The notorious Emotet malware has been upgraded and can now install Cobalt Strike beacons directly, a move that lets threat actors deploy ransomware much sooner after the initial infection.
Emotet is an infamous malware infection threat that spreads via phishing emails that contain malicious Microsoft Word or Excel documents. These documents use macros to download and install Emotet on the target device. Emotet is traditionally then used to deploy further malware.
During the initial height of its popularity, Emotet would install TrickBot or Qbot on infected devices. These trojans would then deploy Cobalt Strike.
Cobalt Strike is a legitimate pentesting tool that allows an operator to deploy a “beacon” on a target device to run further commands or begin remote network surveillance.
Despite its legitimate use by penetration testing companies, Cobalt Strike is popular amongst hackers, who use cracked versions as part of their network breaches, and it is commonly seen in ransomware attacks.
Cryptolaemus, the most significant Emotet research group, warned that Emotet is now skipping the primary TrickBot or Qbot payload and instead performing a direct install of Cobalt Strike.
A flash alert sent by security firm Cofense to researchers at BleepingComputer explained that a small number of recent Emotet infections install Cobalt Strike and then attempt to contact a remote domain.
“Today, some infected computers received a command to install Cobalt Strike, a popular post-exploitation tool,” warns the Cofense Flash Alert.
“Emotet itself gathers a limited amount of information about an infected machine, but Cobalt Strike can be used to evaluate a broader network or domain, potentially looking for suitable victims for further infection such as ransomware.”
“While the Cobalt Strike sample was running, it attempted to contact the domain lartmana[.]com. Shortly afterward, Emotet uninstalled the Cobalt Strike executable.”
What makes this change in attack vector significant is that in the past, victims had some time to detect the infection before Cobalt Strike was deployed.
Now that the initial deployment is skipped, hackers will have access right away to spread laterally, steal data, and deploy ransomware.
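As an added illustration (not code from the article or from Cofense), the kind of correlation a SOC could run over endpoint telemetry to catch this compressed chain: an Office application spawning a child process followed, on the same host, by a lookup of the beacon domain named in the Cofense alert, with the short delay and the later file removal recorded. The event format, hostnames, paths and timestamps are constructed.

```python
"""Correlate constructed endpoint telemetry to flag an Office-spawned process
followed quickly by a lookup of a known Cobalt Strike beacon domain."""
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry): (time, host, kind, details)
EVENTS = [
    ("2021-12-07T09:00:10", "ws-17", "process", ("WINWORD.EXE", "cmd.exe")),
    ("2021-12-07T09:00:12", "ws-17", "process", ("cmd.exe", "powershell.exe")),
    ("2021-12-07T09:03:40", "ws-17", "dns", "lartmana.com"),
    ("2021-12-07T09:05:01", "ws-17", "file_delete", r"C:\Users\u\AppData\Local\Temp\svc.exe"),
    ("2021-12-07T10:15:00", "ws-22", "process", ("EXCEL.EXE", "splwow64.exe")),
    ("2021-12-07T11:30:00", "ws-05", "dns", "lartmana.com"),
]

OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE"}
# Beacon domain from the Cofense alert, refanged so it matches raw DNS logs.
BEACON_DOMAINS = {"lartmana.com"}


def _ts(s):
    return datetime.fromisoformat(s)


def correlate(events, window_minutes=30):
    """Return one alert per beacon lookup that follows an Office child-process
    spawn on the same host within `window_minutes`. Each alert records the
    delay and whether a file deletion (the quick uninstall) came afterwards."""
    ordered = sorted(events, key=lambda e: e[0])
    first_spawn = {}  # host -> time of earliest Office-spawned child process
    for t, host, kind, d in ordered:
        if kind == "process" and d[0] in OFFICE_APPS:
            first_spawn.setdefault(host, _ts(t))
    alerts = []
    for t, host, kind, d in ordered:
        if kind != "dns" or d not in BEACON_DOMAINS or host not in first_spawn:
            continue
        delay = _ts(t) - first_spawn[host]
        if timedelta(0) <= delay <= timedelta(minutes=window_minutes):
            removed = any(k == "file_delete" and h == host and _ts(tt) > _ts(t)
                          for tt, h, k, _ in ordered)
            alerts.append({"host": host, "domain": d,
                           "minutes_to_beacon": delay.total_seconds() / 60,
                           "payload_removed_after": removed})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Only ws-17 fires: ws-22 has an Office spawn with no beacon lookup, and ws-05 has the lookup with no Office spawn, so each alone stays below the alert threshold.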
“This is a big deal. Typically Emotet dropped TrickBot or QakBot, which in turn dropped CobaltStrike. You’d usually have about a month between first infection and ransomware. With Emotet dropping CS directly, there’s likely to be a much much shorter delay,” security researcher Marcus Hutchins tweeted about the development.
This move will speed up ransomware deployment on compromised networks, bypassing a waiting period in which IT teams could remediate infections. This is especially relevant for the Conti ransomware gang, who convinced the Emotet operators to relaunch after the botnet was shut down by law enforcement in January.
Cofense says that it is unclear if this is a test, being used by Emotet for their own network surveillance, or is part of an attack chain for other malware families that partner with the botnet.
“We don’t know yet whether the Emotet operators intend to gather data for their own use, or if this is part of an attack chain belonging to one of the other malware families. Considering the quick removal, it might have been a test, or even unintentional,” Cofense stated.
Protection Against Emotet
There are several tools internet users should use to increase their online protection. One of these tools is SaferNet.
SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7, always-on, military-grade VPN, but it also stops outside cyberthreats, malware, and viruses. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls, including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories.
Typically, a business or family would need three separate services for a VPN, malware protection, and internet controls; SaferNet offers all three features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers, at an economical price point that caters to businesses and families of all sizes. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employees’ or family members’ devices, including activity, time spent online, and threats blocked.