Emotet gang is trying to build a shell of IoT devices around its banking botnet
The operators of the Emotet banking trojan have spent the last two months taking over routers and IoT devices in order to build a cocoon around their botnet.
This marks the first time malware has been seen using infected routers and IoT devices as intermediary points for communications between infected computers and the malware’s command-and-control (C&C) servers.
The idea is that a Windows computer infected with Emotet sends the data it has collected to one of these compromised routers or IoT devices, which relays it to the real Emotet C&C servers. The same holds in the other direction: the Emotet gang sends commands to the compromised devices, which relay them to the infected Windows hosts. The infected host therefore only ever connects to the proxy's IP address, never to the real C&C server.
By doing this, the Emotet gang is hoping to hide the real location of their command infrastructure and prevent security researchers, hosting providers, and authorities from taking down parts of their botnet.
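The relay described above, as an added illustration that is not code from the article or from the Trend Micro research: a minimal TCP forwarder playing the compromised router's role, with a fake "C&C server" and a fake "infected host" all on 127.0.0.1. The message contents, the port numbers (ephemeral) and the reply string are constructed for the demo. Note what each side observes: the infected host only ever sees the relay's address, and the C&C server only ever sees a connection from the relay.

```python
import socket
import threading

socket.setdefaulttimeout(5)  # keep the demo from hanging if something goes wrong


def _pump(src, dst):
    """Copy bytes from src to dst until src hits EOF, then propagate EOF to dst."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_fake_c2(seen):
    """The real C&C: records who connected and what it received, answers with a command."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, peer = srv.accept()
        with conn:
            data = b""
            while True:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                data += chunk
            seen["c2_peer"] = peer              # address the C&C sees: the relay, not the victim
            seen["c2_received"] = data
            conn.sendall(b"CMD:update-module\n")  # constructed reply, not a real Emotet command
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def start_relay(c2_port, seen):
    """The compromised router/IoT device: accepts the victim and splices it to the C&C."""
    lst = socket.socket()
    lst.bind(("127.0.0.1", 0))
    lst.listen(1)

    def serve():
        victim, _ = lst.accept()
        upstream = socket.create_connection(("127.0.0.1", c2_port))
        seen["relay_source_port"] = upstream.getsockname()[1]
        back = threading.Thread(target=_pump, args=(upstream, victim), daemon=True)
        back.start()
        _pump(victim, upstream)   # victim -> C&C direction
        back.join()               # C&C -> victim direction finishes
        victim.close()
        upstream.close()
        lst.close()

    threading.Thread(target=serve, daemon=True).start()
    return lst.getsockname()[1]


def run_demo():
    """Run host -> relay -> C&C -> relay -> host once and return what each side observed."""
    seen = {}
    c2_port = start_fake_c2(seen)
    relay_port = start_relay(c2_port, seen)
    # The infected host is only ever configured with the relay's address.
    with socket.create_connection(("127.0.0.1", relay_port)) as victim:
        victim_peer_port = victim.getpeername()[1]
        victim.sendall(b"POST /exfil stolen-emails\n")  # constructed stand-in for harvested data
        victim.shutdown(socket.SHUT_WR)
        reply = b""
        while True:
            chunk = victim.recv(4096)
            if not chunk:
                break
            reply += chunk
    return {
        "c2_port": c2_port,
        "relay_port": relay_port,
        "victim_peer_port": victim_peer_port,   # == relay_port: the host never sees the C&C
        "relay_source_port": seen["relay_source_port"],
        "c2_peer": seen["c2_peer"],             # == (127.0.0.1, relay_source_port)
        "c2_received": seen["c2_received"],
        "reply": reply,
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v!r}")
```

For a defender this is the practical consequence: a blocklist or takedown built from the address the infected host talks to hits the proxy device, not the C&C server behind it, and the proxy can be swapped for another compromised device without touching the real infrastructure.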
Routers, security cameras, smart printers
The Emotet gang has been using hacked routers and IoT devices as proxies since March, according to security researchers from Trend Micro, who recently spotted the change in the malware's code.
By scanning past samples of the Emotet malware, they were able to extract the IP addresses of dozens of compromised routers and IoT devices.
The list includes the IP addresses of the web dashboards of security cameras, routers, router FTP servers, webcams, and web administration panels for smart printers.
|Count|Type of connected device|
|---|---|
|24|Web server interface of IP camera|
|3|Router test server|
|1|Router FTP server|
|1|Web administration for printers, network switches, etc.|
The practice of using proxy networks to hide malicious traffic isn’t new, but it’s not been used like this before. Criminals usually employ proxy networks when connecting from their home connections to C&C servers, to hide their real location.
Some criminal groups do place proxies between infected hosts and the C&C servers, but they usually build more stable proxy layers out of compromised servers, desktops, and smartphones, which tend to stay up and running for longer periods.
Proxy networks made up of infected routers and IoT devices are considered less stable because very few (proxy-capable) IoT malware strains achieve boot persistence on the devices they infect, so the proxy layer cannot be relied on for long: most IoT malware lives only in memory and disappears on reboot.
Hence, hardcoding a router or IoT device's IP address as a C&C address inside malware samples can lead to problems as soon as the device is rebooted and the malware is wiped from memory, since the infected Windows hosts pointed at that address lose their path to the real C&C.
However, it appears this is a risk the Emotet gang is willing to take for the sake of stealth.
This is also not the group’s only trick. Last year, the Emotet gang split their botnet into two clusters, also in an attempt to make it harder for law enforcement officials to take it down, as they’d have to take down two different botnets at the same time, rather than just one.
Overall, Emotet is one of the most complex and most dangerous malware strains active today. The malware uses large spam campaigns to target end users, can move laterally inside enterprise networks, and has been caught mass-harvesting victims' emails and weaponizing them in follow-up spam.
The Emotet group also rents access to its botnet of infected hosts, and it has already been shown that many infections with the Ryuk and LockerGoga ransomware strains came after organizations were first hit with Emotet.