New Emotet variant uses connected devices as proxy C2 servers

Pierluigi Paganini April 29, 2019

Researchers at Trend Micro have uncovered a malware campaign distributing a new Emotet Trojan variant that compromises devices and uses them as Proxy C2 servers.

Trend Micro discovered a new variant of the Emotet Trojan that is able to infect devices and use them as proxy command-and-control servers. The new variant also employs random URI directory paths to evade network-based detection rules.

“Recently, an analysis of Emotet traffic has revealed that new samples use a different POST-infection traffic than previous versions. ” reads the analysis published by Trend Micro. “It is also attempting to use compromised connected devices as proxy command and control (C&C) servers that redirect to the real Emotet C&Cs. These changes may seem trivial at first, but the added complexity in command and control traffic is an attempt by Emotet authors to evade detection. “

The experts also noticed that threat actors behind the latest Emotet campaign are actively attempting to compromise IoT devices, including routers, IP cameras, webcams, and recruit them in a first layer of the C2 infrastructure.

The compromised devices could be used by threat actors for other malicious purposes.

Emotet is delivered via spam campaigns, one of the attacks monitored in early April leveraged the Powload trojan downloader to drop the threat. The spam emails use malicious ZIP file that can be opened with the 4-digit password included in the body of the email. The ZIP archive contains variants of Powload that uses Powershell to download an executable the final Emotet payload.

Emotet 1

Since March 15, experts monitored Emotet samples using new POST-infection traffic and discovered they were also using randomly generated URI directory paths in its POST requests to evade network-based detection

The new Emotet version sends the stolen info within the HTTP POST message body, instead of using the Cookie header. Like previous versions, it encrypts data with an RSA key and AES, and encoded it in Base 64.

Emotet traffic

“The change in POST-infection traffic and the use of these connected devices show that Emotet is still a constantly evolving and resilient threat.” concludes Trend Micro.

“The malware authors are fine-tuning evasion techniques and trying to adapt to security solutions. If left unchecked and undetected, this threat may lead to a substantial loss of money and data for businesses.”

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – cybercrime, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment