotet remains a significant threat in the cybercrime landscape.
Emotet operators have launched multiple spam campaigns, utilizing different attack vectors and social engineering techniques to trick users into opening malicious attachments or clicking on malicious links. They have also introduced new modules, such as the Thunderbird Email Stealer, Thunderbird Contact Stealer, SmtpPasswordStealer, and WebBrowserPasswordStealer, to expand their reach and gather valuable information from compromised systems.
The continuous efforts of the Emotet operators to evade detection and stay relevant highlight the importance of proactive cybersecurity measures. Users and organizations should remain vigilant against phishing emails, ensure their systems and software are up to date with the latest security patches, and implement robust security solutions to protect against malware threats like Emotet. By staying informed and adopting best practices, individuals and organizations can reduce the risk of falling victim to Emotet and other similar malware attacks.