Emotet Trojan Now Uses IoT And Router Devices To Evade Detection
The Emotet malware has been covered frequently here at Hackercombat since July last year. It is not uncommon for a cyber-security-focused website to discuss most, if not all, of its infection waves, since it is a very complex banking trojan that continues to receive enhancements from its authors. This time around, we cover Emotet's newest campaign, which began two months ago and targets vulnerable IoT devices and routers in order to grow the botnet further. By compromising vulnerable routers and IoT devices, Emotet can use them to camouflage its fleet of zombified desktops, laptops, and servers.
With these new members in the botnet, the heavy hitters (laptops, desktops, and servers) can now send data through a chain of IoT and router members before it reaches the actual command and control servers. This makes discovering the C&C servers harder for security researchers, as the path of the data transfer is obscured by the thousands of intermediate devices.
“Recently, an analysis of Emotet traffic has revealed that new samples use a different POST-infection traffic than previous versions. It is also attempting to use compromised connected devices as proxy command and control (C&C) servers that redirect to the real Emotet C&Cs. These changes may seem trivial at first, but the added complexity in command and control traffic is an attempt by Emotet authors to evade detection. These discoveries also show that the malware is being used to compromise and collect vulnerable connected devices, which could become resources for other malicious purposes,” explained a TrendMicro blog.
The newly updated Emotet malware no longer depends only on spam emails to spread, as it always had; certain Emotet samples that TrendMicro obtained indicated that it is using another trojan in order to propagate. Named Powload (detected as Trojan.W97M.POWLOAD), it runs a Windows PowerShell command when executed in order to download the rest of Emotet onto the system. The spam email campaign that carries Emotet was also made more convincing: the malicious attachment is a password-protected zip file, and the user is instructed to open it with the password provided in the body of the email. This makes the attachment look legitimate, since many legitimate emails with clean attachments use the same technique to send files to multiple users.
“Newer traffic shows something different. Actors stayed away from using the Cookie header and changed the HTTP request method to POST. The data is still encrypted with an RSA key and AES, and encoded in Base 64. However, instead of being stored in the Cookie value, it was put in the body of the HTTP POST message. This change adds another layer of complexity to help the malware evade detection or delay further investigation if it is detected,” added TrendMicro.
The more command and control servers the Emotet hacking group brings online, the harder it becomes to identify the perpetrators behind the malware. TrendMicro detected instances where traffic led to what looked like C&C behavior, but it turned out to be just an infected router; in another case it was a digital video recorder that happened to be online and infected by Emotet as well. Emotet is thus artificially creating large numbers of dummy nodes in order to bypass detection.
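As an added example (not code from the article or from TrendMicro), the following detection heuristic scores HTTP request records for the two traits described above: a POST sent to a bare IP address (a compromised router or IoT device acting as a proxy rather than a named server) carrying a high-entropy Base64 body instead of an encoded Cookie header. The request records, field names and thresholds are constructed assumptions for illustration.

```python
import base64
import binascii
import ipaddress
import math
import re
from urllib.parse import urlsplit

# Constructed sample records (not real captures): method, URL, headers, body.
SAMPLE_REQUESTS = [
    {"method": "POST", "url": "http://198.51.100.23:8080/",
     "headers": {"User-Agent": "Mozilla/4.0"},
     "body": base64.b64encode(bytes(range(256))).decode()},  # ciphertext-like
    {"method": "POST", "url": "https://app.example.com/login",
     "headers": {"Cookie": "session=abc"}, "body": "user=alice&pw=secret"},
    {"method": "GET", "url": "http://203.0.113.9/",
     "headers": {"Cookie": "3fA9=" + base64.b64encode(b"plain text beacon").decode()},
     "body": ""},
]

def _is_bare_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def _entropy(data):
    # Shannon entropy in bits per byte; 8.0 means every byte value is equally likely.
    counts = [data.count(b) for b in set(data)]
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts)

def _base64_payload(text):
    # Return the decoded bytes only if the whole body is strict Base64.
    text = text.strip()
    if len(text) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", text):
        return None
    try:
        return base64.b64decode(text, validate=True)
    except binascii.Error:
        return None

def reasons_for(req):
    reasons = []
    host = urlsplit(req["url"]).hostname or ""
    if req["method"] == "POST" and _is_bare_ip(host):
        reasons.append("post-to-bare-ip")
    raw = _base64_payload(req.get("body", ""))
    # Entropy ceiling for short payloads is log2(len), so scale the threshold.
    if raw and len(raw) >= 32 and _entropy(raw) > 0.85 * min(8.0, math.log2(len(raw))):
        reasons.append("high-entropy-base64-body")
    if reasons and "Cookie" not in req.get("headers", {}):
        reasons.append("no-cookie-header")
    return reasons

def flag_suspicious(requests):
    # Indices of records matching at least two of the traits above.
    return [i for i, r in enumerate(requests) if len(reasons_for(r)) >= 2]
```

Feeding real proxy or IDS records into `flag_suspicious` will surface candidates for analyst review; the raw IP and entropy checks alone will also catch some legitimate API traffic, so treat the output as a triage queue rather than a verdict.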