Emotet Gang Changes Tactics Ahead of the Winter Holidays (Dec 19, 2019)
Cofense Labs researchers have noted a change in Emotet tactics in the run-up to Christmas. The Emotet Command and Control (C2) communication from the client no longer uses random URI paths built from a word list. Instead it uses a string of at least four characters that appears random but is actually the key of the key/value pair in the posted form data. The researchers think this change may be "more on the cosmetic side" because it does not affect the check-in data itself. Since September, the Emotet gang has also been delivering emails with malicious attachments rather than emails containing malicious links.
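The shift described above is easy to miss with path-based signatures, since the path is no longer drawn from a fixed word list. As an added example (not Cofense's or Anomali's code), the heuristic below reads the page's description as "the URI path segment is reused as the form field name" and flags POST requests where that holds; the request records are constructed, not captured traffic.

```python
from urllib.parse import parse_qs

# Constructed sample requests for illustration only: (method, path, content-type, body).
# None of these are real Emotet indicators.
SAMPLE_REQUESTS = [
    # Old style: path built from word-list segments, generic form key.
    ("POST", "/whoami/upload/", "application/x-www-form-urlencoded", "data=QUJDRA%3D%3D"),
    # New style as described: single random-looking segment that is also the form key.
    ("POST", "/XkQe3", "application/x-www-form-urlencoded", "XkQe3=QUJDRA%3D%3D"),
    # Benign traffic that should not match.
    ("GET", "/index.html", "", ""),
    ("POST", "/login", "application/x-www-form-urlencoded", "user=bob&pass=secret"),
]

MIN_SEGMENT_LEN = 4  # the page states at least four characters


def path_is_form_key(path: str, body: str) -> bool:
    """True when the URI has exactly one path segment (>= MIN_SEGMENT_LEN chars)
    and that segment appears as a field name in the URL-encoded POST body."""
    segments = [s for s in path.split("/") if s]
    if len(segments) != 1 or len(segments[0]) < MIN_SEGMENT_LEN:
        return False
    form_keys = parse_qs(body, keep_blank_values=True).keys()
    return segments[0] in form_keys


def find_suspicious(requests):
    """Return the paths of form POSTs whose path segment doubles as the form key.
    Assumption (not stated verbatim on the page): that equality is the tell."""
    hits = []
    for method, path, content_type, body in requests:
        if method != "POST" or "x-www-form-urlencoded" not in content_type:
            continue
        if path_is_form_key(path, body):
            hits.append(path)
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_REQUESTS):
        print("review:", hit)
```

Treat a match as a triage lead rather than a verdict; legitimate applications can also name a form field after the endpoint, so correlate with the sender process and destination reputation before acting.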
Recommendation: Malware developers are always looking for new ways to evade detection and thwart researchers' efforts to understand how their malware operates, for example by changing the style of C2 communication, switching delivery methods or designing new anti-analysis tactics. Threat intelligence professionals must keep abreast of evolving threats in order to inform businesses and help make defences intelligence-led. Organisations can do much to defend their enterprise networks and customers by integrating intelligence feeds into their defensive tooling, and by hiring threat intelligence professionals who are adept at reporting on the changing threat environment.
Indicators of Compromise (IOCs) associated with this story are available to ThreatStream users to help identify potentially malicious activity.