We have been tracking the Emotet botnet for quite some time now and noticed that the operators began standing up their C2 (command and control) infrastructure again on Aug 21. Our systems caught the first servers coming alive for Epoch 2 of the botnet's clients around 3pm EST. The first servers to come alive immediately began deploying modules to the clients. It wasn't until around 4pm EST on Aug 22 that the actors began to spin up the infrastructure to handle Epoch 1. It too followed suit and began deploying modules. Since that time, we have seen the botnet continue to push modules to gather the latest data from the remaining bots.
By leveraging what was left of their botnet, the Emotet gang should be able to achieve the following goals:
- Gather a large set of updated user credentials in order to begin their spamming operations again.
- Gather new contacts to use as recipients for any new campaigns.
- Potentially boost their infrastructure by deploying the UPnP module.
If they are successful with the above items, their database of real emails will grow and will likely be used to continue their reply-chain emails, which mimic spearphishing on a scale that has not been seen before.
We are closely monitoring the network for any changes and will provide updates as we can with any new or additional findings.
List of active C2 Servers seen since re-enablement:
Additional articles and insight from Cofense on Emotet: