Emotet now installs Cobalt Strike beacons

Researchers warn that Emotet now directly installs Cobalt Strike beacons on infected systems, giving attackers immediate access to the network. Attackers can use that access for lateral movement, which will greatly facilitate extortion attacks.

Let me remind you that Emotet usually installs the TrickBot or Qbot malware on victims’ machines, and that malware in turn deploys Cobalt Strike and performs other malicious actions. Now, the Cryptolaemus research group has warned that Emotet skips the installation of TrickBot or Qbot and directly installs Cobalt Strike beacons on infected devices.

Cryptolaemus is a group of more than 20 information security specialists from all over the world, who united back in 2018 for a common goal – to fight against Emotet malware.

This information was confirmed to the journalists of Bleeping Computer by the specialists of the information security company Cofense.

“Some of the infected computers were instructed to install Cobalt Strike, a popular post-exploitation tool. Emotet itself collects a limited amount of information about the infected machine, but Cobalt Strike can be used to evaluate a broader network or domain assessment, looking for suitable victims for further infection, such as ransomware,” experts say.

“While Cobalt Strike was trying to contact the lartmana[.]com domain, and shortly thereafter, Emotet was deleting the Cobalt Strike executable.”

In fact, this means that attackers now have immediate access to the network for lateral movement, data theft, and rapid ransomware deployment. The rapid deployment of Cobalt Strike is expected to speed up the deployment of ransomware on compromised networks as well.

“It is very serious. Usually, Emotet will reset the TrickBot or QakBot, which in turn will reset the CobaltStrike. In a normal situation, you have about a month between the first infection and the extortion. With Emotet dropping CS directly, this delay is likely to be much shorter,” security specialist Marcus Hutchins warns on Twitter.

Cofense experts, in turn, report that it is not yet clear whether what is happening is a test of the Emotet operators themselves, or if it is part of a chain of attacks by another malware that cooperates with the botnet.

“We do not yet know if the Emotet operators intend to collect the data for their own use, or if it is part of a chain of attacks belonging to one of the other families of malware. Given the quick removal, it could have been a test, or even an accident,” the experts summarize, promising to continue monitoring further.

Let me remind you that I also reported that Trojan Emotet is trying to spread through available Wi-Fi networks.

By Vladimir Krasnogolovy
