{
	"id": "deb8899a-6911-4e16-bfb1-a5ce0bc3f0d3",
	"created_at": "2026-04-10T03:21:47.266535Z",
	"updated_at": "2026-04-10T03:22:19.031081Z",
	"deleted_at": null,
	"sha1_hash": "2f496421d03118e3aa04fc0c075fab7440f2f1e5",
	"title": "Emotet Adds New Evasion Technique",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 75698,
	"plain_text": "Emotet Adds New Evasion Technique\r\nBy Marco Dela Vega, Jeanne Jocson, Mark Manahan\r\nPublished: 2019-04-25 · Archived: 2026-04-10 03:09:14 UTC\r\nUPDATE as of May 2, 2019 5AM PDT: A previous version of this blog post speculated that connected devices were used as part of Emotet’s command-and-control networks. This was based on speculation derived from Shodan results; that particular section has been removed from the post. We apologize for any confusion our earlier speculation may have caused.\r\nOver the years, Emotet, the banking malware discovered by Trend Micro in 2014, has continued to be a prevalent and costly threat. The United States government estimates that an Emotet incident can cost an organization US$1 million to remediate. Unfortunately, it is a widespread and particularly resilient malware. Its authors have continuously updated it with new capabilities, new distribution techniques, and more.\r\nRecently, an analysis of Emotet traffic revealed that new samples generate different post-infection traffic than previous versions. It seems the Emotet actors are looking for new ways to evade detection.\r\nArrival via spam\r\nEmotet typically arrives on a victim’s system via spam mail. Samples from the beginning of April show that the malware still spreads via spam, but with the help of the trojan downloader Powload. The spam messages trick users into downloading malicious files by claiming that an invoice is attached to the email. The attachment is a ZIP file that can be opened with the 4-digit password included in the body of the email. A look into the ZIP file shows that it contains variants of Powload (detected as Trojan.W97M.POWLOAD). If the user enters the password and opens the enclosed document, it uses PowerShell to download an executable file, which is the Emotet payload.\r\nFigure 1. Example of an Emotet spam mail; samples show mail written in many different languages\r\nChanges in POST-infection traffic\r\nThe wave of Emotet samples using new post-infection traffic has been monitored since March 15, 2019. Researchers from Malware-Traffic-Analysis.net and Cofense also noted changes in Emotet’s network traffic around this time. As mentioned previously, Emotet has undergone many changes since it was first discovered, but this is the first time we have seen this particular post-infection traffic technique.\r\nFigure 2. New Emotet post-infection HTTP POST request traffic\r\nPrevious connections from Emotet did not use a URI path, but the newer samples use randomized words as URI directory path components (see Figure 2), with a random number of components per request. These random words in the URI path help the malware evade network-based detection: an empty URI path is a red flag, so a plausible-looking path helps the traffic appear more legitimate to security solutions. Detection logic that keys on the empty path alone no longer fires on the new samples.\r\nBelow is the list of random words used in the URI path, found in the new sample. The same words can be seen in the Emotet executable file.\r\nFigure 3. Decrypted dump with list of words to be used in the URI\r\nApart from the URI path, the data in the HTTP POST message body has also changed. Previous Emotet samples typically used an HTTP GET request to send victim information to the C\u0026C server, with the data stored in the Cookie header. The data was encrypted with AES (the AES key itself protected with an RSA key) and then Base64-encoded before being placed in the Cookie value (see Figure 4, HTTP request traffic with Cookie header).\r\nNewer traffic shows something different. The actors moved away from the Cookie header and changed the HTTP request method to POST. The data is still AES-encrypted with an RSA-protected key and Base64-encoded, but instead of being stored in the Cookie value, it is placed in the body of the HTTP POST message. This change adds another layer of complexity that helps the malware evade detection, or delays further investigation if it is detected. Because the encrypted, Base64-encoded blob itself is unchanged, its character set and entropy remain usable as detection signals regardless of where in the request it is carried.\r\nFigure 4. Comparison between the new Emotet C\u0026C traffic and the previous Emotet C\u0026C traffic\r\nHow can organizations defend themselves?\r\nThe change in post-infection traffic shows that Emotet is still a constantly evolving and resilient threat. The malware authors are fine-tuning evasion techniques and adapting to security solutions. If left unchecked and undetected, this threat may lead to a substantial loss of money and data for businesses.\r\nCombating threats like Emotet calls for a multilayered and proactive approach to security, protecting all fronts: endpoints, networks, and servers. Trend Micro endpoint solutions such as Trend Micro™ Smart Protection Suites and Worry-Free™ Business Security can protect users and businesses from these threats by detecting malicious files and spammed messages, as well as blocking all related malicious URLs. Enterprises can also monitor all ports and network protocols for advanced threats and be protected from targeted attacks with the Trend Micro™ Deep Discovery™ Inspector network appliance.\r\nDeep Discovery Inspector protects customers from these threats via this DDI Rule:\r\nDDI Rule 2897: EMOTET - HTTP (Request) - Variant 4\r\nTrend Micro XGen™ security provides a cross-generational blend of threat defense techniques against a full range of threats for data centers, cloud environments, networks, and endpoints. Smart, optimized, and connected, XGen™ powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense products.\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/emotet-adds-new-evasion-technique-and-uses-connected-devices-as-proxy-cc-servers/",
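	"added_example": "Added example, not code from the original Trend Micro post: a small Python heuristic that separates the two Emotet request shapes described in the article (the earlier GET with an empty URI path and a Base64 blob in the Cookie header, and the newer POST with lowercase word segments in the path and the blob moved into the body) from ordinary web traffic. It keys on what the change of transport position does not alter: the Base64 character set and the byte entropy of the decoded blob. The sample requests, the word segments in the path and the filler standing in for AES ciphertext are constructed; the word list from Figure 3 is not reproduced, and the assumption that Emotet C2 hosts are bare IP addresses is the editor's, not the page's.

```python
# Added example, not code from the Trend Micro post: heuristic detection of the two
# Emotet C2 request shapes described above, run over constructed sample requests.
import base64
import binascii
import hashlib
import ipaddress
import math
import string
from dataclasses import dataclass, field

B64_ALPHABET = set(string.ascii_letters + string.digits + '+/=')
ENTROPY_THRESHOLD = 7.0   # bits/byte; AES ciphertext sits near 8, text well below


@dataclass
class HttpRequest:
    name: str                      # label for the constructed sample
    method: str
    host: str                      # Host header value, possibly with :port
    path: str
    headers: dict = field(default_factory=dict)
    body: bytes = b''


def shannon_entropy(data: bytes) -> float:
    '''Empirical entropy in bits per byte (0.0 for empty input).'''
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def decode_if_base64(text: str):
    '''Decoded bytes if text is a padded Base64 blob of at least 64 chars, else None.'''
    text = text.strip()
    if len(text) < 64 or len(text) % 4 or not set(text) <= B64_ALPHABET:
        return None
    try:
        return base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None


def is_bare_ip(host: str) -> bool:
    '''True for an IPv4 literal Host value such as 203.0.113.10:8080.'''
    try:
        ipaddress.ip_address(host.split(':')[0])
        return True
    except ValueError:
        return False


def path_segments(path: str):
    '''Non-empty path components, ignoring any query string; [] for / or empty.'''
    return [s for s in path.split('?')[0].split('/') if s]


def classify(req: HttpRequest):
    '''List of Emotet-style indicators matched by req; empty for unremarkable traffic.'''
    hits = []
    segs = path_segments(req.path)
    # Old shape: GET with no URI path, victim data as one Base64 blob in the Cookie value
    if req.method == 'GET' and not segs:
        cookie = req.headers.get('Cookie', '')
        blob = decode_if_base64(cookie.partition('=')[2] if '=' in cookie else cookie)
        if blob is not None and shannon_entropy(blob) > ENTROPY_THRESHOLD:
            hits.append('empty URI path with high-entropy Base64 Cookie')
    # New shape (March 2019 onward): POST to a path of lowercase dictionary-word segments,
    # with the same kind of blob moved into the request body
    if req.method == 'POST' and segs and all(s.isalpha() and s.islower() for s in segs):
        blob = decode_if_base64(req.body.decode('ascii', 'replace'))
        if blob is not None and shannon_entropy(blob) > ENTROPY_THRESHOLD:
            hits.append('word-only URI path with high-entropy Base64 POST body')
    # Assumption, not stated on the page: Emotet C2 is addressed by bare IP, so a literal
    # IP in Host strengthens either match (it is never a hit on its own).
    if hits and is_bare_ip(req.host):
        hits.append('Host is a bare IP address')
    return hits


def pseudo_random_bytes(seed: bytes, n: int) -> bytes:
    '''Deterministic SHA-256 chain standing in for AES ciphertext (constructed filler).'''
    out, block = b'', seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed samples; hosts are documentation addresses and the word path is invented,
# not taken from the word list in Figure 3.
BLOB = base64.b64encode(pseudo_random_bytes(b'constructed sample', 1024)).decode()
SAMPLE_REQUESTS = [
    HttpRequest('old_style_get', 'GET', '203.0.113.10:8080', '/',
                {'Cookie': '6A60=' + BLOB}),
    HttpRequest('new_style_post', 'POST', '198.51.100.7:443', '/attrib/cone/vermont/',
                {'Content-Type': 'multipart/form-data'}, BLOB.encode()),
    HttpRequest('benign_form_post', 'POST', 'api.example.com', '/v1/orders',
                {'Content-Type': 'application/x-www-form-urlencoded'}, b'id=42'),
    HttpRequest('benign_get', 'GET', 'www.example.com', '/',
                {'Cookie': 'session=abc123'}),
]


def scan(requests=SAMPLE_REQUESTS):
    '''Map each request name to its list of matched indicators.'''
    return {r.name: classify(r) for r in requests}


if __name__ == '__main__':
    for name, hits in scan().items():
        print(name, '->', hits or 'clean')
```

Running the file prints one line per constructed sample. In production the requests would be reconstructed from a proxy or IDS HTTP log, and ENTROPY_THRESHOLD and the 64-character minimum should be tuned against local traffic, since legitimate binary uploads and long session tokens are also high-entropy Base64; the word-segment test is likewise only a coarse stand-in for matching the actual word list recovered from the sample.",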
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/emotet-adds-new-evasion-technique-and-uses-connected-devices-as-proxy-cc-servers/"
	],
	"report_names": [
		"emotet-adds-new-evasion-technique-and-uses-connected-devices-as-proxy-cc-servers"
	],
	"threat_actors": [],
	"ts_created_at": 1775791307,
	"ts_updated_at": 1775791339,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2f496421d03118e3aa04fc0c075fab7440f2f1e5.pdf",
		"text": "https://archive.orkl.eu/2f496421d03118e3aa04fc0c075fab7440f2f1e5.txt",
		"img": "https://archive.orkl.eu/2f496421d03118e3aa04fc0c075fab7440f2f1e5.jpg"
	}
}