The New Evasion Technique of Emotet Malware allows hacked devices to be used as proxy command and control (C&C) servers

cyber attack

A new wave of Emotet malware using a special evasion technique to fool and hide POST infection traffic, avoid detection and safety software.

It also initially uses hacked devices as proxy servers (C&C) and redirects traffic to the original C&C server that operates by threat actors.

Emotet is one of the notorious families of malware that infects various victims and earns millions of dollars from the malware operator.

Researchers say that traffic is very complex to analysis because of different evasion techniques used in the development phase of malware.

Emotet’s malware is used to jeopardize and collect connected devices vulnerable to other malicious ends.

Infection of Emotet malware process

Initially, a spam email campaign with the attached invoice file and body of email leads users to download malicious files.

The zip attached is a password-protected file that requires users to obtain the password from the email body and use it for opening the file.

“A look at the ZIP file shows that there are download variants (detected as Trojan. W97M.POWLOAD). When you enter your password, Powershell uses a Powershell to download an executable file, which is Emotet’s payload. ”

The randomized number used as a URI directory path is included in a post-infection traffic, which helps prevent malware network based detection.

Emotet’s previous version of malware used the HTTP GET application to send victim information to the C&C server and the stolen data store on the cookie header.

However, the new wave actors did not use the header of the Cookie and changed the HTTP request method to POST. The data is still encoded in base 64 with an RSA and AES key.

According to Trend Micro Research, ‘ We have examined some of the latest live IP addresses for known C&C server servers, and found that they are different types of connected devices: One is the router’s web interface and another is a built-in printer and other device management server. ‘

This new campaign has been observed since March and it is clear that the connected devices are used for the additional layer of server communication command & control.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.