
Someone is poking fun at the Emotet botnet and heavily disrupting its operations by hacking into the malware's distribution sites and replacing malicious payloads with memes and GIFs.
This Emotehack operation has been happening for the past few days, providing some respite from Emotet spamming while the threat actor figures out how to regain control over their distribution sites.
LoLs for payloads
Emotet’s distribution relies on hacked websites where the actors store payloads to be used in their spam campaigns.
When victims of these campaigns fall for the ruse and open malicious spam attachments, executed macros will retrieve the Emotet malware payload from compromised sites in the botnet’s network.
Without a payload, the victim’s computer does not fall into Emotet’s grip. So whoever is replacing the malware in the botnet’s distribution network is doing users a huge favor and also keeping the threat actor busy.
Joseph Roosen, a member of the Cryptolaemus group of researchers fighting Emotet, called the person messing with Emotet’s payloads a “white knight.”
The malicious documents and the malware from the botnet’s distribution sites were replaced with various images and memes.
Researchers saw images of James Franco at first and then Emotet’s hacked sites served the Hackerman meme.
“There is an ongoing battle for the control of the Emotet shells that drop maldocs/malware on T1 Distro sites. Someone is altering them to serve up Imgur gifs instead of malware,” Roosen tweeted.
The researcher told BleepingComputer that Emotet put spamming activity on standby because of the good samaritan’s actions, and will likely implement some changes to protect their operations.
When sending spam, Emotet will use a variety of different email templates and malicious document delivery.
Some emails will attach a malicious Word document directly to an email, while others include a link that a user must click on to download the document.
For those emails containing links, when a recipient clicks on one, they will see a meme or silly image instead of a malicious document being downloaded.
This is illustrated in the video below.
Microsoft cybersecurity researcher Kevin Beaumont noticed these chucklesome modifications, saying that about a quarter of the payloads he checked had been replaced with GIFs.
The switch happened quite quickly, with payloads being replaced less than an hour after Emotet planted them, the researcher said. After this article was published, the researcher said he had noticed the vigilante moving even faster in some cases, replacing the malware in under two minutes.
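As an added illustration (not code from the article or from the researchers it quotes), the following Python sketch shows how a defender monitoring these distribution URLs could tell from a response's leading bytes whether a URL is still serving a maldoc or executable or has flipped to an image, and how quickly each URL flipped. The URLs, timestamps and byte strings are constructed for the example.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple
# File signatures for what the article contrasts: Office maldocs / executables vs. the images served instead.
MAGIC = [
    (b"GIF87a", "gif"), (b"GIF89a", "gif"), (b"\x89PNG\r\n\x1a\n", "png"), (b"\xff\xd8\xff", "jpeg"),
    (b"MZ", "pe-executable"),                               # Emotet loader .exe
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole-document"),  # legacy .doc maldoc
    (b"PK\x03\x04", "zip-or-ooxml"),                        # .docm / .docx container
]
MALICIOUS = {"pe-executable", "ole-document", "zip-or-ooxml"}
BENIGN_IMAGE = {"gif", "png", "jpeg"}

def classify(body: bytes) -> str:
    """Classify a fetched body by its leading bytes, never by URL or Content-Type header."""
    for magic, kind in MAGIC:
        if body.startswith(magic):
            return kind
    head = body.lstrip()[:16].lower()
    if head.startswith(b"<!doctype") or head.startswith(b"<html"):
        return "html"  # e.g. the survey redirect pages the article mentions
    return "unknown"
Sample = Tuple[str, datetime, bytes]  # (distribution URL, fetch time, leading bytes of the body)
def replacement_timeline(samples: List[Sample]) -> Dict[str, Optional[timedelta]]:
    """For each URL that served malware: delay until an image was first served instead,
    or None if the URL was still serving malware at the last fetch."""
    per_url: Dict[str, List[Tuple[datetime, str]]] = {}
    for url, ts, body in samples:
        per_url.setdefault(url, []).append((ts, classify(body)))
    out: Dict[str, Optional[timedelta]] = {}
    for url, series in per_url.items():
        first_bad = replaced = None
        for ts, kind in sorted(series):
            if kind in MALICIOUS and first_bad is None:
                first_bad = ts
            elif kind in BENIGN_IMAGE and first_bad is not None and replaced is None:
                replaced = ts
        if first_bad is not None:
            out[url] = replaced - first_bad if replaced else None
    return out
def replaced_share(timeline: Dict[str, Optional[timedelta]]) -> float:
    """Share of malware-serving URLs that flipped to an image (Beaumont's 'about a quarter')."""
    return sum(v is not None for v in timeline.values()) / len(timeline) if timeline else 0.0

T0 = datetime(2020, 3, 25, 12, 0)  # constructed sample observations, not real Emotet data
SAMPLES: List[Sample] = [
    ("http://site-a.invalid/wp/doc.php", T0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00"),
    ("http://site-a.invalid/wp/doc.php", T0 + timedelta(minutes=2), b"GIF89a\x01\x00"),
    ("http://site-b.invalid/x.exe", T0, b"MZ\x90\x00\x03"),
    ("http://site-b.invalid/x.exe", T0 + timedelta(hours=1), b"MZ\x90\x00\x03"),
    ("http://site-c.invalid/", T0, b"<html><head>win a phone</head></html>"),
]
```

Running `replacement_timeline(SAMPLES)` reports site-a flipped to a GIF two minutes after it first served a maldoc, while site-b was still serving an executable an hour later; site-c never served malware and is left out.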
How does Emotehack happen?
In short, bad opsec. Emotet operators use web shells to maintain access to the hacked websites in their distribution network. The most plausible explanation is that someone discovered the password and decided to use this advantage to disrupt Emotet operations.
Beaumont tweeted in late December 2019 that the actor relied on an open-source web shell and recycled the access password. One reason for this lack of effort could be that it works, so there was no need to bother changing the password.
This rationale seems to hold these days, too. Roosen told us that Cryptolaemus researchers believe that someone has the password for the Emotet shell on the distribution sites and decided to programmatically replace the payloads.
However, Roosen points out that Emotet likely has other methods to drop the shells and could regain access to the vulnerable sites it uses for spreading malware.
If they control these machines, they could drop other web shells with a different password to regain control of their distribution network.
Emotet may buy access to servers from other threat actors that run traffic redirection scams. These lure users with advertisements and fake promotions to expose them to various scams and surveys.
At the time of writing, some of the sites where memes and images took the place of Emotet payloads are redirecting to surveys. One of the ruses we saw informed us that we had the chance to win a Samsung Galaxy S10 if we did a survey.



Comments
woody188 - 1 year ago
Curious if we'll ever know who is behind Emotehack. It's good and bad. Good they are interfering, bad they aren't dismantling the infrastructure and returning the control of the compromised systems to their owners. Since they seem to have write access to the web folders, they could upload their own webshell to lock out Emotet.
It would be really valuable to law enforcement to just sit on them and gather intel too. A lot of lost opportunity here to discover and dismantle Emotet going to waste.