The Emotet malware continues to evolve, in the latest attacks, it directly installs Cobalt Strike beacons to give the attackers access to the target network.

Emotet malware now directly installs Cobalt Strike beacons to give the attackers immediate access to the target network and allow them to carry out malicious activities, such as launching ransonware attacks.

In a classic attack chain, the Emotet malware would install the TrickBot or Qbot trojans on infected devices, which in turn would deploy Cobalt Strike on an infected system.

Emotet research group Cryptolaemus recently noticed a switch in the tactics of Emotet operators, which now are directly installing Cobalt Strike beacons on infected devices without installing the above intermediate Trojans.

WARNING We have confirmed that #Emotet is dropping CS Beacons on E5 Bots and we have observed the following as of 10:00EST/15:00UTC. The following beacon was dropped: https://t.co/imJDQTGqxV Note the traffic to lartmana[.]com. This is an active CS Teams Server. 1/x— Cryptolaemus (@Cryptolaemus1) December 7, 2021Reducing the attack chain will allow the threat actors to rapidly move to the second stage of the attack, such as installing ransomware on the infected network.

Also note the strange fingerprint of 0. The full config observed here H/T: @TheHack3r4chan https://t.co/A95yCGN8yt What does this mean? This means the game has changed and Ivan has shortened the pipeline to exfil/Ransomware substantially. 2/x— Cryptolaemus (@Cryptolaemus1) December 7, 2021A Flash Alert shared by security firm Cofense with Bleeping Computer confirms the new technique used in the attacks.

“While the Cobalt Strike sample was running, it attempted to contact the domain lartmana[.]com. Shortly afterward, Emotet uninstalled the Cobalt Strike executable.” reads the alert.

This is a big deal. Typically Emotet dropped TrickBot or QakBot, which in turn dropped CobaltStrike. You’d usually have about a month between first infection and ransomware. With Emotet dropping CS directly, there’s likely to be a much much shorter delay. https://t.co/QHGU4oq9Zi— MalwareTech (@MalwareTechBlog) December 7, 2021Cofense researchers speculate the new attack chain might have been a test, or even unintentional, anyway the researchers will continue to monitor the evolution of the tactics for Emotet operators.

Early this year, law enforcement and judicial authorities worldwide conducted a joint operation, named Operation Ladybird, which disrupted the EMOTET botnet. At the time the investigators have taken control of its infrastructure in an international coordinated action. 

This operation was the result of a joint effort between authorities in the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine, with international activity coordinated by Europol and Eurojust.

The law enforcement agency was able to take over at least 700 servers used as part of the Emotet botnet’s infrastructure. The FBI collected millions of email addresses used by Emotet operators in their malware campaigns as part of the cleanup operation.

The Emotet banking trojan has been active at least since 2014, the botnet is operated by a threat actor tracked as TA542. The infamous banking trojan was also used to deliver other malicious code, such as Trickbot and QBot trojans, or ransomware such as Conti, ProLock, Ryuk, and Egregor.

In mid-November researchers from multiple cybersecurity firms ([Cryptolaemus], [GData], and [Advanced Intel]) reported that threat actors are using the TrickBot malware to drop an Emoted loader on infected devices. The experts tracked the campaign aimed at rebuilding the Emotet botnet using TrickBot’s infrastructure as Operation Reacharound.

Researchers from AdvIntel believe that the return will have a significant impact on the ransomware operations in the threat landscape, likely “the largest threat ecosystem shift in 2021” and beyond due to three reasons:

Emotet’s unmatched continuous loader capabilitiesThe correlation between these capabilities and the demanded of the contemporary cybercrime marketThe return of the TrickBot-Emotet-Ransomware triad resulted from the first two points.The Emotet botnet was resurrected by its former operator, who was convinced by the Conti ransomware gang. The shutdown of the Emotet operation resulted in the lack of high-quality initial access brokers.

Qbot and TrickBot used Emotet’s service to deploy multiple ransomware strains, including Conti, DoppelPaymer, Egregor, ProLock, Ryuk, and others).

The vacuum left by Emotet shutdown urged its resurgence, for this reason, its return will have a major impact on the threat landscape.

Follow me on Twitter: @securityaffairs and Facebook

try {
window._mNHandle.queue.push(function (){
window._mNDetails.loadTag(“816788371”, “300×250”, “816788371”);
});
}
catch (error) {}

try {
window._mNHandle.queue.push(function (){
window._mNDetails.loadTag(“816788371”, “300×250”, “816788371”);
});
}
catch (error) {}
Pierluigi Paganini

(SecurityAffairs – hacking, malware)

The post Emotet directly drops Cobalt Strike beacons without intermediate Trojans appeared first on Security Affairs.