30 April 2019

Emotet group is harvesting vulnerable IoT-devices in order to build a cocoon around their botnet

For the last two months, the group behind the infamous Emotet banking trojan has been busy taking over vulnerable connected devices (routers, IP cameras, web servers, etc.) and using them as a shell around their botnet to hide its command infrastructure, according to Trend Micro researchers.

As the report notes, this is the first time malware has been seen using infected routers and IoT devices as a proxy layer that relays victims' traffic to the real Emotet command-and-control (C&C) servers. The extra hop in C&C communication makes it harder for security researchers to track down the Emotet operation.

The idea is that a machine infected with Emotet sends the stolen data to one of these compromised devices, which then passes it on to the real Emotet C&C servers. The addresses that can be extracted from an infected host therefore point only at the proxies. This lets the Emotet gang hide the real location of their command infrastructure and makes it harder for security researchers, hosting providers, and authorities to disrupt the botnet's operations.
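To make the relay concrete, here is an added example (not code from the report or from Emotet) that wires the three roles together on localhost: a stand-in "real C&C" listener, a stand-in "compromised router" that only forwards bytes, and a "bot" whose hardcoded C&C list contains nothing but the proxy address. The beacon payload and all addresses are constructed for the demo; the point it shows is that the C&C server only ever sees the proxy's source address, and the bot's configuration never contains the real server.

```python
import socket
import threading

# Constructed sample beacon; stands in for the data an infected host would send (hypothetical).
SAMPLE_BEACON = b"id=EXAMPLE-BOT-1;data=stolen-credentials"
TIMEOUT = 5.0


def _pipe(src, dst):
    """Copy bytes from src to dst until src reaches EOF, then half-close dst."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _listener():
    """Listening TCP socket on an ephemeral loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.settimeout(TIMEOUT)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


def start_c2():
    """Stand-in for the real C&C: accept one connection, record the peer address and the
    bytes it sent, then answer ACK. Returns (address, dict filled by the server thread, thread)."""
    srv = _listener()
    addr = srv.getsockname()
    seen = {}

    def serve():
        with srv:
            conn, peer = srv.accept()
        with conn:
            conn.settimeout(TIMEOUT)
            buf = b""
            while True:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                buf += chunk
            seen["peer"], seen["data"] = peer, buf
            conn.sendall(b"ACK")

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return addr, seen, t


def start_proxy(upstream):
    """Stand-in for the compromised router: accept one bot, open its own connection to the
    real C&C and relay both directions. Records the source address it uses upstream."""
    srv = _listener()
    addr = srv.getsockname()
    seen = {}

    def serve():
        with srv:
            bot, _ = srv.accept()
        bot.settimeout(TIMEOUT)
        with bot, socket.create_connection(upstream, timeout=TIMEOUT) as up:
            seen["upstream_local"] = up.getsockname()
            t = threading.Thread(target=_pipe, args=(bot, up), daemon=True)
            t.start()
            _pipe(up, bot)
            t.join()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return addr, seen, t


def bot_exfiltrate(c2_from_config, payload=SAMPLE_BEACON):
    """What the infected host does: connect to the address in its hardcoded list and send."""
    with socket.create_connection(c2_from_config, timeout=TIMEOUT) as s:
        local = s.getsockname()
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        reply = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            reply += chunk
    return local, reply


def run_demo():
    """Wire bot -> proxy -> C&C on localhost and report what each side observed."""
    c2_addr, c2_seen, c2_thread = start_c2()
    proxy_addr, proxy_seen, proxy_thread = start_proxy(c2_addr)
    hardcoded_c2_list = [proxy_addr]  # the bot's config names the proxy, never the real server
    bot_local, reply = bot_exfiltrate(hardcoded_c2_list[0])
    c2_thread.join(TIMEOUT)
    proxy_thread.join(TIMEOUT)
    return {
        "real_c2": c2_addr,
        "bot_config": hardcoded_c2_list,
        "bot_local": bot_local,
        "c2_saw_peer": c2_seen.get("peer"),
        "proxy_upstream_local": proxy_seen.get("upstream_local"),
        "c2_received": c2_seen.get("data"),
        "bot_reply": reply,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running it shows that `c2_saw_peer` equals the proxy's upstream source address rather than the bot's, and that `real_c2` appears nowhere in `bot_config`: blocking or sinkholing the addresses pulled from a sample only hits the proxy layer, and a proxy that drops off after a reboot just gets replaced in the next configuration.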

Emotet is usually distributed via spam email. Samples found at the beginning of April showed that the trojan still spreads via spam, now with the help of the Powload trojan downloader. The spam messages carry an attachment masquerading as an invoice, designed to trick users into opening a ZIP file. The archive contains a Powload variant and is protected with a four-digit password included in the body of the email. If the user enters the password and opens the file, it uses PowerShell to download the Emotet payload.
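The password-in-the-body trick defeats gateways that cannot open the archive, but the combination itself is a usable signal. The following added example (not from the report) is a mail-triage heuristic that parses a message, looks for ZIP attachments whose entries carry the ZIP encryption flag, and pulls standalone four-digit tokens out of the body as candidate passwords. The email and the archive are constructed inline; the archive only has the encryption flag bit set and is not really ZipCrypto-encrypted, which is enough to exercise the header check. Actually extracting the attachment with the recovered password is left to a sandbox or a tool such as 7-Zip.

```python
import io
import re
import struct
import zipfile
import zlib
from email import message_from_bytes, policy
from email.message import EmailMessage

# ZIP general-purpose flag bit 0 marks an entry as encrypted.
ZIP_FLAG_ENCRYPTED = 0x0001
# Standalone four-digit token, not part of a longer number (e.g. an invoice id).
PASSWORD_RE = re.compile(r"(?<!\d)\d{4}(?!\d)")


def build_zip(name: bytes, data: bytes, encrypted_flag: bool) -> bytes:
    """Constructed one-entry, stored (uncompressed) ZIP: local header, data, central
    directory entry, end-of-central-directory record. Only the flag bit is set; the data
    is not actually encrypted."""
    flag = ZIP_FLAG_ENCRYPTED if encrypted_flag else 0
    crc = zlib.crc32(data) & 0xFFFFFFFF
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flag, 0, 0, 0,
                        crc, len(data), len(data), len(name), 0) + name + data
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flag, 0, 0, 0,
                          crc, len(data), len(data), len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd


def build_sample_email(attachment: bytes) -> bytes:
    """Constructed lure in the style the report describes (not a real Emotet sample)."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Invoice 2019-04"
    msg.set_content("Please find the attached invoice.\nThe archive password is 4815.\n")
    msg.add_attachment(attachment, maintype="application", subtype="zip",
                       filename="invoice.zip")
    return msg.as_bytes()


def zip_is_encrypted(blob: bytes) -> bool:
    """True if any entry in the archive has the encryption flag set."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return any(info.flag_bits & ZIP_FLAG_ENCRYPTED for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def triage(raw: bytes) -> dict:
    """Flag mail that carries an encrypted ZIP plus a four-digit password in the body."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    candidates = PASSWORD_RE.findall(text)
    encrypted_zips = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(b"PK\x03\x04") and zip_is_encrypted(payload):
            encrypted_zips.append(part.get_filename() or "")
    return {
        "encrypted_zips": encrypted_zips,
        "candidate_passwords": candidates,
        "suspicious": bool(encrypted_zips) and bool(candidates),
    }


if __name__ == "__main__":
    lure = build_sample_email(build_zip(b"invoice.doc", b"payload", True))
    print(triage(lure))
```

A plain (unencrypted) ZIP with the same body is not flagged, and an encrypted archive without any four-digit token in the body is reported with an empty candidate list, so the rule can be tuned to either signal on its own.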

Emotet operators have been compromising vulnerable routers and IoT devices since March. The malware is known to include a list of hardcoded IP addresses serving as its C&C servers. Investigating some of the most recent live IP addresses of known Emotet C&C servers, the researchers discovered that many of them actually belonged to various types of connected devices:


Using proxies between infected hosts and C&C servers is not uncommon. Other criminal groups use the same method, but they usually rely on more stable proxy layers built from hacked servers, desktops, and smartphones, which tend to stay online for longer. Proxies built from infected connected devices are considered less reliable because few strains of IoT malware survive a reboot of the device. It appears the Emotet operators are willing to accept that trade-off in order to remain undetected.
