
Threat actors are hijacking the infamous Emotet botnet


A sort of vigilante is attempting to disrupt the operations of the Emotet botnet by hacking the supply chain of the malware.

Someone is attempting to sabotage the operations of the Emotet botnet by replacing the Emotet payloads with animated GIFs, in this way the victims will not be infected with the bot.

The mysterious activity was observed in the past few days, the hackers targeted the Emotet’s distribution channel composed of compromised websites used to host the malicious payloads distributed by Emotet operators.

Once a victim opens a weaponized attachment and the embedded macros execute, the macro no longer retrieves the Emotet malware payload from the compromised sites; instead it retrieves GIF images and memes.

Experts noticed that the alleged vigilante used images of James Franco and the Hackerman meme in place of the original Emotet payload.

“There is an ongoing battle for the control of the Emotet shells that drop maldocs/malware on T1 Distro sites. Someone is altering them to serve up Imgur gifs instead of malware,” tweeted Joseph Roosen, a member of the Cryptolaemus group of researchers fighting Emotet.

The Emotet operators leverage web shells to manage compromised servers; experts noticed that the ones used by the crooks are open-source scripts that all use the same password.

This circumstance could allow threat actors that guess the password to take over the infrastructure used by the Emotet operators.

https://twitter.com/GossiTheDog/status/1210520720222097408

The popular cybersecurity researcher Kevin Beaumont observed that about a quarter of the payloads he checked had been replaced with GIF images.

The replacement of the Emotet malware payload was quick: in some cases the GIFs were uploaded less than an hour after Emotet planted the payloads.
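The researchers quoted here were effectively checking what the compromised distribution sites actually served and noting how often the expected Windows executable had become an image. As an added illustration (not code from Security Affairs, Cryptolaemus or Beaumont), the following script classifies fetched blobs by their leading file signature and reports what share of a sample set has been swapped for images. All URLs and byte samples are constructed; the MZ/PE stub is a bare header, not a real payload.

```python
"""Classify fetched 'payload' bytes by file signature and measure how many
were swapped for images.  Added illustration; every sample below is constructed."""
import struct
from collections import Counter

# Leading byte signatures for the image formats seen in the replacements.
IMAGE_SIGNATURES = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
}


def is_pe(blob: bytes) -> bool:
    """True if the blob has an MZ header and a 'PE\\0\\0' signature at e_lfanew."""
    if len(blob) < 0x40 or not blob.startswith(b"MZ"):
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def classify(blob: bytes) -> str:
    """Return 'pe', an image label, or 'unknown' based on the leading bytes."""
    if is_pe(blob):
        return "pe"
    for magic, label in IMAGE_SIGNATURES.items():
        if blob.startswith(magic):
            return label
    return "unknown"


def make_fake_pe() -> bytes:
    """Constructed MZ/PE header stub used only as a sample (not executable code)."""
    header = bytearray(0x44)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew points at offset 0x40
    header[0x40:0x44] = b"PE\0\0"
    return bytes(header)


# Constructed sample set: hypothetical distribution URLs mapped to what they served.
SAMPLES = {
    "hxxp://compromised-site-1.example/wp-content/a.php": make_fake_pe(),
    "hxxp://compromised-site-2.example/wp-content/b.php": b"GIF89a\x01\x00\x01\x00" + b"\x00" * 10,
    "hxxp://compromised-site-3.example/wp-content/c.php": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
    "hxxp://compromised-site-4.example/wp-content/d.php": make_fake_pe(),
}


def replacement_report(samples: dict) -> dict:
    """Count payload types and compute the fraction that are now images."""
    counts = Counter(classify(blob) for blob in samples.values())
    total = len(samples)
    images = counts["gif"] + counts["png"] + counts["jpeg"]
    return {
        "total": total,
        "counts": dict(counts),
        "replaced_fraction": images / total if total else 0.0,
    }


if __name__ == "__main__":
    for url, blob in SAMPLES.items():
        print(f"{classify(blob):8} {url}")
    print(replacement_report(SAMPLES))
```

The PE check deliberately goes beyond the two-byte `MZ` prefix and verifies the `PE\0\0` signature at `e_lfanew`, so a truncated or garbage response starting with `MZ` is reported as unknown rather than counted as a live payload.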

https://twitter.com/GossiTheDog/status/1286271503005290497

“From tracking, the replacements generally happen within a few minutes of Emotet updating their botnet. Around a quarter of all malware is getting replaced.” wrote Beaumont in a post. “This suggests a few possibilities:

  • Emotet themselves are doing this.
  • Other threat actors are doing this to sabotage Emotet.
  • Security researchers are doing it.”

According to Roosen, the Emotet gang is aware of the attack against its infrastructure, and on Thursday it shut down the botnet, likely to lock the attacker out of its web shells.

“Since Ivan [the admin of Emotet] was having technical difficulties today, the hashes are way down and we barely saw much of anything,” Roosen wrote.

Roosen pointed out that Emotet likely has alternative methods to drop the web shells; this means that its operators could regain access to the compromised sites used for malware distribution.

Pierluigi Paganini

(SecurityAffairs – hacking, Emotet botnet)
