Someone is disrupting Emotet botnet operations and replacing malware payloads with memes and GIFs
Someone is disrupting the operations of the recently-revived Emotet botnet by replacing Emotet payloads with animated GIFs, effectively preventing victims from getting infected. This Emotehack operation has been happening for the past few days, providing some respite from Emotet spamming while the threat actor figures out how to regain control over their distribution sites.
Emotet is a malware strain and a cybercrime operation. The malware, also known as Geodo and Mealybug, was first detected in 2014 and remains active, deemed one of the most prevalent threats of 2019. First versions of the Emotet malware functioned as a banking trojan aimed at stealing banking credentials from infected hosts.
Throughout 2016 and 2017, Emotet operators updated the trojan and reconfigured it to work primarily as a “loader,” a type of malware that gains access to a system, and then allows its operators to download additional payloads.
Second-stage payloads can be any type of executable code, from Emotet’s own modules to malware developed by other cybercrime gangs. Initial infection of a target system usually proceeds through a malicious macro in an email attachment. The email is crafted to look like a legitimate reply to an earlier message the victim sent, which is why recipients open the attachment and enable the macro.
It has been widely documented that the Emotet authors use the malware to build a botnet of infected computers to which they sell access, an as-a-service model (by analogy with Infrastructure-as-a-Service) that the security community calls Malware-as-a-Service (MaaS), Cybercrime-as-a-Service (CaaS), or crimeware. Emotet is known for renting access to infected computers to ransomware operations such as the Ryuk gang.
Without the payload, the victim’s computer is never infected. So whoever is replacing the malware on the botnet’s distribution network is doing users a huge favour and keeping the threat actor busy. The malicious documents and the loader binaries on the botnet’s distribution sites were replaced with various images and memes.
Interesting – yesterday I saw this one from hxxp://kharkhorin[.]cd[.]gov[.]mn/cgi-bin/public/edduq0xdu1d (not getting anything from there now) pic.twitter.com/DWrSAxTtuB
— ExecuteMalware (@executemalware) July 22, 2020
“There is an ongoing battle for the control of the Emotet shells that drop maldocs/malware on T1 Distro sites. Someone is altering them to serve up Imgur gifs instead of malware,” Roosen said.
But the Emotet gang isn’t using the best web shells available. As was pointed out last year, the gang uses open-source web shell scripts and the same password for all of them, which exposes its infrastructure to easy hijacking: anyone who guesses or obtains that one password controls every distribution site at once.
The defacements started slowly, but currently around a quarter of all daily Emotet payload links are being replaced with GIFs, causing serious operational losses to the Emotet gang. Roosen estimates that Emotet is now working at around a quarter of its normal capability, as Ivan and the rest of the Emotet crew are still wrestling for control over their web shells.
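Anyone tracking Emotet distribution URLs faces the same question the researchers above are answering: is a given link currently serving a maldoc or loader, or has it been defaced with an image? File extensions and Content-Type headers are unreliable on compromised sites, so the check has to look at the bytes. The following is an added example, not code from the article or from the Cryptolaemus team: it classifies downloaded response bodies by magic bytes (GIF/PNG/JPEG, PE `MZ` header, legacy OLE `.doc`, and OOXML `.docm` by the presence of `word/vbaProject.bin`) and computes what fraction of a batch has been replaced with images. The sample bodies are constructed inline and the set of recognised types is an assumption chosen for this scenario; the URLs are not fetched here.

```python
import io
import zipfile
from collections import Counter

# Assumed file types of interest on Emotet distribution URLs:
# the loader is a PE, the maldocs are legacy .doc (OLE) or macro-enabled .docm (OOXML zip).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary Office container
IMAGE_LABELS = {"gif", "png", "jpeg"}
MALWARE_LABELS = {"pe", "ole-document", "docm-with-macro"}


def classify_payload(data: bytes) -> str:
    """Label a downloaded body by its content, ignoring extension and Content-Type."""
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if data[:2] == b"MZ":
        return "pe"
    if data.startswith(OLE_MAGIC):
        return "ole-document"
    if data[:2] == b"PK":
        # OOXML documents are zip containers; a VBA project stream marks a macro document.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "zip-corrupt"
        if "word/vbaProject.bin" in names:
            return "docm-with-macro"
        if "word/document.xml" in names:
            return "docx"
        return "zip"
    if data.lstrip()[:1] == b"<":
        # An HTML body usually means an error page or a redirect stub (e.g. to Imgur);
        # follow redirects before classifying if you want the final object.
        return "html"
    return "unknown"


def summarize(bodies):
    """Return (counts per label, fraction of bodies that are images rather than malware)."""
    counts = Counter(classify_payload(b) for b in bodies)
    total = sum(counts.values())
    defaced = sum(n for label, n in counts.items() if label in IMAGE_LABELS)
    return dict(counts), (defaced / total if total else 0.0)


def build_fake_docm() -> bytes:
    """Constructed stand-in for a macro-enabled Word document (zip with a VBA stream)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()


# Constructed sample bodies standing in for four fetched distribution URLs.
SAMPLE_BODIES = [
    b"GIF89a\x01\x00\x01\x00\x80\x00\x00",          # defaced: an animated GIF
    b"MZ\x90\x00\x03\x00\x00\x00",                   # Emotet-style PE loader
    OLE_MAGIC + b"\x00" * 8,                         # legacy .doc maldoc
    build_fake_docm(),                               # .docm maldoc with VBA project
]

if __name__ == "__main__":
    counts, ratio = summarize(SAMPLE_BODIES)
    for body in SAMPLE_BODIES:
        print(classify_payload(body))
    print(counts, f"defaced={ratio:.0%}")
```

With the constructed batch the classifier reports one GIF and three malicious payloads, so a quarter of the links are defaced, which is the same kind of figure the researchers quote from the live distribution sites.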