Researchers tracking Emotet are warning that Emotet now installs Cobalt Strike directly onto infected systems.
“WARNING We have confirmed that #Emotet is dropping CS Beacons on E5 Bots and we have observed the following as of 10:00EST/15:00UTC. The following beacon was dropped: https://t.co/imJDQTGqxV Note the traffic to lartmana[.]com. This is an active CS Teams Server. 1/x”
Emotet is a banking trojan turned malware loader that spreads through spam emails containing malicious Word or Excel files. Previously, Emotet installed the TrickBot or Qbot trojans on infected systems, and those trojans in turn deployed Cobalt Strike on the compromised hosts. Now, however, Emotet deploys Cobalt Strike payloads directly onto infected systems.
Cobalt Strike is a legitimate penetration testing (pen test) toolkit whose “beacon” agents, once deployed on infected devices, are abused by attackers to carry out malicious activity. It is commonly seen in ransomware attacks.
“Emotet itself gathers a limited amount of information about an infected machine, but Cobalt Strike can be used to evaluate a broader network or domain, potentially looking for suitable victims for further infection such as ransomware.”
The main concern is the lost detection window. Previously, Emotet first deployed TrickBot or Qbot on compromised devices, which gave victims a chance to detect those payloads before Cobalt Strike arrived. Now those intermediate payloads are skipped, and Cobalt Strike gives the threat actors immediate access to the victim’s network. From there they can spread laterally, steal information, and deploy their ransomware.
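Because the intermediate TrickBot/Qbot stage no longer gives defenders an early warning, network telemetry becomes the practical place to catch the beacon. The following is an added example, not code from the report or from any of the researchers quoted above: it refangs the C2 domain published in the report (lartmana[.]com), sweeps a constructed DNS/proxy log for hosts resolving or connecting to that domain or any of its subdomains, and tallies which internal hosts should be triaged. The log line format, timestamps and internal IP addresses are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Indicator taken from the report above, in the defanged form it was published in.
DEFANGED_C2_DOMAINS = ["lartmana[.]com"]

# Assumed log format for this example: "<timestamp> <source-ip> <DNS|HTTP> <hostname>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<kind>DNS|HTTP) (?P<host>\S+)")


@dataclass
class Hit:
    ts: str
    src: str
    kind: str
    host: str
    indicator: str


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'lartmana[.]com' back into a matchable domain."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower().rstrip(".")


def domain_matches(host: str, indicator: str) -> bool:
    """Match the domain itself or any subdomain, but not lookalikes that merely end in the same letters."""
    host = host.lower().rstrip(".")
    return host == indicator or host.endswith("." + indicator)


def scan_log(lines, indicators=DEFANGED_C2_DOMAINS):
    """Return one Hit per log line whose hostname matches a known C2 domain."""
    refanged = [refang(i) for i in indicators]
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:  # skip malformed or unrelated lines rather than crashing the sweep
            continue
        for ind in refanged:
            if domain_matches(m["host"], ind):
                hits.append(Hit(m["ts"], m["src"], m["kind"], m["host"], ind))
    return hits


def hosts_to_triage(lines, indicators=DEFANGED_C2_DOMAINS):
    """Count matching events per internal source IP so responders know which hosts to isolate first."""
    counts = {}
    for hit in scan_log(lines, indicators):
        counts[hit.src] = counts.get(hit.src, 0) + 1
    return counts


# Constructed sample log: one host talks to the C2 domain and a subdomain of it,
# another host does normal traffic, and a lookalike domain must not be flagged.
SAMPLE_LOG = [
    "2021-12-07T15:02:11Z 10.0.5.23 DNS lartmana.com",
    "2021-12-07T15:02:12Z 10.0.5.23 HTTP cdn.lartmana.com",
    "2021-12-07T15:02:40Z 10.0.5.41 DNS update.microsoft.com",
    "2021-12-07T15:03:05Z 10.0.5.23 HTTP notlartmana.com",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit.ts} {hit.src} {hit.kind} {hit.host} -> matches {hit.indicator}")
    print("hosts to triage:", hosts_to_triage(SAMPLE_LOG))
```

The suffix check in `domain_matches` is the part worth copying: a naive `endswith("lartmana.com")` would also flag `notlartmana.com`, so the comparison requires either an exact match or a leading dot before the indicator. Feeding the real DNS or proxy export into `scan_log` only requires adjusting `LOG_RE` to that export's column layout.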