We have been tracking the Emotet botnet for quite some time now and noticed that they began standing up their C2 (command and control) infrastructure again on Aug 21. Our systems caught the first servers coming alive for Epoch 2 of the botnets clients around 3pm EST. The first servers to come alive immediately began deploying modules to the clients. It wasn’t until around 4pm EST on Aug 22 that the actors began to spin up the infrastructure to handle Epoch 1. It too followed suit and began deploying modules. Since that time, we have seen it continue to push modules to gather the latest data from remaining bots.
By leveraging what was left of their botnet, the Emotet gang should be able to achieve the following goals:
- Ability to gather a large set of updated user credentials to begin their spamming operations again.
- Able to gather new contacts to leverage as recipients for any new campaigns.
- Potentially boost their infrastructure via the deployment of the UPnP module.
If they are successful with the above items, their database of real emails will grow and likely be leveraged to continue their reply chain emails that mimic spearphishing on a scale that has not been seen before.
We are closely monitoring the network for any changes and will provide updates as we can with any new or additional findings.
List of active C2 Servers seen since re-enablement:
104.131.11.150:8080
104.131.208.175:8080
104.131.58.132:8080
104.236.151.95:7080
109.104.79.48:8080
125.99.106.226:80
128.199.78.227:8080
142.93.88.16:443
162.144.119.216:8080
162.243.125.212:8080
170.150.11.245:8080
175.100.138.82:22
177.246.193.139:20
189.209.217.49:80
190.117.206.153:443
192.168.1.180:80
195.242.117.231:8080
198.50.170.27:8080
201.212.24.6:443
205.186.154.130:80
213.120.104.180:50000
222.214.218.136:4143
43.229.62.186:8080
45.123.3.54:443
45.32.158.232:7080
46.101.142.115:8080
46.105.131.69:443
64.13.225.150:8080
66.228.32.31:443
69.163.33.82:8080
70.32.84.74:8080
72.47.248.48:8080
75.127.14.170:8080
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.
