
Introducing Operation Emmental: A new banking malware causing havoc around the world

A new banking-fraud campaign dubbed "Operation Emmental" is targeting the customers of banks around the world, particularly in countries such as Switzerland and Austria.

Operation Emmental, apparently so named because the security of many major banks is as full of holes as the Swiss cheese, is designed to bypass the SMS-based two-factor authentication that banks use to keep their customers' money safe.

The Operation Emmental attacks are spread by phishing emails that masquerade as legitimate messages in order to coax the recipient into clicking a booby-trapped link.

The attacks defeat the session tokens that a bank's server sends to a customer's mobile phone by text message. Online-banking customers must enter one of these one-time tokens to start a new session and confirm their login credentials, so a stolen password alone is not enough; Emmental gets around this by having a malicious app on the customer's phone forward the tokens to the attackers.

The infrastructure needed to pull the attack off is substantial, however. A successful Operation Emmental strike requires a Windows malware binary (which changes the PC's DNS settings and is not persistent), a malicious Android app sporting various banks' logos (which forwards the SMS tokens), a rogue DNS resolver that answers bank hostnames with the address of a phishing web server hosting fake pages for several banks, and a compromised command-and-control (C&C) server.
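To make the flow described in the two paragraphs above concrete, here is a constructed simulation of how the components fit together: the rogue resolver sends the customer's browser to a phishing server that relays the password to the real bank, and the SMS-forwarding app later lets the attacker complete a login of their own despite the token. This is an added example written for this article, not code from the Trend Micro report or from the attackers; the bank, customer, hostname and IP addresses (TEST-NET ranges) are all hypothetical.

```python
import secrets

BANK_HOST = "ebanking.example-bank.test"   # hypothetical hostname
BANK_IP = "203.0.113.10"                   # hypothetical address of the real bank
PHISH_IP = "198.51.100.7"                  # hypothetical address of the phishing server

LEGIT_RESOLVER = {BANK_HOST: BANK_IP}      # what a clean PC's resolver answers
ROGUE_RESOLVER = {BANK_HOST: PHISH_IP}     # what the attackers' rogue resolver answers


class BankServer:
    """Password login followed by a six-digit one-time session token sent by SMS."""

    def __init__(self, send_sms):
        self.passwords = {"alice": "correct-horse"}   # constructed customer
        self.pending = {}      # token -> username awaiting confirmation
        self.sessions = {}     # session id -> username
        self.send_sms = send_sms

    def login(self, user, password):
        if self.passwords.get(user) != password:
            return None
        token = f"{secrets.randbelow(10**6):06d}"
        self.pending[token] = user
        self.send_sms(user, f"Your session token is {token}")
        return "token_required"

    def confirm(self, token):
        user = self.pending.pop(token, None)   # each token is valid once
        if user is None:
            return None
        sid = secrets.token_hex(8)
        self.sessions[sid] = user
        return sid


class Phone:
    """The customer's handset. The malicious Android app, if installed,
    forwards every incoming SMS to the attacker."""

    def __init__(self, forward_to=None):
        self.inbox = []
        self.forward_to = forward_to

    def receive_sms(self, text):
        self.inbox.append(text)
        if self.forward_to is not None:
            self.forward_to(text)


class PhishingServer:
    """Fake bank site that relays the victim's traffic to the real bank, keeps
    the password, and collects the SMS tokens forwarded by the Android app."""

    def __init__(self, bank):
        self.bank = bank
        self.stolen_credentials = None
        self.forwarded_tokens = []

    def login(self, user, password):
        self.stolen_credentials = (user, password)
        return self.bank.login(user, password)   # victim still receives a real SMS

    def confirm(self, token):
        return self.bank.confirm(token)          # victim sees a normal login

    def receive_forwarded_sms(self, text):
        self.forwarded_tokens.append(extract_token(text))


def extract_token(sms_text):
    return sms_text.split()[-1]


def simulate(resolver, android_app_installed):
    """One customer login followed by an attacker login attempt.
    Returns (victim logged in, password stolen, attacker logged in)."""
    phone = Phone()
    bank = BankServer(lambda user, text: phone.receive_sms(text))
    phisher = PhishingServer(bank)
    if android_app_installed:
        phone.forward_to = phisher.receive_forwarded_sms

    # Phase 1: the browser resolves the bank hostname through whatever resolver
    # the PC is configured with and talks to that address.
    site = bank if resolver[BANK_HOST] == BANK_IP else phisher
    site.login("alice", "correct-horse")
    victim_session = site.confirm(extract_token(phone.inbox[-1]))

    # Phase 2: later, the attacker logs in directly with the stolen password.
    # The bank texts a fresh token to the victim's phone; only the forwarding
    # app gets it into the attacker's hands.
    attacker_session = None
    if phisher.stolen_credentials is not None:
        bank.login(*phisher.stolen_credentials)
        if phisher.forwarded_tokens:
            attacker_session = bank.confirm(phisher.forwarded_tokens[-1])

    return (victim_session is not None,
            phisher.stolen_credentials is not None,
            attacker_session is not None)
```

Running `simulate(ROGUE_RESOLVER, False)` shows the rogue resolver alone only steals the password: the attacker's later login stalls at the token step. Only `simulate(ROGUE_RESOLVER, True)` ends with the attacker holding a valid session, which is why the Android app is the piece that actually turns SMS tokens into a hole. A real-time phishing relay could also ride the victim's own session during phase 1; the app is what lets the attackers log in again whenever they like after the PC malware has removed itself.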

"Emmental is an attack that has very likely evolved over time," according to Trend Micro. "The fact that the most salient part of the attack—the PC malware—is not persistent likely helped the attackers keep a low profile."

"We believe this allowed them to use different infection strategies, not just through emails, although we have not been able to detect any other means."

The banking malware Zeus caused chaos over the years it was active, infecting 3.6 million PCs in the United States alone and stealing millions of pounds from banks around the world, including in the UK. It is most often used to steal banking information through man-in-the-browser keystroke logging and form grabbing, and it has also been used to install the CryptoLocker ransomware.

More recently, a new premium piece of malware called Kronos has been advertised on a Russian cybercriminal forum. It can steal credentials from browsing sessions in Internet Explorer, Mozilla Firefox and Google Chrome using form-grabbing and HTML content-injection techniques.

For more information on how to protect yourself from phishing emails, check out our guide on how to avoid getting stung by a spear phishing scam.