[SANS ISC] Emotet Stops Using 0.0.0.0 in Spambot Traffic, (Tue, Jan 25th)

Introduction

Last week, I wrote a diary about Emotet using 0.0.0.0 in its spambot traffic instead of the actual IP address of the infected Windows host (link).

Shortly after that diary, Emotet changed from using 0.0.0.0 to using the victim’s IP address, but with the octet values listed in reverse order.

Details

During a recent Emotet infection on Tuesday 2022-01-24, my infected Windows host was using 173.66.46.112 as its source IP.  Note that my source IP has been edited for this diary to sanitize/disguise the actual IP address.  See the image below for DNS traffic representing a possible spam blocklist check by my infected Windows host.  In other malware families like Trickbot, the octet order is reversed.  But the order is not reversed for this Emotet infection.


Shown above:  Possible spam blocklist check by my Emotet-infected host on Tuesday 2022-01-24.

As seen in the above image, the following DNS queries were made:

173.66.46.112spam.abuse.ch
173.66.46.112.b.barracudacentral.org
173.66.46.112.bl.mailspike.net
173.66.46.112.spam.dnsbl.sorbs.net
173.66.46.112.zen.spamhaus.org

Again, I normally see the octet order reversed with other malware like Trickbot.  This reversed order also appeared during SMTP traffic with the command EHLO [112.46.66.173] as shown below.


Shown above:  Victim IP address in Emotet spambot traffic on Tuesday 2022-01-24.
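For defenders, the useful point in the traffic above is that a workstation looking up its own public IP in several spam blocklists is behaving like a spambot, whether the octets are in natural order (this Emotet sample) or in the conventional reversed order (Trickbot). The following script is an added example, not part of the diary, and it assumes DNS log lines of the form `<timestamp> <client> <qname>` and uses the four dotted DNSBL zones shown above; the sample log lines are constructed around the sanitized host IP 173.66.46.112 and are not a real capture.

```python
import re
from collections import Counter

# DNSBL zones that appeared in the diary's DNS capture. Any A.B.C.D.<zone> lookup
# against one of them is a blocklist check for the IP A.B.C.D.
DNSBL_ZONES = frozenset({
    "b.barracudacentral.org",
    "bl.mailspike.net",
    "spam.dnsbl.sorbs.net",
    "zen.spamhaus.org",
})

# Four dotted-decimal labels followed by the rest of the name (the zone).
IPV4_LABELS = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(.+)$")

# SMTP EHLO/HELO with an IPv4 address literal in brackets, e.g. "EHLO [112.46.66.173]".
EHLO_LITERAL = re.compile(r"^(?:EHLO|HELO)\s+\[(\d{1,3}(?:\.\d{1,3}){3})\]\s*$", re.IGNORECASE)


def reverse_octets(ip):
    """'173.66.46.112' -> '112.46.66.173' (the conventional DNSBL lookup order)."""
    return ".".join(reversed(ip.split(".")))


def parse_dnsbl_query(qname):
    """Split an A.B.C.D.<zone> query name into (ip_as_written, zone).

    Returns None when the name is not a lookup against a known DNSBL zone or the
    leading labels are not a valid dotted quad.
    """
    m = IPV4_LABELS.match(qname.rstrip(".").lower())
    if not m:
        return None
    octets, zone = m.groups()[:4], m.group(5)
    if zone not in DNSBL_ZONES or any(int(o) > 255 for o in octets):
        return None
    return ".".join(octets), zone


def classify_dnsbl_query(qname, host_ip):
    """Relate a DNSBL query to the querying host's own public IP.

    'self-check-forward'  : host IP embedded in natural order (this Emotet traffic)
    'self-check-reversed' : host IP embedded in conventional reversed order (e.g. Trickbot)
    'other'               : a DNSBL lookup for some other address
    None                  : not a DNSBL lookup at all
    """
    parsed = parse_dnsbl_query(qname)
    if parsed is None:
        return None
    embedded, _zone = parsed
    if embedded == host_ip:
        return "self-check-forward"
    if embedded == reverse_octets(host_ip):
        return "self-check-reversed"
    return "other"


def classify_ehlo(smtp_line, host_ip):
    """Compare the IPv4 literal in an EHLO/HELO command with the host IP.

    Returns 'forward', 'reversed', 'other', or None if there is no address literal.
    """
    m = EHLO_LITERAL.match(smtp_line.strip())
    if not m:
        return None
    literal = m.group(1)
    if literal == host_ip:
        return "forward"
    if literal == reverse_octets(host_ip):
        return "reversed"
    return "other"


def scan_dns_log(lines, host_ip):
    """Tally DNSBL lookups in log lines of the form '<timestamp> <client> <qname>'.

    Several self-checks from one workstation in a short window is the spambot
    signature, whichever octet order the malware happens to use.
    """
    counts = Counter({"self-check-forward": 0, "self-check-reversed": 0, "other": 0})
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        label = classify_dnsbl_query(parts[2], host_ip)
        if label is not None:
            counts[label] += 1
    return dict(counts)


# Constructed sample data: the sanitized host IP from the diary and log lines
# modelled on the queries shown above (not a real capture).
HOST_IP = "173.66.46.112"
SAMPLE_DNS_LOG = [
    "2022-01-24T15:01:02 173.66.46.112 173.66.46.112.b.barracudacentral.org",
    "2022-01-24T15:01:02 173.66.46.112 173.66.46.112.bl.mailspike.net",
    "2022-01-24T15:01:03 173.66.46.112 173.66.46.112.spam.dnsbl.sorbs.net",
    "2022-01-24T15:01:03 173.66.46.112 173.66.46.112.zen.spamhaus.org",
    "2022-01-24T15:01:04 173.66.46.112 www.example.com",
    "2022-01-24T15:01:05 173.66.46.112 112.46.66.173.zen.spamhaus.org",
]

if __name__ == "__main__":
    print(scan_dns_log(SAMPLE_DNS_LOG, HOST_IP))
    print(classify_ehlo("EHLO [112.46.66.173]", HOST_IP))
```

Because the check compares the embedded address against both octet orders, it is not thrown off by a change like the one this diary describes; mail servers and proxies legitimately query DNSBLs for other addresses, so only the two self-check labels from an ordinary workstation are worth alerting on.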

Twitter discussion for last week’s diary indicates Emotet developers may have broken something in the spambot module to produce the previous 0.0.0.0 traffic.  I’m not sure if this new traffic–the reversed order of the victim’s IP address–is intentional or not.

Final words

You can find up-to-date indicators for Emotet malware samples, URLs, and C2 IP addresses at:

https://urlhaus.abuse.ch/browse/tag/emotet/
https://feodotracker.abuse.ch/browse/emotet/
https://bazaar.abuse.ch/browse/tag/Emotet/
https://threatfox.abuse.ch/browse/malware/win.emotet/

Brad Duncan
brad [at] malware-traffic-analysis.net

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
