Cobalt Strike Is Being Installed by Emotet for Faster Attacks
This Comes Soon After Emotet Started to Test Installing Cobalt Strike Beacons on Infected Devices Instead of Their Regular Payloads.
Emotet belongs to the malware strain known as banking Trojans, and it primarily spreads through malspam.
The messages used by Emotet often contain familiar branding, mimicking the email format of well-known and trusted companies to convince users.
What Is Happening?
The infamous Emotet malware is now directly installing Cobalt Strike beacons to speed up attacks. Historically, after infecting a device, Emotet would steal the victim’s emails for use in future campaigns before dropping malware payloads such as TrickBot and Qbot.
As BleepingComputer reported earlier this month, Emotet began testing the installation of Cobalt Strike beacons on compromised devices instead of its conventional payloads.
This test was short, and the threat actors quickly resumed their usual payload distribution.
Spamming stopped on Thursday of last week, and since then the operators have been quiet, with very little of anything going on until today.
However, Cryptolaemus is now advising that threat actors have resumed deploying Cobalt Strike beacons on Emotet-infected devices as of today.
It seems that Emotet is now downloading Cobalt Strike modules straight from its command and control server and running them on the compromised device.
Threat actors who use Cobalt Strike beacons to move laterally through a network, steal files, and deliver malware will now gain rapid access to infiltrated networks, since Emotet installs the beacons directly.
This approach will speed up the delivery of attacks and may result in more breaches, as organizations now have fewer staff available to monitor for and respond to attacks.
In a Cobalt Strike beacon sample shared with BleepingComputer, the malware communicates with the attacker’s command and control servers by requesting a bogus ‘jquery-3.3.1.min.js’ file.
Each time the malware checks in with the C2 server, it attempts to download the jQuery file, in which a variable has been modified to carry new instructions.
Because the majority of the file is legitimate jQuery source code with only minor changes, the traffic blends in with normal web requests and is harder for security tools to detect.
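As an added defender-side example (not code from the original article or from the BleepingComputer sample), the script below scans a constructed proxy log for the pattern described above: one client fetching ‘jquery-3.3.1.min.js’ at near-constant intervals from a host that is not a known jQuery CDN, with a response size that changes between fetches. The CDN allowlist, the log format and the sample host name are assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Assumed allowlist of CDNs that legitimately serve jQuery; tune for your environment.
JQUERY_CDNS = {"code.jquery.com", "ajax.googleapis.com", "cdnjs.cloudflare.com"}
JQUERY_NAME = "jquery-3.3.1.min.js"

# Constructed sample proxy log: timestamp, client, host, path, response size in bytes.
SAMPLE_LOG = """\
2021-12-08T10:00:00 10.0.0.5 code.jquery.com /jquery-3.3.1.min.js 86927
2021-12-08T10:00:05 10.0.0.5 beacon-c2.invalid /jquery-3.3.1.min.js 91210
2021-12-08T10:01:05 10.0.0.5 beacon-c2.invalid /jquery-3.3.1.min.js 91344
2021-12-08T10:02:06 10.0.0.5 beacon-c2.invalid /jquery-3.3.1.min.js 91198
2021-12-08T10:03:05 10.0.0.5 beacon-c2.invalid /jquery-3.3.1.min.js 91402
2021-12-08T10:00:30 10.0.0.7 code.jquery.com /jquery-3.3.1.min.js 86927
2021-12-08T10:20:30 10.0.0.7 code.jquery.com /jquery-3.3.1.min.js 86927
"""

def parse(log):
    for line in log.splitlines():
        ts, client, host, path, size = line.split()
        yield datetime.fromisoformat(ts), client, host, path, int(size)

def find_jquery_beacons(log, min_hits=3, max_jitter=0.2):
    """Return (client, host, mean_interval_s, size_varies) for suspicious fetches.

    Suspicious: jQuery path, host not a known CDN, near-constant request interval
    from one client, and a response size that drifts (a static file never changes).
    """
    seen = defaultdict(list)
    for ts, client, host, path, size in parse(log):
        if path.endswith(JQUERY_NAME) and host not in JQUERY_CDNS:
            seen[(client, host)].append((ts, size))
    findings = []
    for (client, host), hits in seen.items():
        if len(hits) < min_hits:
            continue
        hits.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        mean = statistics.mean(gaps)
        regular = all(abs(g - mean) <= max_jitter * mean for g in gaps)
        size_varies = len({s for _, s in hits}) > 1  # legitimate static file: one size
        if regular:
            findings.append((client, host, round(mean), size_varies))
    return findings

if __name__ == "__main__":
    for f in find_jquery_beacons(SAMPLE_LOG):
        print("suspicious jQuery beaconing:", f)
```

Requests to allowlisted CDNs are ignored entirely, so the check should be paired with a content hash comparison against a pinned copy of the real jQuery file for hosts you do trust.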
The quick deployment of Cobalt Strike via Emotet is an important development that should be noted by all Windows and network administrators, as well as security specialists.
How Can Heimdal™ Protect You?
Heimdal™ always has the most efficient solutions ready to help secure your organization’s critical infrastructure. You can use tools like Email Security and Email Fraud Prevention. The first protects against mail-delivered threats and supply chain attacks by means of a combination of proprietary e-mail threat prevention and Office 365 support; the second keeps Business Email Compromise (BEC), CEO fraud, and phishing away through its 125 vectors of analysis.