Over the last few days, a hacker has succeeded in replacing the payloads normally delivered by the Emotet Trojan with GIF images.
Emotet, which resumed operations earlier this month after a five-month break, is hijacking legitimate email conversations to send spear-phishing emails to its intended victims.
The new Emotet campaign features hundreds of thousands of spear-phishing emails daily, targeting vertical industries in the U.S. and the U.K.
However, just days after the campaign kicked off, security researchers discovered a hacker managed to hijack the distribution mechanism for Emotet and replace the payloads with GIF images.
This was possible, security researcher Kevin Beaumont explains, because the payload delivery method employed by Emotet is insecure, something that has been known for some time.
In particular, the researcher notes that Emotet's operators stage their Word documents and payload executables on compromised websites through webshells, and that this distribution infrastructure is itself largely compromised, with the passwords and techniques widely known.
Beaumont first pointed this out last December:
The Emotet payload distribution method is super insecure, they deploy an open source webshell off Github into the WordPress sites they hack, all with the same password, so anybody can change the payloads infected PCs are receiving.
— Kevin Beaumont (@GossiTheDog) December 27, 2019
The hijacking was first detected on 21 July, when only some of the Emotet payloads were replaced by the hacker. Within a few days, however, more than a fifth of the payloads were being replaced.
“This is still happening today, within the hour of Emotet moving them, about a quarter of the payloads that I test were replaced with GIFs,” Beaumont noted in a tweet. The next day the payloads were being replaced within 20 minutes, suggesting the substitution was automated.
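As an added illustration (this is not code from the article, from Beaumont or from Cryptolaemus), here is how such a payload check can be scripted: for each distribution URL, look at the bytes it currently serves, classify them by their magic bytes, and compute what share of the sampled URLs is serving a GIF instead of the expected Word document or executable. The URLs and served bytes below are constructed placeholders; in real use the bytes would come from fetching each URL.

```python
"""Classify what each payload URL is serving by magic bytes and measure what
fraction of a sample set has been swapped for GIF images.

Added example with constructed inputs; not the article's or any researcher's code.
"""
from collections import Counter
from typing import Dict, Tuple

# First-bytes signatures for the file types that matter in this check.
# Assumption for the example: the expected payloads are Word documents or
# PE executables; a GIF served from a payload URL indicates tampering.
SIGNATURES: Tuple[Tuple[bytes, str], ...] = (
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "doc"),   # OLE2 compound file (.doc)
    (b"PK\x03\x04", "docx"),                        # OOXML (.docx/.docm) is a ZIP
    (b"MZ", "exe"),                                 # PE executable / DLL
)


def classify_payload(data: bytes) -> str:
    """Return a short label for the file type of `data` based on its leading bytes."""
    for magic, label in SIGNATURES:
        if data.startswith(magic):
            return label
    head = data.lstrip()[:15].lower()
    if head.startswith(b"<!doctype html") or head.startswith(b"<html"):
        # An HTML body usually means an error page: the URL is dead or the
        # site is no longer serving a payload at all, rather than tampering.
        return "html"
    return "unknown"


def summarize(served: Dict[str, bytes]) -> Tuple[Counter, float]:
    """Classify what each URL serves and return (type counts, fraction of URLs
    serving a GIF). `served` maps a payload URL to the bytes fetched from it."""
    counts = Counter(classify_payload(body) for body in served.values())
    gif_fraction = counts["gif"] / len(served) if served else 0.0
    return counts, gif_fraction


# Constructed sample: the bytes a few hypothetical payload URLs might return.
SAMPLE_SERVED: Dict[str, bytes] = {
    "https://example.invalid/wp-content/a.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64,
    "https://example.invalid/wp-content/b.docm": b"PK\x03\x04" + b"\x14\x00" * 16,
    "https://example.invalid/wp-content/c.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "https://example.invalid/wp-content/d.doc": b"GIF89a" + b"\x01\x00\x01\x00" + b"\x00" * 32,
    "https://example.invalid/wp-content/e.doc": b"<html><body>Not Found</body></html>",
}

if __name__ == "__main__":
    counts, frac = summarize(SAMPLE_SERVED)
    for url, body in SAMPLE_SERVED.items():
        print(f"{classify_payload(body):8} {url}")
    print(f"{dict(counts)}  gif fraction: {frac:.0%}")
```

Classifying by magic bytes rather than by file extension or Content-Type header is deliberate: the URLs keep their original names and the server keeps answering, so only the served bytes reveal the swap. The HTML case is kept separate from GIFs so that dead URLs are not counted as tampering.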
The hijacking was also observed by Cryptolaemus, a group of researchers who track Emotet's activity, and their findings show that Emotet's operators seemed to have a hard time keeping the intruder out.
The researchers also noted that the intrusion led Emotet's operators to scale back distribution in an attempt to stop the GIF images from being served.
“I believe that this morning’s lack of updates was linked to the Emotet team trying to avoid their payloads being ‘Hackerman’ [one of the photos delivered]. To our surprise, we verified with @executemalware reports that he still saw some sites appearing with Hackerman even after distro started back up around 1900 UTC with 3 new docs at all epochs,” Cryptolaemus noted.
Cryptolaemus later said that the cybercriminals had regained control and resumed sending out spam.
#emotet update – Looks like Ivan/Emotet gang has control of things again and are pumping out the spam again this morning. All 3 botnets started between 05:00 EDT - 06:00 EDT or 09:00 UTC - 10:00 UTC. E3 is currently only attachments but E1 and E2 are links and attachments.
— Cryptolaemus (@Cryptolaemus1) July 27, 2020
Emotet's effectiveness took a hit while it was being hijacked, but Beaumont warned that whoever did this could just as easily have replaced the payloads with stealthier malware rather than harmless GIFs.