Emotet malware runs on a dual infrastructure to avoid downtime and takedowns

Researchers spot unique design in the server infrastructure propping up the Emotet malware.

The Emotet malware gang is probably managing their server infrastructure better than most companies are running their internal or external IT systems.

A report published last week by Trend Micro reveals that the Emotet crew has intentionally designed its server backbone infrastructure into two separate clusters.

Researchers ended up at this conclusion after they analyzed 571 Emotet malware samples from where they extracted the IP addresses of 721 Emotet command-and-control (C&C) servers, but also six RSA encryption keys that the malware had used to encrypt the communications between infected computers and its C&C servers.

When researchers visualized the relationship between each RSA key and its set of C&C servers, the results were pretty surprising, as the Emotet infrastructure was depicted as two separate clusters that didn't communicate with each other. This was out of the ordinary, as most malware infrastructures tend to be one giant blob of interconnected servers.

emotet-dual-infrastructure.png
Image: Trend Micro

"Our initial assumption was that the two Emotet [clusters] were created for different purposes or are being utilized by different operators," said Trend Micro researchers. "However, we did not find any major difference between the IoCs under these two groups."

For instance, researchers said they've seen one cluster push a version of Emotet or other second-stage malware one day, and then see the other cluster push the exact same samples the next day. This showed that the same group of malware developers was running both clusters.

Researchers said they believe the Emotet gang divided their C&C server infrastructure in two for several potential reasons/benefits. One reason could be that this dual infrastructure makes tracking Emotet infections by security firms a much tougher job --albeit, not impossible.

Second, in case of a technical glitch or failure, the other cluster will remain online and keep the Emotet gang's operation functional.

Third, the dual infrastructure makes any coordinated law enforcement takedown a little bit harder, as authorities and cyber-security firms would need to coordinate takedowns against both clusters.

This someone unorthodox infrastructure setup is rare among malware operations, but it's not surprising that Emotet is the one that's using it. The Emotet gang has constantly released new and intriguing modules, has rolled out competent antivirus evasion tricks, and has featured good coding, something rare on the malware scene, but something that suggests that experienced malware coders are involved.

In addition to discovering Emotet's dual infrastructure, researchers also discovered that "the author of the Emotet malware may live somewhere in the UTC+10 time zone, or further east."

The Emotet malware operation, formerly a banking trojan but not repurposed into a malware downloader, has been one of 2018's most active malware threats.

Last month, Emotet gained a new module that stole the text of an infected victim's Outlook emails, something not seen in other malware droppers or banking trojans.

Last week, Emotet spam operations started imitating the email templates of major US financial institutions. The malware's spam operations also started adopting DKIM to bypass mail server spam filters.

More security coverage: