Dridex and Emotet infrastructure overlaps

by Security division of NTT Ltd.

03 July 2020

Person typing on a keyboard

In the fall of 2018, NTT Ltd. added botnet infrastructure detection capabilities to its Managed Security Services (MSS) and threat detection services.

In the initial press release, there were limited details released on how our machine learning system leverages our access to NTT Ltd.’s global network infrastructure. We own and operates one of the world's largest tier-1 IP backbone having insight into a significant portion of the global internet traffic and is consistently ranked among the top five network providers in the world.

In this blog post, we’ll explain how our threat detection analysts used netflow data captured from our global internet infrastructure to uncover the previously unstudied layered network approach the operators of Dridex use, and its unexpected overlap with the Emotet infrastructure.

Once upon a time when analysing Emotet traffic

It was observed by threat detection analysts that an Emotet C2 server was repeatedly communicating with the IP over port TCP/38400. This was an abnormality in the Emotet network infrastructure behaviour we’d seen so far.

In response to this abnormality, our threat detection team opened an investigation in an attempt to identify the purpose and behaviour of

During long term monitoring and analysis of netflow gathered from our global internet infrastructure we observed multiple malware families communicating with the IP over the same port, TCP/38400. The below image summarizes our observations:

Technical diagram

In numbers, we observed the following to speak with over TCP/38400:

  • 10 Emotet epoch 2 C2s
  • 4 Emotet epoch 3 C2s
  • 7 Dridex C2s

Analysis of available Open-source intelligence (OSINT) shows that has been used by the group TA505 at 2019-06-20 to distribute the malware FlawedAmmyy1 2. The hosting company that the IP belongs to, Private Layer Inc, is an offshore hosting company which has been observed to be utilized by threat actors in the past.

The questions start stacking up, what is the purpose of And is it still managed by TA505?

Exploring the connection to TA505

Given that FlawedAmmyy was distributed from at 2019-06-20 it was investigated if TA505 still manages this server. The currently used SSH key was set in the timeframe 2019-06-20 - 2019-07-20 based on historical scanning data as Shodan performs internet wide scans at least once a month3:

Technical diagram

If it was the case that the new SSH key was set at 2019-06-20 it indicates that the same operator which distributed the TA505 tied FlawedAmmy sample is also operating the administration of command and control servers connecting over port 38400.

Dridex has been distributed and used by TA5054, which strengthens the connection.

Going against this theory is that TA505 has no known ties to the Emotet group, which begs the question why they would manage Emotet C2 servers.

Furthermore, no malware families which TA505 is known to use besides Dridex has been seen to communicate with making the connection even weaker.

Based on these observations, it’s believed that the operator of changed after the distribution of FlawedAmmy.

The use case of

Central to the use case behind is knowing when the connecting servers are becoming active C2 servers. If they initially connect to for a duration of time, then stop communicating and becomes active C2 nodes instead, it could indicate that the operator of handover or sale of access to those servers.

On the other hand, if communication between the servers and is ongoing while the servers are active C2s, it implies that has a closer tie to the groups behind Emotet and Dridex.

We don’t believe that the operator behind has coincidently hacked the same servers as the groups behind Emotet and Dridex as the incoming connections towards are almost exclusively Emotet and Dridex C2-servers, i.e. indicating non-randomness in controlled servers.

Dridex C2s activity timeline

Below is a timeline visualizing when it was observed that the Dridex C2s speak with and also when they were included as C2s in Dridex binaries.

Technical diagram

The timeline shows that the majority of the IPs are acting as C2s while they communicate with, which lowers the likelihood of the operator to only handover access of the managed servers to other actors.

Emotet epoch 2 activity timeline

Doing the same analysis with the Emotet epoch 2 C2s shows somewhat inconclusive behaviour:

Technical diagram

It seems that they actively start speaking with after or at the same time they became Emotet C2s. Five C2s with spotty monitoring coverage were excluded from the graph due to too little available netflow capture for timeline analysis.


Our threat detection analysts makes the conclusion that the operator of has strong ties to one of the current groups using the Dridex malware from late December 2019 and is continuing to this day. Threat actors face takedowns of their infrastructure and see a need for persistence and centralized control as seem to be the case here.

The result of this discovery was used by the team to update the threat detection services coverage to monitor for command and control servers in customer environments before they are, if ever, publicly known. The team continuously monitors the underlying network infrastructure behind the operations of threat actors in order to improve our detection capabilities and uncover previously unknown relations.

In the recently released 2020 Global Threat Intelligence Report, our researchers and thought leaders share statistics and trends from the previous year. A key theme in this year’s report is ‘Threat actors are innovating and evolving their tradecraft’. Read more about how Automation, multi-stage-payloads and custom targeted malware are changing the threat landscape here.


Security division of NTT Ltd.