Emotet now drops Cobalt Strike, fast forwards ransomware attacks
SonicWall ‘strongly urges’ customers to patch critical SMA 100 bugs
Grafana fixes zero-day vulnerability after exploits spread over Twitter
Microsoft starts rolling out redesigned Notepad for Windows 11
Amazon is shutting down web ranking site Alexa.com
New Windows 11 Voice Access lets you control the OS with your voice
Windows 11 can now install WSL from the Microsoft Store
Microsoft: Secured-core servers help prevent ransomware attacks
Qualys BrowserCheck
Junkware Removal Tool
How to remove the PBlock+ adware browser extension
Remove the Toksearches.xyz Search Redirect
Remove the Smashapps.net Search Redirect
Remove the Smashappsearch.com Search Redirect
Remove Security Tool and SecurityTool (Uninstall Guide)
How to remove Antivirus 2009 (Uninstall Instructions)
How to Remove WinFixer / Virtumonde / Msevents / Trojan.vundo
How to remove Google Redirects or the TDSS, TDL3, or Alureon rootkit using TDSSKiller
Locky Ransomware Information, Help Guide, and FAQ
CryptoLocker Ransomware Information Guide and FAQ
CryptorBit and HowDecrypt Information Guide and FAQ
CryptoDefense and How_Decrypt Ransomware Information Guide and FAQ
How to make the Start menu full screen in Windows 10
How to install the Microsoft Visual C++ 2015 Runtime
How to open an elevated PowerShell Admin prompt in Windows 10
How to Translate a Web Page in Google Chrome
How to start Windows in Safe Mode
How to remove a Trojan, Virus, Worm, or other Malware
How to show hidden files in Windows 7
How to see hidden files in Windows
IT Certification Courses
Gear + Gadgets
In a concerning development, the notorious Emotet malware now installs Cobalt Strike beacons directly, giving immediate network access to threat actors and making ransomware attacks imminent.
Emotet is a malware infection that spreads through spam emails containing malicious Word or Excel documents. These documents utilize macros to download and install the Emotet Trojan on a victim’s computer, which is then used to steal email and deploy further malware on the device.
Historically, Emotet would install the TrickBot or Qbot trojans on infected devices. These Trojans would eventually deploy Cobalt Strike on an infected device or perform other malicious behavior.
Cobalt Strike is a legitimate penetration testing toolkit that allows attackers to deploy “beacons” on compromised devices to perform remote network surveillance or execute further commands.
However, Cobalt Strike is very popular among threat actors who use cracked versions as part of their network breaches and is commonly used in ransomware attacks.
Today, Emotet research group Cryptolaemus warned that Emotet is now skipping their primary malware payload of TrickBot or Qbot and directly installing Cobalt Strike beacons on infected devices.
WARNING  We have confirmed that #Emotet is dropping CS Beacons on E5 Bots and we have observed the following as of 10:00EST/15:00UTC. The following beacon was dropped: https://t.co/imJDQTGqxV Note the traffic to lartmana[.]com. This is an active CS Teams Server. 1/x
A Flash Alert shared with BleepingComputer by email security firm Cofense explained that a limited number of Emotet infections installed Cobalt Strike, attempted to contact a remote domain, and then was uninstalled.
“Today, some infected computers received a command to install Cobalt Strike, a popular post-exploitation tool,” warns the Cofense Flash Alert.
“Emotet itself gathers a limited amount of information about an infected machine, but Cobalt Strike can be used to evaluate a broader network or domain, potentially looking for suitable victims for further infection such as ransomware.”
“While the Cobalt Strike sample was running, it attempted to contact the domain lartmana[.]com. Shortly afterward, Emotet uninstalled the Cobalt Strike executable.”
This is a significant change in tactics as after Emotet installed its primary payload of TrickBot or Qbot, victims typically had some time to detect the infection before Cobalt Strike was deployed.
Now that these initial malware payloads are skipped, threat actors will have immediate access to a network to spread laterally, steal data, and quickly deploy ransomware.
“This is a big deal. Typically Emotet dropped TrickBot or QakBot, which in turn dropped CobaltStrike. You’d usually have about a month between first infection and ransomware. With Emotet dropping CS directly, there’s likely to be a much much shorter delay,” security researcher Marcus Hutchins tweeted about the development.
This rapid deployment of Cobalt Strike will likely speed up ransomware deployment on compromised networks. This is especially true for the Conti ransomware gang who convinced the Emotet operators to relaunch after they were shut down by law enforcement in January.
Cofense says that it is unclear if this is a test, being used by Emotet for their own network surveillance, or is part of an attack chain for other malware families that partner with the botnet.
“We don’t know yet whether the Emotet operators intend to gather data for their own use, or if this is part of an attack chain belonging to one of the other malware families. Considering the quick removal, it might have been a test, or even unintentional.” – Cofense.
Researchers will closely monitor this new development, and as further information becomes available, we will update this article.
Microsoft Defender scares admins with Emotet false positives
Hackers target biomanufacturing with stealthy Tardigrade malware
Malware now trying to exploit new Windows Installer zero-day
Emotet botnet comeback orchestrated by Conti ransomware gang
Here are the new Emotet spam campaigns hitting mailboxes worldwide
Not a member yet? Register Now
Google disrupts massive Glupteba botnet, sues Russian operators
Grafana fixes zero-day vulnerability after exploits spread over Twitter
To receive periodic updates and news from BleepingComputer, please use the form below.
Terms of Use Privacy PolicyEthics Statement
Copyright @ 2003 – 2021 Bleeping Computer® LLC – All Rights Reserved
Not a member yet? Register Now
Read our posting guidelinese to learn what content is prohibited.


You May Also Like

FTC shares ransomware defense tips for small US businesses

AMD fixes dozens of Windows 10 graphics driver security bugsVoid Balaur hackers-for-hire…

Malicious KMSPico installers steal your cryptocurrency wallets

Microsoft offers 50% subscription discounts to Office piratesRussian hacking group uses new…

STOP Ransomware vaccine released to block encryption

Grafana fixes zero-day vulnerability after exploits spread over TwitterGoogle disrupts massive Glupteba…

Russian ransomware gangs start collaborating with Chinese hackers

US, UK warn of Iranian hackers exploiting Microsoft Exchange, FortinetRussian ransomware gangs…