# SANS ISC: InfoSec Handlers Diary Blog - SANS Internet Storm Center SANS Site Network Current Site SANS Internet Storm Center Other SANS Sites Help Graduate Degree Programs Security Training Security Certification Security Awareness Training Penetration Testing Industrial Control Systems Cyber Defense Foundations DFIR Software Security Government OnSite Training InfoSec Handlers Diary Blog **isc.sans.edu/diary/rss/28254** ## 0.0.0.0 in Emotet Spambot Traffic **Published: 2022-01-19** **Last Updated: 2022-01-19 03:39:21 UTC** **by** [Brad Duncan (Version: 1)](https://isc.sans.edu/handler_list.html#brad-duncan) [0 comment(s)](https://isc.sans.edu/forums/diary/0000+in+Emotet+Spambot+Traffic/28254/#comments) **_Introduction_** Emotet often uses information from emails and address books stolen from infected Windows hosts. Malicious spam (malspam) from Emotet spoofs legitimate senders to trick potential victims into running malicious files. Additionally, Emotet uses IP address 0.0.0.0 in spambot traffic, possibly attempting to hide the actual IP address of an Emotet-infected host. This ISC diary reviews the spoofed 0.0.0.0 address used in a recent Emotet infection from Tuesday 2022-01-18. ----- _Shown above: 0.0.0.0 in DNS queries from an Emotet-infected host._ **_Scenes from an infection_** Both Emotet botnets (dubbed by researchers as "epoch 4" and "epoch 5") resumed activity after the recent holiday season, and malicious spam started approximately one week ago on [Tuesday 2022-01-11.](https://www.malware-traffic-analysis.net/2022/01/11/index.html) Most Windows hosts I've infected with Emotet in my lab will start spamming within an hour or less after the initial infection. Refer to the images below for activity from a recent Emotet infection on 2022-01-18. _Shown above: Screenshot from malspam pushing Emotet on Tuesday 2022-01-18._ ----- _Shown above: Web page from link in the malspam._ _Shown above: Example of downloaded Excel spreadsheet for Emotet._ Enable macros in a downloaded spreadsheet, and they will infect a vulnerable Windows host. This is standard operating procedure for Emotet. ----- _Shown above: Traffic from an infection filtered in Wireshark._ _Shown above: Spambot activity started approximately 27 minutes after the initial infection._ **_Emotet spambot traffic using 0.0.0.0_** Right as the spambot activity starts, the following DNS queries are made using domains related to spam filtering: **_0.0.0.0.spam.abuse.ch_** **_0.0.0.0.b.barracudacentral.org_** **_0.0.0.0.bl.mailspike.net_** **_0.0.0.0.spam.dnsbl.sorbs.net_** **_0.0.0.0.zen.spamhaus.org_** ----- Similar DNS queries, but without the 0.0.0.0, are generated during Trickbot infections. However, Trickbot uses the infected host's public IP address data in the DNS query. Here is an example from analysis of a Trickbot sample (scroll down to the "Domains" list). _Shown above: 0.0.0.0-related DNS queries from an Emotet-infected host._ In addition to DNS queries, Emotet uses 0.0.0.0 during SMTP communications. This happens whenever an Emotet-infected host tries sending malspam to a targeted mailserver. The SMTP command is EHLO [0.0.0.0]. ----- _Shown above: SMTP traffic using EHLO [0.0.0.0]._ This attempt does not hide the actual IP address of an Emotet-infected host, because it still appears elsewhere in the SMTP traffic (blurred in the above image, for example). But 0.0.0.0 can be an indicator of emails pushing Emotet or other malware. ----- _Shown above: Example of Emotet malspam with 0.0.0.0 in the email headers._ **_Final words_** While 0.0.0.0 is an indicator for Emotet or other malware, you can find up-to-date indicators for Emotet malware samples, URLs, and C2 IP addresses at: [https://urlhaus.abuse.ch/browse/tag/emotet/](https://feodotracker.abuse.ch/browse/emotet/) [https://feodotracker.abuse.ch/browse/emotet/](https://feodotracker.abuse.ch/browse/emotet/) [https://bazaar.abuse.ch/browse/tag/Emotet/](https://bazaar.abuse.ch/browse/tag/Emotet/) [https://threatfox.abuse.ch/browse/malware/win.emotet/](https://threatfox.abuse.ch/browse/malware/win.emotet/) -- Brad Duncan brad [at] malware-traffic-analysis.net [Keywords: Emotet](https://isc.sans.edu/tag.html?tag=Emotet) [0 comment(s)](https://isc.sans.edu/forums/diary/0000+in+Emotet+Spambot+Traffic/28254/) Join us at SANS! Attend [with Brad Duncan in starting](https://isc.sans.edu/diary/rss/28254) Top of page ----- × [Diary Archives](https://isc.sans.edu/diaryarchive.html) -----