Security researchers have discovered a new variant of Emotet Trojan that compromises devices and uses them as proxy command and control (C&C) servers.
Security researchers at Trend Micro Labs discovered the new campaign and said that “It is also attempting to use compromised connected devices as proxy command and control (C&C) servers that redirect to the real Emotet C&Cs.”
The attackers are using this malware to compromise and collect vulnerable connected devices, which can then be used as resources for other malicious purposes.
Emotet Trojan is spread via spam mail with the help of the Trojan downloader Powload.
The spam email contains a ZIP file that can be opened using a 4-digit password given in the body of the mail.
The ZIP file contains variants of Powload; if the user enters the password, an executable file is downloaded using PowerShell, and that file is the final Emotet payload.
In their analysis, the researchers also discovered that the Trojan uses a new post-infection traffic technique: it was seen using randomly generated URI directory paths to evade network-based detection.
The data in the HTTP POST message body has also been changed. In the previous variant, the malware used an HTTP GET request to send victim data to the C&C server, and the data was stored in the Cookie header.
Instead of storing the stolen data in the Cookie header, the newer variant sends it within the body of the HTTP POST message.
In both variants, the data is encrypted using an RSA key and AES, then Base64-encoded.
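As an added illustration (not code from the Trend Micro report or this article), the following Python heuristic scores proxy-log entries for the traits described above: a POST to a bare-IP host, random-looking directory names in the URI path, and an opaque Base64 request body. The log lines, addresses and paths are constructed for the example.

```python
import base64
import re
from urllib.parse import urlsplit

# Constructed proxy-log sample (not real Emotet traffic): METHOD URL CONTENT-TYPE BODY-LENGTH "BODY"
SAMPLE_LOG = [
    'POST http://203.0.113.25/aBz3kQ9x/Lp7vR2wT/ text/plain 32 "Y29uc3RydWN0ZWQgc2FtcGxlIGJvZHk="',
    'GET http://www.example.com/index.html text/html 0 ""',
    'POST http://www.example.com/api/login application/json 16 "{\\"user\\":\\"alice\\"}"',
    'GET http://198.51.100.7/ text/html 0 ""',
]

IP_HOST = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
# Mixed-case alphanumerics with digits, 6+ chars: the shape of a generated directory name.
RANDOM_SEG = re.compile(r"(?=.*\d)(?=.*[a-z])(?=.*[A-Z])[A-Za-z0-9]{6,}")

def looks_random(segment: str) -> bool:
    return RANDOM_SEG.fullmatch(segment) is not None

def is_base64_blob(body: str) -> bool:
    # A single Base64 token with no JSON/form structure, as the encrypted data is sent.
    if len(body) < 16 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", body):
        return False
    try:
        base64.b64decode(body, validate=True)
        return True
    except ValueError:  # binascii.Error is a ValueError subclass
        return False

def score_request(line: str):
    """Return (score, reasons) for one log line; each matched trait adds one."""
    method, url, _ctype, _length, body = line.split(" ", 4)
    parts = urlsplit(url)
    reasons = []
    if method == "POST" and IP_HOST.fullmatch(parts.hostname or ""):
        reasons.append("POST to bare IP host")
    random_segs = [s for s in parts.path.split("/") if looks_random(s)]
    if random_segs:
        reasons.append("random-looking path segments: " + ",".join(random_segs))
    if method == "POST" and is_base64_blob(body.strip('"')):
        reasons.append("opaque Base64 POST body")
    return len(reasons), reasons

def flag_suspicious(lines, threshold: int = 2):
    """Return [(url, reasons)] for requests scoring at or above the threshold."""
    flagged = []
    for line in lines:
        score, reasons = score_request(line)
        if score >= threshold:
            flagged.append((line.split(" ", 2)[1], reasons))
    return flagged
```

Thresholding on several weak traits together keeps ordinary POSTs to named hosts out of the alert stream while still surfacing the pattern this variant exhibits.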
“The change in POST-infection traffic and the use of these connected devices show that Emotet is still a constantly evolving and resilient threat. The malware authors are fine-tuning evasion techniques and trying to adapt to security solutions. If left unchecked and undetected, this threat may lead to a substantial loss of money and data for businesses,” the Trend Micro Labs researchers said in their blog post.