Emotet gang is trying to build a shell of IoT devices around its banking botnet

Emotet group uses hacked security cameras and routers as proxy system to hide command infrastructure.

Emotet

UPDATE: Following the publication of this story earlier this morning, members of cyber-security community have highlighted several errors in the Trend Micro report on which this article is based on. The error refers to Trend Micro misidentifying the Emotet proxy system as routers and IoT devices [1, 2, 3, 4, 5, 6, 7, 8], rather then normal desktop computers sitting behind the routers, inside local networks, a technique Emotet has used for months. Although this would have been a detail hard to pick up and verify, ZDNet regrets the error, as there was at least one Twitter thread that discussed this inaccuracy prior to today's publication that we failed to find during our background research prior to publication. We've left the original article below, although, all signs point to being factually incorrect.

The operators of the Emotet banking trojan have spent the last two months taking over routers and IoT devices in order to build a cocoon around their botnet.

This marks the first time malware has been seen using infected routers and IoT devices as intermediary points for communications between infected computers and the malware's command-and-control (C&C) servers.

The idea is that a Windows computer infected with Emotet would send all the data acquired from infected hosts to these routers and IoT devices, which would then relay the information to the real Emotet C&C servers. The opposite is also valid, with the Emotet gang sending commands to the infected smart devices, which relay it to infected hosts.

By doing this, the Emotet gang is hoping to hide the real location of their command infrastructure and prevent security researchers, hosting providers, and authorities from taking down parts of their botnet.

Routers, security cameras, smart printers

The Emotet gang has been using hacked routers and IoT devices as proxies since last month, in March, according to security researchers from Trend Micro, who recently spotted this update in its code.

By scanning past samples of Emotet malware, they were able to extract the IP addresses of tens of compromised routers and IoT devices.

The list includes the IP addresses of the web dashboard of security cameras, routers, router FTP servers, webcams, and web panels for smart printers.


Type of connected device
24Web server  interface of IP camera
3Router test server
4Router
1Router FTP server
1Web cam
1Web administration for printers, network switches, etc.

The practice of using proxy networks to hide malicious traffic isn't new, but it's not been used like this before. Criminals usually employ proxy networks when connecting from their home connections to C&C servers, to hide their real location.

Some criminal groups use proxies between infected hosts and the C&C servers, but they usually employ more stable proxy systems consisting of compromised servers, desktop, and smartphone devices, which tend to remain up and running for longer times.

Proxy networks made up of infected routers and IoT devices are considered less stable because very few (proxy-capable) IoT malware strains can achieve boot persistence on infected hosts, hence support the proxy's backbone for longer periods of time.

Hence, using a router or IoT device's IP address as a hardcoded C&C address inside malware samples can lead to problems once the IoT device is reset and the malware is removed from memory.

However, it appears this is a risk the Emotet gang is willing to take for the sake of stealth.

This is also not the group's only trick. Last year, the Emotet gang split their botnet into two clusters, also in an attempt to make it harder for law enforcement officials to take it down, as they'd have to take down two different botnets at the same time, rather than just one.

Overall, the Emotet malware is by far one of the most complex and most dangerous malware strains today. The malware uses large spam campaigns to target end users, can move laterally inside enterprise networks, and has been caught mass-harvesting and weaponizing victim's emails.

The Emotet group also rents access to its botnet of infected hosts, and it has been already shown that many infections with the Ryuk and LockerGaga ransomware strains came after organizations were first hit with Emotet.

Related malware and cybercrime coverage: