Emotet directly drops Cobalt Strike beacons without intermediate Trojans

The Emotet malware continues to evolve, in the latest attacks, it directly installs Cobalt Strike beacons to give the attackers access to the target network.

Emotet malware now directly installs Cobalt Strike beacons to give the attackers immediate access to the target network and allow them to carry out malicious activities, such as launching ransonware attacks.

In a classic attack chain, the Emotet malware would install the TrickBot or Qbot trojans on infected devices, which in turn would deploy Cobalt Strike on an infected system.

Emotet research group Cryptolaemus recently noticed a switch in the tactics of Emotet operators, which now are directly installing Cobalt Strike beacons on infected devices without installing the above intermediate Trojans.

Reducing the attack chain will allow the threat actors to rapidly move to the second stage of the attack, such as installing ransomware on the infected network.

A Flash Alert shared by security firm Cofense with Bleeping Computer confirms the new technique used in the attacks.

“While the Cobalt Strike sample was running, it attempted to contact the domain lartmana[.]com. Shortly afterward, Emotet uninstalled the Cobalt Strike executable.” reads the alert.

Cofense researchers speculate the new attack chain might have been a test, or even unintentional, anyway the researchers will continue to monitor the evolution of the tactics for Emotet operators.

Early this year, law enforcement and judicial authorities worldwide conducted a joint operation, named Operation Ladybird, which disrupted the EMOTET botnet. At the time the investigators have taken control of its infrastructure in an international coordinated action. 

This operation was the result of a joint effort between authorities in the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine, with international activity coordinated by Europol and Eurojust.

The law enforcement agency was able to take over at least 700 servers used as part of the Emotet botnet’s infrastructure. The FBI collected millions of email addresses used by Emotet operators in their malware campaigns as part of the cleanup operation.

The Emotet banking trojan has been active at least since 2014, the botnet is operated by a threat actor tracked as TA542. The infamous banking trojan was also used to deliver other malicious code, such as Trickbot and QBot trojans, or ransomware such as Conti, ProLock, Ryuk, and Egregor.

In mid-November researchers from multiple cybersecurity firms ([Cryptolaemus], [GData], and [Advanced Intel]) reported that threat actors are using the TrickBot malware to drop an Emoted loader on infected devices. The experts tracked the campaign aimed at rebuilding the Emotet botnet using TrickBot’s infrastructure as Operation Reacharound.

Researchers from AdvIntel believe that the return will have a significant impact on the ransomware operations in the threat landscape, likely “the largest threat ecosystem shift in 2021” and beyond due to three reasons:

1. Emotet’s unmatched continuous loader capabilities
2. The correlation between these capabilities and the demanded of the contemporary cybercrime market
3. The return of the TrickBot-Emotet-Ransomware triad resulted from the first two points.

The Emotet botnet was resurrected by its former operator, who was convinced by the Conti ransomware gang. The shutdown of the Emotet operation resulted in the lack of high-quality initial access brokers.

Qbot and TrickBot used Emotet’s service to deploy multiple ransomware strains, including Conti, DoppelPaymer, Egregor, ProLock, Ryuk, and others).

The vacuum left by Emotet shutdown urged its resurgence, for this reason, its return will have a major impact on the threat landscape.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]