SANS ISC: Internet Security | DShield SANS.edu Internet Storm Center

Emotet Stops Using 0.0.0.0 in Spambot Traffic

Published: 2022-01-25
Last Updated: 2022-01-25 03:36:04 UTC
by Brad Duncan (Version: 1)

Introduction

Last week, I wrote a diary about Emotet using 0.0.0.0 in its spambot traffic instead of the actual IP address of the infected Windows host (link).

Shortly after that diary, Emotet changed from using 0.0.0.0 to using the victim's IP address, but with the octet values listed in reverse order.

Details

During a recent Emotet infection on Tuesday 2022-01-24, my infected Windows host was using 173.66.46.112 as its source IP.  Note that my source IP has been edited for this diary to sanitize/disguise the actual IP address.  See the image below for DNS traffic representing a possible spam blocklist check by my infected Windows host.  In other malware families like Trickbot, the octet order is reversed.  But order is not reversed for this Emotet infection.


Shown above:  Possible spam blocklist check by my Emotet-infected host on Tuesday 2022-01-24.

As seen in the above image, the following DNS queries were made:

  • 173.66.46.112spam.abuse.ch
  • 173.66.46.112.b.barracudacentral.org
  • 173.66.46.112.bl.mailspike.net
  • 173.66.46.112.spam.dnsbl.sorbs.net
  • 173.66.46.112.zen.spamhaus.org

Again, I normally see the octet order reversed with other malware like Trickbot.  This reversed order also appeared during SMTP traffic with the command EHLO [112.46.66.173] as shown below.


Shown above:  Victim IP address in Emotet spambot traffic on Tuesday 2022-01-24.

Twitter discussion for last week's diary indicates Emotet developers may have broken something in the spambot module to produce the previous 0.0.0.0 traffic.  I'm not sure if this new traffic (the reversed order of the victim's IP address) is intentional or not.
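As an added example (not code from the diary or from any Emotet analysis tool), the following Python classifies the two artifacts described above against the host's own source address: DNSBL-style query names, flagged as forward-order (as in this Emotet sample) or conventional reversed-order (as with Trickbot), and the address literal in an SMTP EHLO command. The zone list and the sample inputs are constructed from the diary's own observations; 173.66.46.112 is the diary's sanitized source IP.

```python
import ipaddress
import re

# DNSBL zones the diary's infected host queried. A deployment would use a
# fuller list; these are enough to demonstrate the check.
DNSBL_ZONES = (
    "spam.abuse.ch",
    "b.barracudacentral.org",
    "bl.mailspike.net",
    "spam.dnsbl.sorbs.net",
    "zen.spamhaus.org",
)

# Address prefix in front of the zone; the trailing dot is optional because
# the first query in the diary ("173.66.46.112spam.abuse.ch") has none.
_IPV4_PREFIX = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\.?$")
_EHLO_LITERAL = re.compile(r"^EHLO\s+\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.IGNORECASE)


def _order(src_ip, candidate):
    """'forward' if candidate equals src_ip, 'reversed' if it is src_ip with
    the octets in reverse order, 'other' for any other (or invalid) address."""
    try:
        cand = str(ipaddress.IPv4Address(candidate))
    except ipaddress.AddressValueError:
        return "other"
    src = str(ipaddress.IPv4Address(src_ip))
    if cand == src:
        return "forward"
    if ".".join(reversed(cand.split("."))) == src:
        return "reversed"
    return "other"


def classify_dnsbl_query(src_ip, qname):
    """None if qname is not under a known DNSBL zone; otherwise the octet order
    of the looked-up address relative to src_ip. Conventional DNSBL lookups
    (and Trickbot) are 'reversed'; the diary's Emotet traffic was 'forward'."""
    name = qname.rstrip(".").lower()
    zone = next((z for z in DNSBL_ZONES if name.endswith(z)), None)
    if zone is None:
        return None
    m = _IPV4_PREFIX.match(name[: -len(zone)])
    return _order(src_ip, m.group(1)) if m else "other"


def ehlo_ip_order(src_ip, smtp_line):
    """Same classification for the address literal in an SMTP EHLO command,
    e.g. the diary's 'EHLO [112.46.66.173]' sent by a 173.66.46.112 host."""
    m = _EHLO_LITERAL.match(smtp_line.strip())
    return _order(src_ip, m.group(1)) if m else None
```

Run over passive DNS and SMTP captures from a single host, a 'forward' DNSBL result paired with a 'reversed' EHLO literal is the pattern this diary describes.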

Final words

You can find up-to-date indicators for Emotet malware samples, URLs, and C2 IP addresses at:

---

Brad Duncan
brad [at] malware-traffic-analysis.net
