The operators of the Emotet banking trojan have spent the last two months taking over routers and IoT devices in order to build a cocoon around their botnet.
This marks the first time malware has been seen using infected routers and IoT devices as intermediary points for communications between infected computers and the malware’s command-and-control (C&C) servers.
The idea is that a Windows computer infected with Emotet sends the data it harvests to these routers and IoT devices, which then relay it to the real Emotet C&C servers. The reverse also holds: the Emotet gang sends commands to the compromised smart devices, which relay them to the infected hosts.
By doing this, the Emotet gang is hoping to hide the real location of their command infrastructure and prevent security researchers, hosting providers, and authorities from taking down parts of their botnet.