Delaware, USA – April 30, 2019 – The authors of Emotet have improved their trojan, adopting a new evasion technique and adding a new layer of protection for their command-and-control infrastructure. Researchers at Trend Micro analyzed the new campaign and found that the trojan no longer sends data directly to C&C servers; instead, the data is sent to compromised IoT devices, from where it is relayed to the attackers' servers. Most of the compromised devices are security cameras and routers. By putting a layer of IoT devices in front of their infrastructure, the attackers make it harder for security researchers to uncover and take it down. Moreover, since mid-March the trojan has sent the collected information via HTTP POST requests rather than HTTP GET, as it did before. The encrypted data is now stored in the body of the request instead of the Cookie header, and the URI directory path is filled with randomized words and numbers hardcoded in the trojan executable. This technique lets the malware evade network-based detection and makes its traffic look less suspicious to common security solutions.
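As an added illustration (not code from the Trend Micro research or the original post), the heuristic below scans constructed proxy-log records for the two traffic shapes described above: the legacy GET carrying an opaque, high-entropy Cookie value, and the newer POST to a bare-IP host with a randomized path and a request body. The sample records, thresholds and label names are assumptions for demonstration, not Emotet indicators.

```python
import math
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed proxy-log records (not real captures): method, URL, Cookie header value, body length.
SAMPLE_LOG = [
    ("GET", "http://93.184.216.34/", "7Jd8Kw2L9sQfP0xZc3Vb1Nm6Ty4Rh5Ue8Ia2Oq7Wg1Xs0Ck9Lp", 0),
    ("POST", "http://203.0.113.7:8080/vfmrl3/qwzt5k9/", "", 1472),
    ("GET", "https://www.example.com/index.html", "session=abc123; lang=en", 0),
    ("POST", "https://www.example.com/login", "session=abc123", 64),
]


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking ciphertext/base64 scores high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def cookie_looks_encrypted(cookie: str) -> bool:
    # A normal Cookie header is name=value pairs; one long opaque token with no '=' is the legacy pattern.
    # The 32-char / 4.0-bit thresholds are assumed values for this demo.
    return "=" not in cookie and len(cookie) >= 32 and shannon_entropy(cookie) > 4.0


def is_ip_host(host: str) -> bool:
    # Relay through compromised IoT devices typically shows up as a bare IPv4 host rather than a domain.
    return re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) is not None


def path_looks_randomized(path: str) -> bool:
    # Every directory segment is alphanumeric and mixes letters with digits (assumed heuristic).
    segments = [s for s in path.split("/") if s]
    mixed = lambda seg: seg.isalnum() and any(c.isdigit() for c in seg) and any(c.isalpha() for c in seg)
    return bool(segments) and all(mixed(s) for s in segments)


def classify(method: str, url: str, cookie: str, body_len: int):
    """Return a label for the two beacon shapes described in the article, or None."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if method == "GET" and cookie_looks_encrypted(cookie):
        return "legacy-cookie-beacon"
    if method == "POST" and is_ip_host(host) and path_looks_randomized(parts.path) and body_len > 0:
        return "post-body-beacon"
    return None


def scan(records):
    """Return (index, label) for every record that matches one of the heuristics."""
    return [(i, label) for i, rec in enumerate(records) if (label := classify(*rec))]
```

Running `scan(SAMPLE_LOG)` flags only the first two constructed records; the ordinary browsing records pass through untouched.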
Infection still occurs through spam emails, but the adversaries have begun to use an archived Powload dropper as the malicious attachment. If the user unpacks the attached archive, a new version of the Emotet malware is downloaded and installed on the system. At the end of last year, the trojan received an email harvesting module, and this spring cybercriminals started using the collected information to craft phishing emails. Other groups use this botnet to distribute their own malware, and researchers also link the large-scale Ryuk and LockerGoga ransomware attacks to Emotet infections. To monitor security events on Windows systems and detect suspicious activity in time, you can use your SIEM with the Sysmon Framework rule pack: https://my.socprime.com/en/integrations/sysmon-framework-arcsight