
Example of Emotet Detection


There are open-source methods to fingerprint Emotet on the network layer using JA3 and JA3S (hashes of the parameters a client sends in its TLS ClientHello and a server returns in its ServerHello), but attackers keep changing the TLS parameters their tooling sends in order to hide. Because JA3 is an open-source, exact-match technique, it is easy to bypass and hard to adapt to this changing behaviour.
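The JA3 technique described above, as an added example (this is not Barac's code and not code from the JA3 project): a minimal TLS ClientHello parser that computes the JA3 string and its MD5 hash, filtering GREASE values as the JA3 specification requires, run over two constructed ClientHello records. The second record differs from the first only in cipher-suite order, which is enough to yield a new hash and miss an exact-match lookup against a known-bad set. The records, the hostname and the known-hash set are all constructed for this example; nothing here is a real Emotet fingerprint.

```python
import hashlib
import struct

# --- constructing ClientHello records (test input, not captured traffic) ---

def supported_groups(groups):
    """Extension 10: 2-byte list length followed by 2-byte named groups."""
    data = b"".join(struct.pack("!H", g) for g in groups)
    return (10, struct.pack("!H", len(data)) + data)

def ec_point_formats(fmts):
    """Extension 11: 1-byte list length followed by 1-byte formats."""
    return (11, bytes([len(fmts)]) + bytes(fmts))

def server_name(host):
    """Extension 0 (SNI): list length, name type 0, name length, name."""
    name = host.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    return (0, struct.pack("!H", len(entry)) + entry)

def build_client_hello(version, ciphers, extensions):
    """Wrap a ClientHello body in handshake and TLS record headers."""
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = struct.pack("!H", version) + b"\x00" * 32 + b"\x00"  # version, random (zeros here), empty session id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"  # one compression method: null
    body += struct.pack("!H", len(ext_bytes)) + ext_bytes
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    return struct.pack("!BHH", 0x16, 0x0301, len(handshake)) + handshake

# --- parsing and JA3 ---

def is_grease(v):
    """RFC 8701 GREASE values look like 0x?a?a with both bytes equal; JA3 ignores them."""
    return (v & 0x0F0F) == 0x0A0A and (v >> 8) == (v & 0xFF)

def parse_client_hello(record):
    """Return (version, ciphers, extension types, groups, point formats) from a TLS record."""
    content_type, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != 0x16:
        raise ValueError("not a handshake record")
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    version = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    pos += 32                                 # random
    pos += 1 + body[pos]                      # session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    ciphers = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]; pos += cs_len
    pos += 1 + body[pos]                      # compression methods
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    exts, groups, formats = [], [], []
    while pos < end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        edata = body[pos:pos + elen]; pos += elen
        exts.append(etype)
        if etype == 10:
            glen = struct.unpack("!H", edata[:2])[0]
            groups = [struct.unpack("!H", edata[i:i + 2])[0] for i in range(2, 2 + glen, 2)]
        elif etype == 11:
            formats = list(edata[1:1 + edata[0]])
    return version, ciphers, exts, groups, formats

def ja3(record):
    """JA3 string 'Version,Ciphers,Extensions,Groups,PointFormats' and its MD5 hex digest."""
    version, ciphers, exts, groups, formats = parse_client_hello(record)
    dashed = lambda vals: "-".join(str(v) for v in vals if not is_grease(v))
    s = ",".join([str(version), dashed(ciphers), dashed(exts), dashed(groups), dashed(formats)])
    return s, hashlib.md5(s.encode()).hexdigest()

def matches_known(record, known_hashes):
    """Exact-match detection: the only thing a JA3 block list can do."""
    return ja3(record)[1] in known_hashes

# Constructed inputs: a GREASE cipher (0x0a0a) and GREASE extension (0x2a2a) are included to show filtering.
EXTS = [server_name("example.com"), supported_groups([0x001D, 0x0017]), ec_point_formats([0]), (0x2A2A, b"")]
BASELINE = build_client_hello(0x0303, [0x0A0A, 0x1301, 0x1302, 0xC02B, 0xC02F], EXTS)
REORDERED = build_client_hello(0x0303, [0x1301, 0xC02F, 0xC02B, 0x1302], EXTS)   # same suites, new order

if __name__ == "__main__":
    s1, h1 = ja3(BASELINE)
    s2, h2 = ja3(REORDERED)
    print("baseline :", s1, h1)
    print("reordered:", s2, h2)
    print("reordered hello matches block list:", matches_known(REORDERED, {h1}))
```

The reordered hello still negotiates the same suites with the same server, so nothing about the malware's behaviour on the wire has changed, yet its JA3 hash is new and the block list is silent. That is the weakness the paragraph above is pointing at: a hash over exact ClientHello bytes is a brittle feature, and any durable detection has to rest on properties the operator cannot trivially shuffle.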
Barac works on the network layer: we collect TLS and traffic metadata, then combine them with machine learning and behavioural analytics to detect malware (including Dridex) and abnormal behaviour. We noticed that even when the C&C IP, the toolkit used to connect or the tool running on the affected server changes, there are signs and behaviours that stay the same across all the connections. These metrics, or indicators, combined with machine learning algorithms can be used to detect a signature of Emotet in encrypted traffic without decryption: