-
Featured services
-
Services
View all services and productsLeverage our capabilities to accelerate your business transformation.
-
-
Services
Network Services
Popular Products
-
Private 5G
Our turnkey private 5G network enables custom-built solutions that are designed around unique use cases and strategies, and deployed, run and optimized through a full network-as-a-service model.
-
Managed Campus Networks
Our Managed Campus Networks services transform campus networks, corporate area networks and interconnected local area networks, and connect smart places and industries.
-
-
Services
Cloud and IT Infrastructure
Popular Products
-
Cloud Architecture and Modernization
Discover how to achieve your business goals through cloud modernization practices, that deliver improved agility, reusability and scalability.
-
Cloud Optimization
Discover how to maximize operational excellence, business continuity and financial sustainability through our cloud-advanced optimization services.
-
-
Services
Consulting
-
Client stories
-
Penske Entertainment and the NTT INDYCAR SERIES
Together with Penske Entertainment, we’re delivering digital innovations for their businesses – including INDYCAR, the sanctioning body of the NTT INDYCAR SERIES – and venues such as the iconic Indianapolis Motor Speedway, home to the Indianapolis 500.
-
Using private wireless networks to power IoT environments with Schneider Electric
Our combined capabilities enable a secure, end-to-end digital on-premises platform that supports different industries with the benefits of private 5G.
-
-
Services
Data and Artificial intelligence
-
Services
Technology Solutions
-
Services
Global Data Centers
-
Services
Digital Collaboration and CX
Popular Products
-
CX Managed Services
Bridge gaps in skills, knowledge and capabilities to deliver exceptional CX that meets the needs of your customers in a rapidly evolving and highly competitive environment.
-
Digital Events
From virtual events, webcasts and webinars to broadcasting and audio conferencing, our scalable solutions extend the impact of your digital events and can be tailored to your business needs.
-
-
-
-
Insights and resources
Recent Insights
-
The Future of Networking in 2025 and Beyond
-
Using the cloud to cut costs needs the right approach
When organizations focus on transformation, a move to the cloud can deliver cost savings – but they often need expert advice to help them along their journey
-
Make zero trust security work for your organization
Make zero trust security work for your organization across hybrid work environments.
-
-
Insights and resources
-
-
-
Discover how we accelerate your business transformation
-
About us
CLIENT STORIES
-
Liantis
Over time, Liantis – an established HR company in Belgium – had built up data islands and isolated solutions as part of their legacy system.
-
Randstad
We ensured that Randstad’s migration to Genesys Cloud CX had no impact on availability, ensuring an exceptional user experience for clients and talent.
-
-
-
CLIENT STORIES
-
Liantis
Over time, Liantis – an established HR company in Belgium – had built up data islands and isolated solutions as part of their legacy system.
-
Randstad
We ensured that Randstad’s migration to Genesys Cloud CX had no impact on availability, ensuring an exceptional user experience for clients and talent.
-
-
CLIENT STORIES
-
Liantis
Over time, Liantis – an established HR company in Belgium – had built up data islands and isolated solutions as part of their legacy system.
-
Randstad
We ensured that Randstad’s migration to Genesys Cloud CX had no impact on availability, ensuring an exceptional user experience for clients and talent.
-
-
- Careers
Behind the scenes of the Emotet Infrastructure
18 June 2020
Topics in this article
- ensure our long term detection capabilities for Emotet traffic in our customer environments
- explore the underlying Emotet infrastructure and track the setup and longevity of the Tier 2 servers
- collaborate with CERTs and notify ISPs of malicious activity
We own and operate one of the world's largest Tier-1 IP backbones, giving insight into a significant portion of the global internet traffic. We’re also consistently ranked among the top five network providers in the world. In the fall of 2018, our security division added botnet infrastructure detection capabilities to our Managed Security Services (MSS) Threat Detection services. This unique capability was used during this project in order to explore and monitor the Emotet network infrastructure.
Starting the journey
The assumptions of behavior of the Tier 1 C2s were reduced to the expectation that they forward their traffic towards a Tier 2 C2. We initially monitored Tier 1 C2 traffic en masse. We extracted Tier 1 C2 lists from Emotet samples and applied these IOCs in netflow monitoring in our global internet infrastructure, where one potential Tier 2 C2 was found:
The Emotet botnet is divided into separate Epochs, Epoch 1, 2 and 3, which all have their own separate Tier 1 C2 infrastructure2. The Tier 1 C2s in the picture above belong to Epoch 2.
