Black Lotus Labs notes Emotet’s resurgence since November 2021, with about 130,000 unique bots across 179 countries and evolving infrastructure that could serve as footholds or proxy C2s. The report highlights changes in encryption, process-list handling, and global C2 distribution, underscoring Emotet’s continued role as an initial access vector and as a delivery platform for other crimeware such as TrickBot.
#Emotet #BlackLotusLabs #Cryptolaemus #abusech #TrickBot
Keypoints
- Emotet has resurged since Nov 14, 2021, with roughly 130k unique bots across 179 countries, though not at its historical peak.
- New Emotet uses elliptic curve cryptography (ECC) for its network traffic: an embedded public key drives the encryption and a separate algorithm validates the data, replacing the prior RSA-based scheme.
- A dedicated process list module now collects additional host information after first contacting the C2, expanding its telemetry.
- Global C2 infrastructure shows about 77 unique Tier 1 C2s per day in early 2022, with US and Germany as leading locations and a mix of other countries.
- The tiering model has shifted: Bot C2s are largely absent and UPnP-based bot proxies have not been observed in the resurgence so far.
- Emotet’s bot distribution is heavy in Asia (Japan, India, Indonesia, Thailand) and includes other top countries like the US, China, Brazil, and Italy.
- Defensive guidance emphasizes phishing awareness, patching, and monitoring, with action taken to null-route some C2 infrastructure and IoCs published on GitHub.
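The "public key for encryption plus a separate validation algorithm" pattern from the ECC keypoint, worked through as an added example. This is not Emotet's code and not from the Black Lotus Labs report: it models a bot that embeds only two public keys, one for ECDH key agreement protecting what it sends and one for ECDSA verification of what it receives. The curve (P-256), the KDF (SHA-256 of the shared secret), AES-GCM, the nonce||ciphertext signing input, the split of roles between the two keys, and the sample payload strings are all assumptions of this example, not details taken from the report.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"io"
)

// must keeps the demo short: key generation and AEAD setup only fail on a
// broken RNG or library, which is fatal for this illustration anyway.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// c2Keys are the actor-held private keys. A bot would embed only the two
// public halves; the private halves stay on the C2 (assumed key split).
type c2Keys struct {
	kex  *ecdh.PrivateKey  // P-256 ECDH key bots agree a session key with
	sign *ecdsa.PrivateKey // P-256 ECDSA key the C2 signs replies with
}

func newC2Keys() *c2Keys {
	return &c2Keys{
		kex:  must(ecdh.P256().GenerateKey(rand.Reader)),
		sign: must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)),
	}
}

// sessionAEAD derives AES-256-GCM from SHA-256(ECDH shared secret); the KDF
// and cipher are assumptions of this example, not Emotet's choices.
func sessionAEAD(shared []byte) cipher.AEAD {
	key := sha256.Sum256(shared)
	return must(cipher.NewGCM(must(aes.NewCipher(key[:]))))
}

func seal(aead cipher.AEAD, plaintext []byte) (nonce, ct []byte) {
	nonce = make([]byte, aead.NonceSize())
	must(io.ReadFull(rand.Reader, nonce))
	return nonce, aead.Seal(nil, nonce, plaintext, nil)
}

// botRequest: ephemeral ECDH public key plus the encrypted payload (for
// instance a process list). signedReply: ciphertext under the session key
// plus an ECDSA signature over nonce||ciphertext, the "validation" step.
type botRequest struct{ ephPub, nonce, ct []byte }
type signedReply struct{ nonce, ct, sig []byte }

func replyDigest(nonce, ct []byte) []byte {
	h := sha256.New()
	h.Write(nonce)
	h.Write(ct)
	return h.Sum(nil)
}

// botEncrypt runs on the infected host, which holds only the C2's public
// ECDH key. The returned AEAD is the session key kept to open the reply.
func botEncrypt(c2KexPub *ecdh.PublicKey, payload []byte) (*botRequest, cipher.AEAD) {
	eph := must(ecdh.P256().GenerateKey(rand.Reader))
	aead := sessionAEAD(must(eph.ECDH(c2KexPub)))
	nonce, ct := seal(aead, payload)
	return &botRequest{eph.PublicKey().Bytes(), nonce, ct}, aead
}

// c2Handle recovers the session key with the private ECDH key, decrypts the
// request, then encrypts and signs the reply. Returns the request plaintext.
func c2Handle(k *c2Keys, req *botRequest, reply []byte) ([]byte, *signedReply, error) {
	pub, err := ecdh.P256().NewPublicKey(req.ephPub)
	if err != nil {
		return nil, nil, err
	}
	aead := sessionAEAD(must(k.kex.ECDH(pub)))
	plain, err := aead.Open(nil, req.nonce, req.ct, nil)
	if err != nil {
		return nil, nil, err // wrong key or tampered request
	}
	nonce, ct := seal(aead, reply)
	sig := must(ecdsa.SignASN1(rand.Reader, k.sign, replyDigest(nonce, ct)))
	return plain, &signedReply{nonce, ct, sig}, nil
}

// botOpenReply checks origin first: a reply not signed by the embedded ECDSA
// key is dropped before any decryption or command handling.
func botOpenReply(c2SignPub *ecdsa.PublicKey, aead cipher.AEAD, r *signedReply) ([]byte, error) {
	if !ecdsa.VerifyASN1(c2SignPub, replyDigest(r.nonce, r.ct), r.sig) {
		return nil, errors.New("reply rejected: signature does not verify under embedded key")
	}
	return aead.Open(nil, r.nonce, r.ct, nil)
}

// demo runs one genuine exchange, then lets an impostor C2 with its own keys
// (handed the session key, to isolate the signature check) try to answer.
// Returns the request as the C2 read it, the reply the bot accepted, and
// whether the impostor's reply was rejected. Payload strings are constructed.
func demo() (string, string, bool, error) {
	c2 := newC2Keys()
	req, sess := botEncrypt(c2.kex.PublicKey(), []byte("proclist: explorer.exe;outlook.exe"))
	plain, reply, err := c2Handle(c2, req, []byte("cmd: sleep 300"))
	if err != nil {
		return "", "", false, err
	}
	got, err := botOpenReply(&c2.sign.PublicKey, sess, reply)
	if err != nil {
		return "", "", false, err
	}
	impostor := newC2Keys()
	nonce, ct := seal(sess, []byte("cmd: download payload"))
	sig := must(ecdsa.SignASN1(rand.Reader, impostor.sign, replyDigest(nonce, ct)))
	_, rejErr := botOpenReply(&c2.sign.PublicKey, sess, &signedReply{nonce, ct, sig})
	return string(plain), string(got), rejErr != nil, nil
}
```

The defender-relevant consequence of this design is in the last step: even a party that controls a C2 address, or that has recovered a session key, cannot issue a reply the bot will act on without the actor's private signing key. The flip side is that the two embedded public keys are a stable static artifact in the bot, which is useful for hunting and for tying samples to the same operator key set.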
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment (and [T1566.002] Spearphishing Link for the embedded URLs) – Emotet is spread primarily through malicious email attachments and embedded URLs. “Because Emotet is primarily spread through malicious email attachments and embedded URLs.”
- [T1090] Proxy – UPnP module that turns infected devices into proxy C2s, forwarding traffic from newly infected hosts to actor-controlled infrastructure; the report notes these UPnP bot proxies have not been observed in the current resurgence. “UPnP module to serve as proxy C2s, forwarding communications from newly infected devices to threat actor-controlled infrastructure.”
- [T1573.002] Encrypted Channel: Asymmetric Cryptography – ECC replaces the earlier RSA scheme for C2 traffic: an embedded public key drives the encryption and a separate algorithm validates the data. “the new version employs elliptic curve cryptography (ECC), with a public key to perform the encryption and a separate algorithm to perform data validation.”
- [T1057] Process Discovery – The process-list module sends the list of running processes on the host to the C2. “Initially, the new process module would only send the list of running processes.”
- [T1082] System Information Discovery – The process-list module was later extended to gather additional information about the infected host. “demonstrating the ongoing evolution of Emotet’s code.”
- [T1071.001] Application Layer Protocol: Web Protocols – Bot-to-Tier 1 C2 communications. The article’s infrastructure figures (“Figure 2: Daily active unique Emotet Tier 1 C2s”) describe the C2 tiers rather than the wire protocol; the web-protocol mapping rests on Emotet’s long-standing use of HTTP for C2.
Indicators of Compromise
- [Domain] None listed in the article; IoCs are published on the GitHub page the post references.
- [Hash] None listed in the article; see the GitHub IoC list.
- [IP] None listed in the article; see the GitHub IoC list.
- [File name] None listed in the article; see the GitHub IoC list.
Read more: https://blog.lumen.com/emotet-redux/