
Emotet is evolving: New C2 Communication and Infection Chain

Cofense: Emotet, one of the most dangerous malware families, is evolving with new C2 communication followed by a new infection chain

The Emotet botnet is changing the way it communicates, in a likely attempt to evade malware detection. The change was discovered by Cofense cyber security experts. According to the company’s blog, the malware no longer relies on cookies to make certain requests, instead performing HTTP POSTs to what seems to be the C2. Baking requests into cookies is a time-honored and easily detected pattern of behavior. Switching this up makes it harder to see when the malware is calling home. Moreover, Geodo-Emotet is now using a new infection chain, utilizing JavaScript files as droppers instead of macro-packed Office documents. These changes in behavior and delivery methods are the cybercriminals’ latest attempts to keep ahead of network defenders. Identifying a highly dynamic banking trojan family such as Geodo therefore requires highly agile security infrastructure coupled with responsive threat intelligence.

The cyber security experts: since March 14th the banking trojan has changed its behaviour

According to Cofense cyber security researchers, in past versions of Emotet-Geodo a compromised client would typically perform a GET request with data contained in the cookie value. As of approximately March 14th, this changed. The clients have begun to perform HTTP POSTs to what appear to be their C2s. The primary driver behind this transition appears to be an attempt to bypass established detection methods. In tandem with this update, the malware has begun experimenting with delivering its binaries with JavaScript files acting as droppers, rather than via Office documents laden with macros, as has been most common.

Emotet operators consistently find ways to evolve how the botnet behaves, always attempting to stay ahead of the cat-and-mouse game they play with network defenders

Furthermore, the malware historically passed data to its C2 using the Cookie field of the HTTP header. Information about the system, as well as identifiers, would be encrypted, wrapped in Base64 and added to the HTTP header before transport. This was a consistent and easily identifiable pattern of behavior, which led to near-universal enterprise detection. The latest iteration of Emotet-Geodo, however, has transitioned away from this legacy method to submitting data to its C2 via HTTP POST as a form. With routine changes in behavior and delivery methods, the banking trojan’s operators consistently find ways to evolve how the botnet behaves, always attempting to stay ahead of the cat-and-mouse game they play with network defenders. The change in how form data is passed will almost certainly allow Geodo to overcome certain detection technologies, requiring immediate retooling.
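As an added example that is not part of the Cofense write-up, the following Python sketches how a defender might label both request shapes the article describes: a GET carrying a long Base64 blob in the Cookie header, and a form-encoded POST, each sent to a bare-IP host. The sample requests, the bare-IP heuristic and the length threshold are constructed assumptions, not indicators taken from the article.

```python
import base64
import re

# Constructed samples; 203.0.113.0/24 is a documentation range, not a real C2.
LEGACY_SAMPLE = (
    "GET /whoami.php HTTP/1.1\r\nHost: 203.0.113.10:8080\r\n"
    "Cookie: 3291=" + base64.b64encode(b"\x00" * 48).decode() + "\r\n\r\n"
)
FORM_SAMPLE = (
    "POST / HTTP/1.1\r\nHost: 203.0.113.10\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "id=QUJDREVGR0g=&data=SUpLTE1OT1A="
)
BENIGN_SAMPLE = (
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
    "Cookie: session=abc123\r\n\r\n"
)

def _host_is_bare_ip(host):
    # Assumed heuristic: beacons go to a literal IPv4 address, not a hostname.
    return re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host.rsplit(":", 1)[0]) is not None

def _looks_base64(value, min_len=40):
    # Long and strictly decodable as Base64; the length threshold is assumed.
    try:
        return len(value) >= min_len and bool(base64.b64decode(value, validate=True))
    except ValueError:
        return False

def parse_request(raw):
    # Minimal HTTP/1.1 request parser: method, lower-cased headers, body.
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method = request_line.split(" ", 1)[0]
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, headers, body

def classify(raw):
    """Label the two beacon shapes the article describes, or None."""
    method, headers, body = parse_request(raw)
    if not _host_is_bare_ip(headers.get("host", "")):
        return None
    if method == "GET" and _looks_base64(headers.get("cookie", "").partition("=")[2]):
        return "legacy-cookie-beacon"
    ctype = headers.get("content-type", "")
    if method == "POST" and ctype.startswith("application/x-www-form-urlencoded") and body:
        return "form-post-beacon"
    return None
```

Both labels fire only on bare-IP hosts, so this is a triage aid for proxy logs rather than a standalone signature.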
