The Emotet banking trojan operators have spent the last two months building a proxy network of IoT devices to conceal their malware's command-and-control (C&C) servers. Although using proxies for added stealth is not a new tactic, this is thought to be the first time a network of compromised devices has been used in this context.
According to security researchers from Trend Micro, who spotted the code change in Emotet, the list of hardcoded C&C IPs now includes a variety of IoT devices too. "Emotet actors are attempting to harvest vulnerable connected devices (routers, IP cameras, web servers and more) to try and use them as first layer C&C servers. This first layer serves as a proxy that redirects victims to the real Emotet C&C servers, adding another layer of complexity in C&C server communication to make it more difficult to track down the actors behind the Emotet operations. Moreover, compromising vulnerable devices gives them additional resources that they can use for other malicious purposes", stated the researchers in a blog post.
A C&C list gathered from a Shodan scan in March by the researchers shows a number of these connected devices already being used by Emotet.
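The two-layer arrangement described above (a hardcoded list of first-layer addresses, some of which turn out to be compromised consumer devices rather than rented hosting) is the kind of thing a defender triages by cross-referencing the C&C list against scan or banner data. The following is an added illustration, not code from the article or from Trend Micro: it takes a constructed list of `ip:port` entries and a constructed, Shodan-style dictionary of banners (all addresses are RFC 5737 documentation ranges, all products and device types are made up), labels each entry as a likely IoT relay, ordinary hosting, or unknown, and emits Suricata-style alert rules for outbound connections. The `IOT_DEVICE_TYPES` set and the banner field names are assumptions for the example.

```python
"""Triage a hardcoded C&C list against banner data to spot IoT relays.

Added example for illustration only; all data below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed: C&C entries as they might appear in a dumped configuration.
CC_LIST = [
    "192.0.2.10:8080",
    "198.51.100.7:443",
    "203.0.113.5:80",
    "192.0.2.44:7080",   # no banner on record: stays "unknown"
]

# Constructed: what a banner/scan lookup might return per address.
# Field names (product, device_type) are assumptions for this example.
BANNERS: Dict[str, dict] = {
    "192.0.2.10": {"product": "ExampleRouterOS", "device_type": "router"},
    "198.51.100.7": {"product": "nginx", "device_type": None},
    "203.0.113.5": {"product": "Example camera web UI", "device_type": "webcam"},
}

# Device classes that indicate a compromised consumer/edge device (assumed list).
IOT_DEVICE_TYPES = {"router", "webcam", "dvr", "nas", "printer"}


@dataclass
class Classification:
    ip: str
    port: int
    verdict: str   # "iot-proxy", "hosting", or "unknown"
    reason: str


def parse_entry(entry: str):
    """Split 'ip:port' into (ip, port); port is validated as 1-65535."""
    ip, _, port_text = entry.rpartition(":")
    port = int(port_text)
    if not ip or not 1 <= port <= 65535:
        raise ValueError(f"malformed C&C entry: {entry!r}")
    return ip, port


def classify(cc_list: List[str], banners: Dict[str, dict]) -> List[Classification]:
    """Label every C&C entry using the banner data available for its address."""
    results = []
    for entry in cc_list:
        ip, port = parse_entry(entry)
        banner: Optional[dict] = banners.get(ip)
        if banner is None:
            results.append(Classification(ip, port, "unknown", "no banner data"))
        elif banner.get("device_type") in IOT_DEVICE_TYPES:
            results.append(Classification(
                ip, port, "iot-proxy",
                f"{banner['device_type']} running {banner.get('product')}"))
        else:
            results.append(Classification(
                ip, port, "hosting", f"server software {banner.get('product')}"))
    return results


def summarize(classifications: List[Classification]) -> Dict[str, int]:
    """Count entries per verdict; a high iot-proxy share signals a relay layer."""
    counts: Dict[str, int] = {}
    for c in classifications:
        counts[c.verdict] = counts.get(c.verdict, 0) + 1
    return counts


def suricata_rules(classifications: List[Classification], base_sid: int = 1000000) -> List[str]:
    """Emit one outbound-connection alert rule per entry, regardless of verdict.

    The verdict goes into the message so analysts know the relay may be a
    victim's device that will be cleaned up or rotated out soon.
    """
    rules = []
    for i, c in enumerate(classifications):
        rules.append(
            f'alert tcp $HOME_NET any -> {c.ip} {c.port} '
            f'(msg:"Possible Emotet C&C contact ({c.verdict}: {c.reason})"; '
            f'sid:{base_sid + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    found = classify(CC_LIST, BANNERS)
    print(summarize(found))
    for rule in suricata_rules(found):
        print(rule)
```

The point of keeping the "unknown" verdict separate is that an absent banner says nothing about the address; it should still be alerted on, just not reported to a device owner as a compromised appliance.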
Paul Edon, senior director (EMEA) at Tripwire, told SC Media UK: "The re-emergence of the Emotet crimeware is indicative of how criminal groups behind these campaigns operate: malware strains don't simply disappear, they evolve and return with new exploits and new tactics to elude security measures.
"The news of Emotet now using IoT devices as proxies should come as a welcome reminder that nowadays anything can become an attack vector, and that organisations should never make the mistake of falling into a false sense of security over how their digital assets are protected. Anything with an internet connection should be treated with the same care that is used for more obvious entry points: even a vending machine on the office floor can be hacked and serve as a port for further infections."
The Emotet banking malware was discovered by Trend Micro in 2014, and has continued to be developed and improved by its operators. According to the United States government, an average Emotet incident costs an organisation $1m to fully remediate.