
Emotet Deploys Cobalt Strike Beacons Directly onto Targets with New Technique

Vlad CONSTANTINESCU

December 09, 2021


Cybercriminals can now gain instant access to networks compromised by the infamous Emotet malware by installing Cobalt Strike beacons directly on infected machines, a security report revealed this week.

Emotet research group Cryptolaemus has confirmed that, instead of taking the regular route of dropping Cobalt Strike beacons through intermediate QakBot or TrickBot payloads, Emotet now deploys the beacons directly onto compromised devices.

In a typical attack, defenders would have a more generous window of about a month between the initial infection and the ransomware deployment. However, with Emotet skipping the middleman, that delay is likely to be shorter or even non-existent.

Until now, Emotet would only deploy certain trojans onto the targeted devices, such as QBot or TrickBot, which would then let the cybercriminals drop Cobalt Strike beacons or carry out other harmful operations on the systems.

Emotet, deemed one of the most dangerous malware strains in the world, spreads mainly through spam emails, macro-enabled Word or Excel documents, and malicious scripts and links.

Even though Cobalt Strike has historically been used as a legitimate penetration testing solution, threat actors have been using cracked versions to deploy beacons on vulnerable devices for various malicious purposes, such as unauthorized remote network surveillance or payload execution.

Reportedly, the new technique used in these Emotet-driven attacks involves installing the Cobalt Strike beacons, attempting to contact a remote domain, then uninstalling the beacons.

It’s still unclear whether the new attack chain observed earlier this week was intentional, but it might have been a test performed by Emotet’s operators for network surveillance.

Earlier this year, Operation Ladybird, a joint operation between authorities in Germany, the Netherlands, the UK, the US, Lithuania, France, Canada, and Ukraine, with Eurojust and Europol coordinating the international activity, disrupted the Emotet botnet.

As a result, more than 700 servers that were part of Emotet’s infrastructure were seized, and the FBI managed to collect millions of Emotet operator email addresses. Furthermore, the FBI provided millions of passwords to HIBP (Have I Been Pwned) to help alert affected users and companies.
