Tuesday, December 01, 2020

Exposing Emotet's Modern Infrastructure - A Case Study on Tracking Down and Shutting Down Abusive Malware In Direct Cooperation with Abuse Departments


In this post I'll attempt to take the Emotet botnet offline, publishing never-before-published OSINT-style analysis of the actual C&C infrastructure behind Emotet, one of the most prolific botnets to date, with the aim of a coordinated take-down in direct cooperation with multiple international ISPs and their abuse departments.


Sample known Emotet C&C infrastructure servers:


Additional servers that are part of Emotet's C&C infrastructure:


Sample actionable intelligence on Emotet's C&C infrastructure:






Abuse Departments Primary Contact Points Involved in this Take Down Campaign Include:

Sample hostnames acting as Emotet C&C infrastructure servers:


Stay tuned!
