Emotet malware runs on a dual infrastructure to avoid downtime and takedowns

The Emotet malware gang is probably managing their server infrastructure better than most companies are running their internal or external IT systems.

A report published last week by Trend Micro reveals that the Emotet crew has intentionally designed its server backbone infrastructure into two separate clusters.

Researchers ended up at this conclusion after they analyzed 571 Emotet malware samples from where they extracted the IP addresses of 721 Emotet command-and-control (C&C) servers, but also six RSA encryption keys that the malware had used to encrypt the communications between infected computers and its C&C servers.

When researchers visualized the relationship between each RSA key and its set of C&C servers, the results were pretty surprising, as the Emotet infrastructure was depicted as two separate clusters that didn’t communicate with each other. This was out of the ordinary, as most malware infrastructures tend to be one giant blob of interconnected servers.

“Our initial assumption was that the two Emotet [clusters] were created for different purposes or are being utilized by different operators,” said Trend Micro researchers. “However, we did not find any major difference between the IoCs under these two groups.”

For instance, researchers said they’ve seen one cluster push a version of Emotet or other second-stage malware one day, and then see the other cluster push the exact same samples the next day. This showed that the same group of malware developers was running both clusters. ..Read More..

Leave a Reply

Your email address will not be published.