According to new data by TrendMicro, attackers utilising the Emotet banking Trojan predominantly used internet providers located in the U.S.A. to host their Command & Control infrastructure.
In a recent blog post, TrendMicro states that the United States of America hosts the largest share of Emotet C2 infrastructure, 45%, most of it on Comcast, followed by Mexico and Canada. The top three ASNs used to host the C2 servers are AS7922 (Comcast Cable), AS8151 (Telmex), and AS22773 (Cox Communications). This infrastructure was identified by actively tracking Emotet, using nearly 15 thousand artefacts collected between June and September 2018.
Emotet uses RSA certificates for confidential communication, and analysis of Emotet malware samples showed that a single sample contains 39 different C2 addresses on average. Each C2 uses one of six RSA certificates, and by tracking which samples and certificates each C2 used, TrendMicro was able to split the six certificates into two groups of three.
These two groups show that two separate C2 infrastructures are operating in parallel. TrendMicro states that this makes it “more difficult to track Emotet and minimize the possibility of failure”. Correlating known campaigns against the two infrastructure groups shows a clear distinction between them and indicates differing agendas, which may even mean they are controlled by different operators.
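The certificate-based grouping described above can be reproduced from sample telemetry: if every C2 presents exactly one certificate and every sample embeds C2s from only one infrastructure, then certificates that co-occur in the same sample belong to the same group, and a union-find over co-occurrence separates the infrastructures. The following is an added example, not code from TrendMicro's research or this article; the sample set is constructed (RFC 5737 documentation addresses and placeholder certificate labels, not real Emotet indicators), and the function names are the author's own.

```python
from collections import defaultdict
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed sample set (NOT real Emotet indicators): sample id -> list of
# (C2 endpoint, fingerprint label of the RSA certificate that endpoint presented).
# Addresses come from RFC 5737 documentation ranges; certificate names are labels.
SAMPLES: Dict[str, List[Tuple[str, str]]] = {
    "sample-01": [("203.0.113.10", "CERT-A"), ("203.0.113.11", "CERT-B"), ("203.0.113.12", "CERT-C")],
    "sample-02": [("203.0.113.11", "CERT-B"), ("203.0.113.13", "CERT-C"), ("203.0.113.14", "CERT-A")],
    "sample-03": [("198.51.100.20", "CERT-D"), ("198.51.100.21", "CERT-E"), ("198.51.100.22", "CERT-F")],
    "sample-04": [("198.51.100.21", "CERT-E"), ("198.51.100.23", "CERT-D")],
    "sample-05": [("203.0.113.12", "CERT-C"), ("203.0.113.15", "CERT-A")],
    "sample-06": [("198.51.100.22", "CERT-F"), ("198.51.100.24", "CERT-F")],
}


def mean_c2_per_sample(samples: Dict[str, List[Tuple[str, str]]]) -> float:
    """Average number of C2 endpoints embedded per sample (the article's '39 per sample' figure)."""
    return sum(len(entries) for entries in samples.values()) / len(samples)


def endpoints_with_multiple_certs(samples: Dict[str, List[Tuple[str, str]]]) -> Dict[str, Set[str]]:
    """Sanity check for the 'one certificate per C2' observation: return every
    endpoint seen presenting more than one certificate across the sample set.
    A non-empty result means the co-occurrence clustering below is unreliable."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for entries in samples.values():
        for endpoint, cert in entries:
            seen[endpoint].add(cert)
    return {ep: certs for ep, certs in seen.items() if len(certs) > 1}


def cluster_certificates(samples: Dict[str, List[Tuple[str, str]]]) -> List[FrozenSet[str]]:
    """Union-find over certificates: two certificates embedded in the same
    sample are assumed to belong to the same C2 infrastructure."""
    parent: Dict[str, str] = {}

    def find(x: str) -> str:
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps the tree shallow
            x = parent[x]
        return x

    def union(a: str, b: str) -> None:
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    for entries in samples.values():
        certs = [cert for _, cert in entries]
        for cert in certs:
            find(cert)  # register singletons so lone certificates still form a group
        for other in certs[1:]:
            union(certs[0], other)

    groups: Dict[str, Set[str]] = defaultdict(set)
    for cert in parent:
        groups[find(cert)].add(cert)
    return sorted((frozenset(g) for g in groups.values()), key=lambda g: sorted(g))


def infrastructure_groups(samples: Dict[str, List[Tuple[str, str]]]) -> List[Dict[str, Set[str]]]:
    """Attach C2 endpoints and sample ids to each certificate cluster so the
    parallel infrastructures can be compared side by side."""
    clusters = cluster_certificates(samples)
    by_cert = {cert: i for i, cluster in enumerate(clusters) for cert in cluster}
    result: List[Dict[str, Set[str]]] = [
        {"certs": set(c), "c2s": set(), "samples": set()} for c in clusters
    ]
    for sample_id, entries in samples.items():
        for endpoint, cert in entries:
            group = result[by_cert[cert]]
            group["c2s"].add(endpoint)
            group["samples"].add(sample_id)
    return result


if __name__ == "__main__":
    print("mean C2s per sample:", mean_c2_per_sample(SAMPLES))
    print("endpoints presenting >1 certificate:", endpoints_with_multiple_certs(SAMPLES) or "none")
    for i, g in enumerate(infrastructure_groups(SAMPLES), start=1):
        print(f"group {i}: certs={sorted(g['certs'])} c2s={len(g['c2s'])} samples={len(g['samples'])}")
```

On the constructed data this yields two groups of three certificates each, mirroring the split in the research; run the multiple-certificate check first, because an endpoint that rotates certificates would silently merge the clusters.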
The research further reviews compilation timestamps to hypothesise that the author may operate in UTC+10, which would place them in eastern Russia or eastern Australia. However, TrendMicro admits this is mere speculation, as at least three separate machines, set to varied timezones, are used for packaging. Threat actors have also been known to change their locale and timezone settings to confuse reverse engineers.
While much of the world is affected by Emotet, Europe and the United States have been hit hardest. It is ironic that the infrastructure used by Emotet is located in the same regions as its victims, but this further indicates that these regions are well connected and offer cheap hosting as well as easily compromised nodes.