A Shodan lookup of the services of the Tier 2 C2 showed the following setup of HTTP services:
At this point in the investigation, we assumed that the above was the standard setup for all Tier 2 C2s and automated the analysis of outgoing traffic from Tier 1 C2s to find new Tier 2 C2s. We found new ones by selecting traffic where:
- the source IP is an Emotet Tier 1 C2
- the destination port is TCP/80 and is running a NGINX service, with the error message ‘HTTP 404 Not found’
- the destination IP is also running an Apache service which gives ‘HTTP 200 OK’ status message over port TCP/8080
Observed backends
With our new workflow established, we’ve observed 16 Tier 2 C2 servers with incoming Tier 1 C2 traffic of their respective associated Epoch:
- eight Tier 2 C2s belong to Epoch 1
- five Tier 2 C2s belong to Epoch 2
- three Tier 2 C2s belong to Epoch 3
With the following hosting providers used:
- seven using Serverius Holding
- five using GloboTech
- two using Worldstream
- one using PnS Hostings
- one using RealHosters
The graphs below show the timelines for when each Tier 2 C2 is receiving connections from Tier 1 C2s grouped by each Epoch. The Y-axis is the number of connecting Tier 1 C2s and the X-axis is the timeline. The colored lines each represent a Tier 2 C2.
Epoch 1:
Comment:
Based on the synchronization in time when old Tier 2 C2s disappear and new Tier 2 C2s appear, there are two separate Tier 2 C2 infrastructures for Epoch 1 in use at the same time: 37.252.15.50 -> 185.180.223.70 and 72.10.162.83 -> 72.10.162.84-> 72.10.162.85-> 72.10.162.86.
Epoch 2:
Comment:
The new Tier 2 C2s appear at the same time or a little before the old one goes down. The overlap with two Tier 2 C2 active at the same time is noteworthy.
Epoch 3:
Comment:
The IP 134.119.194.179 has for a very long time been utilized as a Tier 2. The IP 37.252.14.29 has a low utilization of connecting Tier 1 C2s.
From the analysis above, the following Tier 2 IPs were excluded due to their short time-span and low amount of connecting Tier 1 C2s, indicating them to possibly be inactive:
- 37.252.15.52
- 37.252.14.109
- 185.180.223.114
Theories on administration
Our analysts have three main theories on how the actor behind Emotet administers the Tier 2 C2 servers:
Theory 1 – Apache TCP/8080
An administration panel and/or API access exposed over Apache TCP/8080 which the actor connects to. No network traffic in our global internet infrastructure supporting this theory has been seen.
Theory 2 – NGINX TCP/80
The hosting of an administration panel and/or API access over the same port that they receive C2 traffic. This would make it easier for the actor to hide their tracks by possibly tunneling their traffic through Tier 1 C2s towards Tier 2 C2s.
Theory 3 - A Tier 3 C2
Tier 2 C2s forwarding their traffic towards a central Tier3 C2 which has data for all three Epochs. No outgoing traffic from Tier 2 C2s inside of our global internet infrastructure has been observed supporting this and it’s seen as very unlikely.
Closing thought on theories
The overlaps observed in the Tier 2 C2 infrastructure with multiple Tier 2 C2s being active at the same time indicates an additional complexity. Based on netflow monitoring of our global internet infrastructure, theory 2 is found to be most likely, but forensics of Tier 2 C2s would be needed in order to confirm this theory.
Conclusion
We have reliably been able to follow the changes in the use of Tier 2 servers in the Emotet network infrastructure. It’s noteworthy how one of the largest threat actors today can largely operate undisturbed with Tier 2 servers having uptime of multiple months. This research is useful when planning takedown actions, but also in understanding threat actors' operations and improving the detection capabilities that we have in customer environments.
In the recently released 2020 Global Threat Intelligence Report, our researchers and thought leaders share statistics and trends from the previous year. A key theme in this year’s report is ‘Threat actors are innovating and evolving their tradecraft’. Read more about how automation, multi-stage payloads and custom targeted malware are changing the threat landscape here.
References
2 https://isc.sans.edu/forums/diary/Emotet+epoch+1+infection+with+Trickbot+gtag+mor84/25752/
