GetMail
Malware
⚠️ Overview
GetMail is a credential‑stealing trojan first documented in March 2022 by Zscaler ThreatLabz, attributed to the financially motivated threat actor TA573 (affiliated with the TA577 cluster). It targets enterprise email accounts, specifically Microsoft Outlook Web Access (OWA) and other webmail interfaces, and falls under the info‑stealer category. The malware is distributed via phishing campaigns that deliver macro‑laden Excel documents.
🔧 Technical Capabilities
GetMail primarily propagates through spear‑phishing emails with malicious XLS or XLSM attachments whose VBA macros drop the payload. The initial infection uses a PowerShell downloader to retrieve and execute the main binary from a remote C2 server. The malware employs process hollowing to inject its code into legitimate Windows processes such as svchost.exe for evasion. Persistence is achieved by creating a scheduled task named “GetMailUpdate” and a registry run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run\GetMailUpdate. It communicates with its C2 infrastructure over HTTP POST requests, encoding stolen credentials in Base64 and sending them to domains such as getmail[.]top and mail‑sync[.]net. GetMail also uses anti‑debugging techniques, including IsDebuggerPresent API checks and time‑based delays to avoid sandbox analysis.
📜 History & Notable Incidents
GetMail was first observed in early 2022 during campaigns primarily targeting the financial services sector in North America, with later expansion into healthcare and insurance. In June 2022, a coordinated campaign by TA573 compromised over 1,500 corporate email accounts across 60+ organizations, as reported by Proofpoint. No specific CVEs are associated with GetMail; it relies entirely on social engineering and macro execution. There have been no reported law enforcement actions against the malware or its operators as of 2023.
🔍 Detection Indicators
Known SHA256 hashes include f8c3a9b2e1d4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9 (sample from Zscaler report) and a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0. Behavioral signatures include Excel spawning PowerShell, which then makes outbound connections to IP addresses in the 185.234.72.0/24 range. Network IOCs are domains ending in .top or .net used for C2, and the User‑Agent string “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36” is commonly observed. Registry keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run containing “GetMail” are strong indicators. Mutex names include “Global\GetMail_Mutex_2022”.
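The behavioral, registry and network indicators listed above, turned into detection logic and run over constructed Sysmon‑style event records. This is an added example, not code from the Zscaler or Proofpoint reports; the event field names and the sample events are assumptions made for the demonstration.

```python
import ipaddress

# Indicators as given in the text (domains were defanged there with [.])
C2_DOMAINS = {"getmail.top", "mail-sync.net"}
C2_NET = ipaddress.ip_network("185.234.72.0/24")
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
TASK_NAME = "getmailupdate"
# The full User-Agent is a stock Chrome 99 string, so on its own it is a weak
# indicator; it is only counted here alongside the other network checks.
UA_SUFFIX = "Chrome/99.0.4844.84 Safari/537.36"


def check_event(ev):
    """Return the names of the indicators matched by one event record."""
    def low(field):
        return str(ev.get(field, "")).lower()
    hits = []
    kind = ev.get("type")
    if kind == "process_create":
        if low("parent_image").endswith("excel.exe") and low("image").endswith("powershell.exe"):
            hits.append("excel_spawns_powershell")
        if low("image").endswith("schtasks.exe") and TASK_NAME in low("command_line"):
            hits.append("scheduled_task_getmailupdate")
    elif kind == "registry_set":
        if low("key").startswith(RUN_KEY) and "getmail" in low("key") + low("value_name"):
            hits.append("run_key_getmail")
    elif kind == "network_connect":
        if low("dest_host") in C2_DOMAINS:
            hits.append("c2_domain")
        try:
            if ipaddress.ip_address(ev.get("dest_ip", "")) in C2_NET:
                hits.append("c2_ip_range")
        except ValueError:
            pass  # missing or malformed address: no IP verdict
        if ev.get("user_agent", "").endswith(UA_SUFFIX):
            hits.append("c2_user_agent")
    return hits


def scan(events):
    """Flatten all matches as (event id, indicator name) pairs."""
    return [(ev["id"], h) for ev in events for h in check_event(ev)]


# Constructed sample events (Sysmon-like field names, invented for this example)
SAMPLE_EVENTS = [
    {"id": 1, "type": "process_create", "parent_image": r"C:\Program Files\Microsoft Office\EXCEL.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"id": 2, "type": "process_create", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe"},
    {"id": 3, "type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "GetMailUpdate"},
    {"id": 4, "type": "network_connect", "dest_host": "getmail.top", "dest_ip": "185.234.72.10",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36"},
    {"id": 5, "type": "process_create", "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": '/Create /TN "GetMailUpdate"'},
]

if __name__ == "__main__":
    for event_id, hit in scan(SAMPLE_EVENTS):
        print(event_id, hit)
```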
☠️ Risk & Impact
GetMail causes significant data exfiltration by harvesting email credentials, which can lead to account takeover, lateral movement within the victim’s network, and further phishing attacks. Financial losses from business email compromise (BEC) incidents following GetMail infections have been estimated in the millions of dollars collectively, primarily affecting financial services and healthcare organizations.
🛡️ Mitigation
Organizations should enforce macro‑blocking via Group Policy, deploy email security gateways with attachment sandboxing, and use EDR solutions that monitor for process hollowing and PowerShell execution anomalies. The MITRE ATT&CK techniques used include T1059.001 (PowerShell), T1055.012 (Process Hollowing), and T1053.005 (Scheduled Task). No vendor patches are available; behavioral detection and user awareness training are the primary defenses.