New report pins down location of Emotet RAT controllers

News by Rene Millman

Most controllers linked to the Emotet RAT resolve to IP addresses in South America, according to a report by Recorded Future.


A significant proportion of infected Emotet hosts were based in Latin America, corroborating community observations of a surge in late-2018 Emotet activity targeting South American entities. Infected hosts include organisations in the automotive, finance, energy, construction, retail and entertainment, logistics and technology sectors.

The report, titled "Assessing Corporate Risk by Analysing Remote Access Trojan Infections", also looked at malware such as xTreme RAT and ZeroAccess, and profiles Remote Access Trojan (RAT) communications from third-party organisations to the controllers.

It found that infected xTreme RAT hosts were identified within: a video game company and a utilities company in Europe; Middle Eastern, South Asian, and East Asian telecommunications companies; and an industrial conglomerate and IT company in East Asia.

Researchers said that Emotet has evolved from a banking trojan targeting European banking customers to a modularised malware deployment platform with several high-profile campaigns noted in 2018.

Researchers at the IT security company identified a variety of RAT and Emotet controllers derived from threat lists in the Recorded Future platform and used network metadata to identify victim communications with the RAT C2 IPs. They then analysed network communications for a subset of these controllers from victim organisations. Filtering was conducted to avoid identifying organisations that provide internet hosting services to other organisations as being directly victimised, and internet scanners were omitted where identifiable.
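The correlation step described above, as an added illustration that is not code from the report or from Recorded Future: flow records are matched against a controller list, and hosting providers and known internet scanners are dropped before a source is counted as a victim organisation. All addresses, prefixes and organisation names are constructed placeholders.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed inputs: documentation/benchmark ranges, not real indicators.
C2_IPS = {ip_address("203.0.113.10"), ip_address("198.51.100.25")}
ORG_BY_PREFIX = {
    ip_network("192.0.2.0/26"): "automotive-co",
    ip_network("192.0.2.64/26"): "energy-co",
    ip_network("192.0.2.128/25"): "hosting-provider",  # hosts other organisations
}
HOSTING_PROVIDERS = {"hosting-provider"}   # not counted as directly victimised
KNOWN_SCANNERS = {ip_address("198.18.0.5")}  # internet scanner, omitted

# Constructed flow records: src,dst,dport,bytes (one flow per line).
SAMPLE_FLOWS = """\
192.0.2.5,203.0.113.10,8080,5120
192.0.2.70,198.51.100.25,443,2048
192.0.2.140,203.0.113.10,8080,9000
198.18.0.5,203.0.113.10,8080,60
192.0.2.6,203.0.113.99,443,1200
"""

def org_for(ip):
    """Attribute a source address to an organisation by its announced prefix."""
    for net, org in ORG_BY_PREFIX.items():
        if ip in net:
            return org
    return None

def victim_orgs(flow_text):
    """Return {organisation: set of C2 IPs contacted} after filtering."""
    hits = defaultdict(set)
    for line in flow_text.splitlines():
        src, dst, _port, _nbytes = line.split(",")
        src, dst = ip_address(src), ip_address(dst)
        if dst not in C2_IPS or src in KNOWN_SCANNERS:
            continue  # not controller traffic, or a scanner probing the controller
        org = org_for(src)
        if org is None or org in HOSTING_PROVIDERS:
            continue  # unattributable, or a provider hosting other organisations
        hits[org].add(str(dst))
    return dict(hits)
```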

"Emotet has recently been acting as a spam-sending malware that infects target systems to then load other malware families onto the host. The infected hosts that distribute spam and occasionally act as proxies for the C2 servers are a decentralised network, making it difficult for defenders to block at their perimeter," said researchers.

"Reporting has revealed that the operators of Emotet are likely maintaining at least two Emotet infrastructure setups in parallel, likely to aid redundancy and to make it harder for coordinated takedown by law enforcement."

Researchers said that the developers behind Emotet continue to innovate and develop modularised functionality to aid propagation efficacy and evade traditional network defences, "resulting in widespread infection which according to a US-CERT alert issued in July 2018 have cost state, local, tribal, and territorial (SLTT) governments up to US$1 million (£750,000) per incident to remediate".

Jose Miguel Esparza, head of Threat Intelligence at Blueliv, told SC Media UK that RAT attacks, much the same as ransomware or banking trojans, are not new, so typical good practice will help mitigate the risks posed by this kind of threat. "As mentioned, it is important to try to prevent the execution of malware and exploits, but also detect an ongoing infection and even leaked credentials or information after those have been stolen already. Actions must be taken at all levels to fight against attacks of this nature," he said.

Roy Rashti, cyber-security expert at Bitdam, told SC Media UK that most RATs are installed through malspam campaigns. "In order to prevent infections, organisations must apply proper security solutions on their email delivery chain. Having said that, security solutions such as firewalls can also block communication between RATs and their C2 servers," he said.
