Security Experts:

Hacker Replaced Emotet Payloads With GIF Images

Over the past several days, a hacker managed to replace the payloads typically delivered by the Emotet Trojan with GIF images.

Emotet, which resumed activity earlier this month following a five-month break, is hijacking legitimate email conversations to deliver spear-phishing emails to intended victims.

The most recent Emotet campaign would feature hundreds of thousands of spear-phishing emails daily, targeting industry verticals in the United States and the United Kingdom.

Within days after the campaign kicked off, however, security researchers noticed that a hacker managed to hijack Emotet’s delivery process and replace the payloads with GIF images.

This, security researcher Kevin Beaumont explains, is possible because the payload delivery method employed by Emotet is not secure, something that has been known for a while.

Specifically, Emotet’s operators use webshells and various techniques such as Word documents and payload executables, and a largely hacked infrastructure for distribution, with the passwords and techniques widely known, the researcher reveals.

“The Emotet payload distribution method is super insecure, they deploy an open source webshell off Github into the Wordpress sites they hack, all with the same password, so anybody can change the payloads infected PCs are receiving,” Beaumont said in December last year.

The hijacking was first observed on July 21, when the hacker was replacing only some of the Emotet payloads. Within several days, however, over a quarter of the payloads were being replaced.

“This is still happening today, about a quarter of payloads I check have been replaced with GIFs within the hour of Emotet pushing them,” Beaumont noted in a tweet. The next day, the payloads were being replaced within 20 minutes, suggesting an automated attack.

Cryptolaemus, a group of researchers tracking Emotet’s whereabouts, also noticed the hijacking, revealing that Emotet’s operators appeared to have a hard time keeping the intruder out.

The researchers also pointed out that the intrusion resulted in Emotet’s operators reducing the distribution volume as means to prevent the delivery of GIF images.

“I suspect the lack of updates this morning was related to the Emotet team attempting to stop their payloads from becoming ‘Hackerman’ [one of the images delivered]. To our surprise, we confirmed with @executemalware reports that even after distro started back up around 1900 UTC with 3 new docs on all epochs, he still saw some sites that were showing up with Hackerman,” Cryptolaemus noted.

Cryptolaemus later said the cybercriminals regained control and resumed sending out spam.

Emotet’s effectiveness took a hit during the time it was hijacked, but Beaumont pointed out that someone could have replaced the payloads with stealthier malware instead of harmless GIFs.

Related: Emotet Resumes Activity After Five Months of Silence

Related: Emotet Returns, Spreads via Hijacked Email Conversations

Related: Constant Vigilance Requires Looking Back as Well as Forward

view counter