Cofense: Emotet, one of the most dangerous malware families, is evolving with new C2 communication followed by a new infection chain
Cyber security experts report that since March 14th the banking trojan has changed its behaviour
Emotet operators consistently find ways to evolve how the botnet behaves, always attempting to stay ahead of the cat-and-mouse game they play with network defenders
Historically, the malware passed data to its C2 using the Cookie field of the HTTP header. Information about the system, as well as identifiers, would be encrypted, wrapped in Base64 and added to the HTTP header before transport. This was a consistent and easily identifiable pattern of behavior, which led to near universal enterprise detection.

The latest iteration of Emotet-Geodo, however, has transitioned away from this legacy method and now submits data to its C2 via HTTP POST as a form. With routine changes in behavior and delivery methods, the banking trojan's operators consistently find ways to evolve how the botnet behaves, always attempting to stay ahead of the cat-and-mouse game they play with network defenders. The change in how data is passed will almost certainly allow Geodo to evade certain detection technologies, requiring immediate retooling of detections.
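To illustrate why a detection written for the Cookie-header pattern stops firing once the data moves into a POST form body, here is an added example (not code from Cofense or from the original article) that classifies raw HTTP requests by which transport pattern they match. The sample requests, the cookie name, the form field name and the Base64 payload are all constructed for the example and are not real Emotet indicators.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl

# Constructed sample requests (not real Emotet traffic). The Base64 blob
# simply encodes the text "Constructed sample encrypted bot data".
BLOB = "Q29uc3RydWN0ZWQgc2FtcGxlIGVuY3J5cHRlZCBib3QgZGF0YQ=="
LEGACY_COOKIE_REQUEST = (
    "GET / HTTP/1.1\r\nHost: 198.51.100.7\r\n"
    f"Cookie: 7F3A={BLOB}\r\n\r\n"
)
POST_FORM_REQUEST = (
    "POST /upload/ HTTP/1.1\r\nHost: 198.51.100.7\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "m=" + BLOB.replace("=", "%3D")  # form encoding escapes '='
)
BENIGN_REQUEST = (
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
    "Cookie: session=abc123; theme=dark\r\n\r\n"
)

B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")

def looks_like_encoded_blob(value: str) -> bool:
    """True if value is one long Base64 token that decodes cleanly."""
    if not B64_TOKEN.match(value):
        return False
    try:
        base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True

def parse_request(raw: str):
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method = lines[0].split(" ", 1)[0]
    headers = {}
    for line in lines[1:]:
        name, _, val = line.partition(":")
        headers[name.strip().lower()] = val.strip()
    return method, headers, body

def classify(raw: str) -> str:
    """Return 'legacy-cookie', 'post-form' or 'benign' for one request."""
    method, headers, body = parse_request(raw)
    # Legacy pattern: a single cookie whose value is a lone Base64 blob.
    pairs = [p.strip() for p in headers.get("cookie", "").split(";") if p.strip()]
    if len(pairs) == 1 and looks_like_encoded_blob(pairs[0].partition("=")[2]):
        return "legacy-cookie"
    # Newer pattern: a form POST whose field value is a lone Base64 blob.
    if method == "POST" and headers.get("content-type", "").startswith(
            "application/x-www-form-urlencoded"):
        if any(looks_like_encoded_blob(v) for _, v in parse_qsl(body)):
            return "post-form"
    return "benign"
```

A rule that only inspects the Cookie header classifies the second request as benign, which is the detection gap the article describes; the form-body check closes it at the cost of inspecting POST payloads.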