|
Thanks to Dancho Danchev, WhoisXML API’s DNS Threat Researcher for the original investigation available here which led to the creation of this post.
Emotet traces its origin as far back as 2014, when its simplest form as a banking Trojan first made the headlines. Over the years, its creators have constantly improved the malware, a popular malware-as-a-service (MaaS) offering in cybercriminal underground fora.
On 25 April 2021, law enforcement agents seized the botnet’s infrastructure and scheduled a mass uninstallation for all infected computers. But is the malware truly dead? This analytical post seeks to find out.
For this short analysis of current Emotet botnet activity, we used 228 identified IP addresses as a starting point. Through reverse IP/DNS lookups, we found that these IP addresses resolved to 3,981 domains and 4,109 subdomains. Some or even all of these could be part of the Emotet botnet infrastructure.
To determine if any of the 3,981 domains obtained from reverse DNS searches remain active even after the takedown and purging of infections, we subjected them to screenshot lookups and found that:
All in all, we can say that it’s possible that not all of the IP addresses and domains that are part of the Emotet botnet infrastructure have been shut down. Some of the web pages may still be up and running, putting users who visit them at risk of malware infection or, worse, identity and financial theft.
Note the use of legitimate domains as well for many of the subdomains. Examples of potentially abused domains include:
This strategy could be an evasion tactic that gets their phishing or malicious communications through to protected networks.
Several of the IP addresses resolved to the same domains, which could be indicative of their ties to the same network or, in this case, cybercriminal gang that runs the Emotet botnet.
A bulk IP geolocation lookup for the IP addresses revealed that:
If the IP geolocation data is taken as is, we can infer that the Emotet botnet operators are mostly U.S.-based although the presence of IP addresses in at least 13 other countries could indicate a global operation.
Authorities who are part of the takedown operation could seek the help of the Internet service providers (ISPs) who assigned the IP addresses, which include:
The ISPs identified above could help with takedowns if the sites that are part of the Emotet botnet are still up and running.
Domain and IP intelligence can help cybersecurity specialists dig deeper into the ties that bind IoCs pertaining to the large-scale operation of threats like Emotet.
If you wish to get the entire list of artifacts we uncovered from our short analysis of the Emotet botnet featured in this post, don’t hesitate to contact us. We’re always open to working with fellow researchers.
Sponsored byVerisign
Sponsored byVerisign
Sponsored byIPv4.Global
Sponsored byCSC
Sponsored byDNIB.com
Sponsored byRadix
Sponsored byWhoisXML API