According to security company Trend Micro, the group behind the Emotet malware deliberately designed the backbone of its command-and-control infrastructure as two separate server clusters.
Researchers analysed 571 samples of the group's malware, which allowed them to extract the IP addresses of 721 Emotet command-and-control (C&C) servers, as well as six RSA encryption keys that the malware used to encrypt communications between infected computers and the C&C servers.
When the relationship between the RSA keys and the corresponding C&C servers was visualised, two separate clusters that did not communicate with each other became apparent. This is unusual, because most malware infrastructures consist of one large group of interconnected servers.
At first the researchers thought the two clusters had been built for different purposes, or were run by different operators. Trend Micro, however, found no major differences between the IoCs of the two groups.
For example, the researchers say they saw one cluster push a version of Emotet or another malware family, and the next day saw the other cluster distribute exactly the same samples. This showed that the same group of malware developers managed both clusters.
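The two analysis steps above, linking RSA keys to C&C servers to find disjoint clusters and then checking which payloads were pushed from both, can be reproduced on sample metadata. The following is an added example, not Trend Micro's code or data: the sample records, key names, payload hashes and IP addresses are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample metadata, not Trend Micro's dataset: each analysed sample
# reduced to the RSA public-key fingerprint it embeds and the C&C IPs it
# contacts.  Key names, sample IDs and IPs are placeholders.
SAMPLES = [
    {"id": "s1", "rsa_key": "K1", "c2": ["10.0.0.1", "10.0.0.2"]},
    {"id": "s2", "rsa_key": "K2", "c2": ["10.0.0.2", "10.0.0.3"]},
    {"id": "s3", "rsa_key": "K3", "c2": ["10.0.1.1"]},
    {"id": "s4", "rsa_key": "K3", "c2": ["10.0.1.2"]},
    {"id": "s5", "rsa_key": "K1", "c2": ["10.0.0.4"]},
]
# Constructed (server, payload hash) observations of what each C&C pushed.
PUSHED = [("10.0.0.1", "payloadA"), ("10.0.1.1", "payloadA"),
          ("10.0.0.3", "payloadB")]
def cluster_infrastructure(samples):
    """Connected components of the key<->server graph, as sets of C&C IPs.
    Servers share a cluster when a chain of samples links them via shared
    RSA keys or shared servers; disjoint components are the separate,
    non-communicating clusters the article describes."""
    adj = defaultdict(set)
    for s in samples:
        key = ("key", s["rsa_key"])
        for ip in s["c2"]:
            adj[key].add(("c2", ip))
            adj[("c2", ip)].add(key)
    seen, clusters = set(), []
    for start in adj:          # depth-first search from each unvisited node
        if start in seen:
            continue
        stack, comp = [start], set()
        while stack:
            node = stack.pop()
            if node in seen:
                continue
            seen.add(node)
            comp.add(node)
            stack.extend(adj[node] - seen)
        clusters.append(frozenset(ip for kind, ip in comp if kind == "c2"))
    return sorted(clusters, key=sorted)

def payloads_seen_from_multiple_clusters(pushed, clusters):
    """Payload hashes served from more than one cluster: the overlap that
    showed one operator runs both, per the article."""
    owner = {ip: i for i, c in enumerate(clusters) for ip in c}
    seen_in = defaultdict(set)
    for ip, payload in pushed:
        seen_in[payload].add(owner[ip])
    return {p for p, cs in seen_in.items() if len(cs) > 1}
```

On the constructed data this yields two disjoint clusters (four servers under keys K1/K2, two under K3) and flags payloadA as served from both.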
The researchers believe the group set up the C&C infrastructure in two parts for several reasons. For one, the split makes it harder for security companies to track Emotet infections. And if a technical failure takes one cluster down, the other remains online and the malware campaign stays active.
The third benefit is that it is harder for the authorities to take the campaign offline, because authorities and security companies have to act against both clusters.
The researchers further discovered that the "author of the Emotet malware may live in the UTC+10 time zone, or even further east". This time zone covers North Asia, including part of Russia, Antarctica, and Oceania (including Australia). The Emotet operation is one of the biggest active malware threats of 2018; it started out as a banking trojan.

This news article was automatically translated from Dutch to give Techzine.eu a head start.