Emotet Observed Delivering Cobalt Strike Directly to Infected Devices

Last year, Emotet was the most prevalent malware threat until a coordinated international law enforcement operation finally seized its infrastructure. At the time of the takedown, Europol considered Emotet to be the world’s most dangerous malware and botnet, and the takedown swiftly neutralized the threat. The hundreds of thousands of infected devices that made up the botnet finally had the malware removed on April 25, 2021. For several months after that, no Emotet activity was detected, but the botnet has now started to be rebuilt at an alarming pace.

TrickBot, which used to be delivered by Emotet as a secondary payload, has been used to rebuild the botnet, and it has grown rapidly in size. While it is not yet believed to be anywhere near the size it was at the time of the takedown, it is now very much a significant threat. Emotet was known to deliver secondary payloads such as TrickBot and Qbot, with the infections often leading to a ransomware attack. TrickBot and Qbot would in turn often be used to deliver the penetration testing tool Cobalt Strike, which deployed beacons on compromised devices that allowed remote network surveillance and a range of malicious activities, including preparing networks for ransomware attacks.

Now, according to the Emotet research group Cryptolaemus, Emotet is skipping the secondary Trojan payloads and installing Cobalt Strike beacons directly on Emotet-infected devices. That naturally means the time from Emotet infection to a ransomware attack has been greatly shortened, and security teams will have far less time to detect and remediate infected devices before Cobalt Strike is deployed. According to security researcher Marcus Hutchins, the time between Emotet dropping TrickBot or Qbot and ransomware being deployed was typically around a month, but the delay is now likely to be far shorter.

Cofense has also recently reported cases of Emotet installing Cobalt Strike, which attempted to connect to a remote domain before Emotet uninstalled it again. Cofense said it is unclear whether the detected Cobalt Strike deployments and uninstallations were a test on some infected devices, whether Cobalt Strike was used by the Emotet gang as part of its own reconnaissance activities, or whether Cobalt Strike was deployed as part of the attack chain for other malware families that Emotet is known to partner with.

What is clear is that Emotet is once again a major threat: the botnet is continuing to grow and has a more resilient infrastructure to resist any further law enforcement takedowns. Emotet malware is usually delivered using phishing emails with .zip, .docx, and .xlsx attachments, although a campaign has also been detected that uses malicious links in hijacked email threads to direct users to a fake PDF file, which is actually a Windows App Installer package hosted on Azure that delivers the malware payload.
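The delivery vectors described above (lure attachments and links to an Azure-hosted fake PDF) can be triaged automatically at the mail gateway. The following script is an added example written for this page, not code from the article or from any vendor mentioned in it. It parses a raw email, flags attachments with the lure extensions the article names (looking one level inside .zip archives), and flags links whose host looks like Azure storage or whose path points at a Windows App Installer package. The attachment extensions beyond .zip/.docx/.xlsx, the Azure host patterns, the `.appinstaller`/`ms-appinstaller:` indicators, and the sample message are all constructed assumptions for illustration.

```python
import email
import io
import os
import re
import zipfile
from email import policy
from email.message import EmailMessage

# .zip, .docx and .xlsx are the lure extensions named in the article; the
# rest are assumed additions covering common macro-bearing Office formats.
RISKY_EXTENSIONS = {".zip", ".docx", ".xlsx", ".doc", ".xls", ".docm", ".xlsm"}

# Assumed indicators: Azure storage / app-service hosts, and App Installer
# package references. Tune these to your own environment.
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
AZURE_HOST_RE = re.compile(
    r"https?://[^\s/\"'<>]*\.(?:blob\.core\.windows\.net|azurewebsites\.net)(?:/|$)", re.I
)
APPINSTALLER_RE = re.compile(r"\.appinstaller\b|ms-appinstaller:", re.I)


def _ext(name):
    return os.path.splitext(name)[1].lower()


def attachment_findings(msg):
    """Flag attachments with lure extensions; inspect .zip contents one level deep."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        ext = _ext(name)
        if ext in RISKY_EXTENSIONS:
            findings.append(f"attachment {name}: lure extension {ext}")
        if ext == ".zip":
            data = part.get_payload(decode=True) or b""
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for inner in zf.namelist():
                        if _ext(inner) in RISKY_EXTENSIONS:
                            findings.append(f"archive {name} contains {inner}")
            except zipfile.BadZipFile:
                findings.append(f"attachment {name}: .zip name but not a valid archive")
    return findings


def link_findings(msg):
    """Flag body links that point at Azure-hosted files or App Installer packages."""
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    findings = []
    for url in URL_RE.findall(text):
        if APPINSTALLER_RE.search(url):
            findings.append(f"link {url}: references a Windows App Installer package")
        elif AZURE_HOST_RE.match(url):
            findings.append(f"link {url}: file hosted on Azure")
    return findings


def triage(raw_bytes):
    """Parse a raw RFC 822 message and return a list of human-readable findings."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    return attachment_findings(msg) + link_findings(msg)


def build_sample_email(malicious=True):
    """Constructed test message: a 'reply' in a thread carrying a zipped .docx
    and a link to a 'PDF' on Azure storage (or a benign message if malicious=False)."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Re: Re: Q3 invoice"
    if not malicious:
        msg.set_content("Minutes from today's call are attached.")
        msg.add_attachment("1. Actions agreed\n", filename="minutes.txt")
        return msg.as_bytes()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_2021.docx", b"not a real document")
    msg.set_content(
        "Please see the attached invoice, or download the PDF here: "
        "https://example.blob.core.windows.net/docs/report.pdf"
    )
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="invoice_2021.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage(build_sample_email()):
        print(finding)
```

Run against the constructed message, the script reports the .zip attachment, the .docx inside it, and the Azure-hosted link; the benign variant produces no findings. In production, feed `triage()` the raw message bytes from your gateway or mailbox export and route anything with findings to a quarantine or sandbox rather than blocking on the extension alone, since .docx and .xlsx are also legitimate business traffic.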

Author: NetSec Editor