Level 33
A new Emotet Trojan variant has been observed in the wild with the added capabilities of using compromised connected devices as proxy command-and-control servers and of employing random URI directory paths to evade network-based detection rules.

The new Emotet version was detected by Trend Micro's research team while analyzing the malware's network traffic and discovering that it comes with "different POST-infection traffic" and that is also trying to conceal its real C2 servers using previously compromised devices as proxies.

Connected devices as an extra C2 communication layer

The researchers also found that Emotet's operators are actively attempting to compromise devices such as IP cameras, routers, webcams, and web interfaces/administration panels to add them to their camouflage infrastructure as part of their botnet's new extra server communication layer.

"These discoveries also show that the malware is being used to compromise and collect vulnerable connected devices, which could become resources for other malicious purposes," states Trend Micro.

Emotet's masters need to conceal the real C2 servers used in their campaigns because their IP addresses are hardcoded in the malware which makes it very easy to analyze the botnet's infrastructure.