Over the past several days, a hacker managed to replace the payloads typically delivered by the Emotet Trojan with GIF images.
Emotet, which resumed activity earlier this month following a five-month break, is hijacking legitimate email conversations to deliver spear-phishing emails to intended victims.
The most recent Emotet campaign would feature hundreds of thousands of spear-phishing emails daily, targeting industry verticals in the United States and the United Kingdom.
Within days after the campaign kicked off, however, security researchers noticed that a hacker managed to hijack Emotet’s delivery process and replace the payloads with GIF images.
This, security researcher Kevin Beaumont explains, is possible because the payload delivery method employed by Emotet is not secure, something that has been known for a while.
Specifically, Emotet’s operators use webshells and various techniques such as Word documents and payload executables, and a largely hacked infrastructure for distribution, with the passwords and techniques widely known, the researcher reveals.
“The Emotet payload distribution method is super insecure, they deploy an open source webshell off Github into the Wordpress sites they hack, all with the same password, so anybody can change the payloads infected PCs are receiving,” Beaumont said in December last year.
The hijacking was first observed on July 21, when the hacker was replacing only some of the Emotet payloads. Within several days, however, over a quarter of the payloads were being replaced.
“This is still happening today, about a quarter of payloads I check have been replaced with GIFs within the hour of Emotet pus ..
Support the originator by clicking the read the rest link below.
