Last week, I wrote a diary about Emotet using 0.0.0.0 in its spambot traffic instead of the actual IP address of the infected Windows host (link).
Shortly after that diary, Emotet changed from using 0.0.0.0 to using the victim’s IP address, but with the octet values listed in reverse order.
During a recent Emotet infection on Tuesday 2022-01-24, my infected Windows host was using 22.214.171.124 as its source IP. Note that my source IP has been edited for this diary to sanitize/disguise the actual IP address. See the image below for DNS traffic representing a possible spam blocklist check by my infected Windows host. In other malware families like Trickbot, the octet order is reversed. But order is not reversed for this Emotet infection.
As seen in the above image, the following DNS queries were made:
Again, I normally see the octet order reversed with other malware like Trickbot. This reversed order also appeared during SMTP traffic with the command ELHO [126.96.36.199] as shown below.
Twitter discussion for last week’s diary indicates Emotet developers may have broken something in the spambot module to produce the previous 0.0.0.0 traffic. I’m not sure if this new traffic–the reversed order of the victim’s IP address–is intentional or not.
You can find up-to-date indicators for Emotet malware samples, URLs, and C2 IP addresses at:
brad [at] malware-traffic-analysis.net
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.