
Emotet growing slowly but steadily since November resurgence

The notorious Emotet botnet is still being distributed steadily in the wild, having now infected 130,000 systems in 179 countries.

While this may be a far cry from the once global dominance of having 1.6 million devices under its control, it shows that the malware is still undergoing a resurgence, and it’s getting stronger every day.

Emotet activity stopped in 2019 while its second major version was in circulation, and the malware returned only in November 2021, with the help of TrickBot.

A few days later, it became evident that the revival was orchestrated by the Conti ransomware gang, who use it to gain initial access to corporate networks.

Beyond the initial infection, Emotet has continued to skip dropping TrickBot as a payload and instead goes straight to dropping the Cobalt Strike pentesting tool, giving the operators quick remote access to compromised networks.

Tracking the Emotet botnet

Threat analysts at Black Lotus Labs have taken a deeper dive into Emotet’s “Epoch 3” to identify new features and map its current distribution patterns.

As the chart below shows, the Emotet botnet started to slowly rebuild itself in November, with far greater distribution via phishing campaigns beginning in January 2022.

Emotet bot distribution shifting up a gear (Black Lotus)

The new Emotet campaign also includes features like a new elliptic curve cryptography (ECC) scheme that replaces the RSA encryption used for network traffic protection and validation.

Moreover, the new version deploys a process list module only after the connection with the C2 has been established.

Additionally, the malware authors have now added more info-gathering capabilities for better system profiling, whereas previously, Emotet would only send back a list of running processes.

The malware now beacons additional info about the host (Black Lotus)

Slow and steady restructuring

Black Lotus reports that there are currently 200 unique C2s supporting Emotet’s resurgence, with the number growing slowly but steadily. The average number of days of activity for C2s is presently 29.

Emotet tier 1 C2s observed in recent months (Black Lotus)

As in previous epochs, most of Emotet’s C2 infrastructure is located in the United States and Germany, followed by France, Brazil, Thailand, Singapore, Indonesia, Canada, the UK, and India.

Emotet C2 locations (Black Lotus)

In terms of bot distribution, the focus is Japan, India, Indonesia, Thailand, South Africa, Mexico, the United States, China, Brazil, and Italy.

Heatmap of Emotet victims (Black Lotus)

The threat analysts believe that the reason for the first three countries topping this list is the number of outdated and thus vulnerable Windows machines in the region.

As Bleeping Computer reported in December, Emotet exploited a Windows AppX Installer spoofing vulnerability to install apps on the host directly from a remote source.

Microsoft addressed the problem, tracked as CVE-2021-43890, with the December 2021 Patch Tuesday updates, but because patch uptake was slow relative to the benefit of keeping the abused MSIX handler available, the software giant decided to simply disable it.

Still, pirated Windows copies that have purposefully severed their connectivity to Microsoft update servers remain vulnerable to malware attacks like Emotet’s.
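For defenders who want to confirm that the handler abused via CVE-2021-43890 is actually disabled on their fleet, the following PowerShell check is an added example (not code from the article or from Black Lotus Labs). It assumes the Microsoft-documented App Installer policy value `EnableMSAppInstallerProtocol` under `HKLM\SOFTWARE\Policies\Microsoft\Windows\AppInstaller` (0 = protocol disabled) and the `Microsoft.DesktopAppInstaller` package name; both are taken from Microsoft's App Installer documentation as I recall it, not from the page, so verify them against current guidance before relying on the result.

```powershell
# Added example: report whether the ms-appinstaller protocol handler (the MSIX
# handler abused by Emotet in CVE-2021-43890) is disabled by policy, and which
# App Installer version is present. Registry path/value and package name are
# assumptions based on Microsoft's App Installer group policy documentation.
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller'
$valueName  = 'EnableMSAppInstallerProtocol'

function Get-MsAppInstallerProtocolState {
    # Returns 'Disabled', 'Enabled', or 'NotConfigured' (no policy set, so the
    # behaviour depends entirely on the installed App Installer build).
    $item = Get-ItemProperty -Path $policyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ($item.$valueName -eq 0) { return 'Disabled' }
    return 'Enabled'
}

function Get-AppInstallerVersion {
    # The package version tells you whether the host has received an App
    # Installer build that itself disables the handler, independent of policy.
    $pkg = Get-AppxPackage -Name 'Microsoft.DesktopAppInstaller' -ErrorAction SilentlyContinue
    if ($pkg) { return [string]$pkg.Version }
    return 'NotInstalled'
}

# Emit one object per host so the output can be collected centrally
# (e.g. via Invoke-Command) and compared against Microsoft's guidance.
[pscustomobject]@{
    ComputerName        = $env:COMPUTERNAME
    ProtocolPolicy      = Get-MsAppInstallerProtocolState
    AppInstallerVersion = Get-AppInstallerVersion
}
```

A result of `NotConfigured` is not a pass: it only means no explicit policy exists, and the protocol state then depends on the App Installer version, which is why the script reports both. Hosts cut off from Microsoft update servers, as the article notes for pirated copies, will typically show an old package version and no policy, and are the ones to prioritise.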

Source: https://www.bleepingcomputer.com/news/security/emotet-growing-slowly-but-steadily-since-november-resurgence/
