For the last two months the hacking group behind the infamous Emotet banking trojan has been busy taking over vulnerable connected devices (routers, IP cameras, web servers, etc.), which they are using to create a shell around their botnet in order to hide its command infrastructure, according to Trend Micro researchers.
As the report notes, this is the first time malware has been seen using infected routers and IoT devices as a proxy layer that redirects victims to the real Emotet command and control (C&C) servers. This technique adds another layer of complexity to C&C communication, making it more difficult for security researchers to track down the Emotet operations.
The idea is that a machine infected with Emotet would send all the data stolen from infected hosts to these connected devices, which would then pass the information on to the real Emotet C&C servers. This lets the Emotet gang hide the real location of their command infrastructure and prevents security researchers, hosting providers, and authorities from disrupting the botnet operations.
Usually Emotet is distributed via spam mail. Samples of Emotet found at the beginning of April showed that the trojan still spreads via spam, but with the help of the trojan downloader Powload. Spam messages contain an attachment masquerading as an invoice, designed to trick users into opening the ZIP file. This file contains variants of Powload and can be opened with the 4-digit password included in the body of the email. If the user enters the password, the file uses PowerShell to download the Emotet payload.
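The delivery pattern described above (a ZIP attachment that is password-protected, with a short numeric password quoted in the message body) is something a mail gateway can flag before a user ever opens the archive. The following Python script is an added example written for this page, not code from Trend Micro or from the article; the function names (`assess_message`, `zip_is_encrypted`, `make_flagged_zip`), the sample email and the regular expression are all assumptions. It parses a constructed message, checks whether any ZIP attachment has the encryption bit set in its headers (without extracting anything), looks for a four-digit password in the body, and reports the message as suspicious only when both indicators are present. The constructed fixture sets the ZIP encryption flag but does not actually encrypt the content, which is enough to exercise the header check.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from typing import Optional

# Heuristic: the word "password" followed within 40 non-digit characters by a
# standalone 4-digit number, matching the lure pattern described in the article.
PASSWORD_RE = re.compile(r"password[^0-9]{0,40}(\d{4})\b", re.IGNORECASE)


def zip_is_encrypted(data: bytes) -> bool:
    """True if any ZIP member has bit 0 (encryption) set in its general-purpose flags.
    Only the central directory is read; no member is extracted."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(zi.flag_bits & 0x1 for zi in zf.infolist())
    except zipfile.BadZipFile:
        return False


def assess_message(raw: bytes) -> dict:
    """Parse an RFC 822 message and return the indicators found."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    pw = PASSWORD_RE.search(text)

    encrypted_zips = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        # Check the magic bytes rather than trusting the declared filename or MIME type.
        if payload.startswith(b"PK\x03\x04") and zip_is_encrypted(payload):
            encrypted_zips.append(part.get_filename() or "<unnamed>")

    return {
        "password_in_body": pw.group(1) if pw else None,
        "encrypted_zip_attachments": encrypted_zips,
        # Both indicators together: numeric password in the body AND an encrypted ZIP.
        "suspicious": pw is not None and len(encrypted_zips) > 0,
    }


def make_flagged_zip(member: str, content: bytes, encrypted: bool = True) -> bytes:
    """Constructed test fixture: build a ZIP and optionally set the encryption flag bit
    in the local header (offset 6) and central directory entry (offset 8).
    The content itself is NOT encrypted; only the header flag is set."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, content)
    data = bytearray(buf.getvalue())
    if encrypted:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(sig)
            while pos != -1:
                data[pos + off] |= 0x01
                pos = data.find(sig, pos + 1)
    return bytes(data)


def build_sample_email(encrypted: bool = True) -> bytes:
    """Constructed sample resembling the invoice lure (not a real Emotet message)."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Invoice 4471"
    msg.set_content("Please find the invoice attached.\nThe password for the archive is 1234.\n")
    msg.add_attachment(make_flagged_zip("invoice.doc", b"placeholder content", encrypted),
                       maintype="application", subtype="zip", filename="invoice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(assess_message(build_sample_email(encrypted=True)))
    print(assess_message(build_sample_email(encrypted=False)))
```

The header check deliberately avoids opening the archive: an encrypted member cannot be scanned without the password anyway, and the combination of "encrypted ZIP" plus "password in the body" is the signal, not the archive contents. On real mail traffic the regex should be tuned to the languages and phrasings seen in the environment.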
Emotet operators have been compromising vulnerable routers and IoT devices since March. The malware is known to include a list of hardcoded IP addresses serving as its C&C servers. Investigating some of the most recent live IP addresses of known Emotet C&C servers, the researchers discovered that many of them actually belonged to different types of connected devices.
The practice of placing proxies between infected hosts and C&C servers is not uncommon. Some criminal groups use this method, but they usually rely on more stable proxy systems made up of hacked servers, desktops, and smartphones, which tend to stay up and running for longer. Proxies built from infected connected devices are considered less stable because few strains of IoT malware can "survive" a reboot. But it appears that the Emotet operators are willing to take that risk in order to remain undetected.