Trend Micro discovered a new variant of the Emotet Trojan that is able to infect devices and use them as proxy command-and-control servers.

“It is also attempting to use compromised connected devices as proxy command and control (C&C) servers that redirect to the real Emotet C&Cs. These changes may seem trivial at first, but the added complexity in command and control traffic is an attempt by Emotet authors to evade detection.”

The experts also noticed that the threat actors behind the latest Emotet campaign are actively attempting to compromise IoT devices, including routers, IP cameras, and webcams, and to recruit them into a first layer of the C2 infrastructure.

Since March 15, the experts have monitored Emotet samples using new POST-infection traffic and discovered that the samples also use randomly generated URI directory paths in their POST requests to evade network-based detection. The new Emotet version sends the stolen info within the HTTP POST message body, instead of using the Cookie header.

“The change in POST-infection traffic and the use of these connected devices show that Emotet is still a constantly evolving and resilient threat,” concludes Trend Micro.