
Emotet Deploys Cobalt Strike Beacons Directly onto Targets with New Technique

Vlad CONSTANTINESCU

December 09, 2021


Cybercriminals can now gain instant access to networks compromised by the infamous Emotet malware by installing Cobalt Strike beacons directly on infected machines, a security report revealed this week.

Emotet research group Cryptolaemus has confirmed that, instead of taking the regular route of dropping Cobalt Strike beacons through intermediate QakBot or TrickBot payloads, Emotet now deploys the beacons directly onto compromised devices.

In a typical attack, defenders have had a window of roughly a month between the initial infection and the deployment of ransomware. With Emotet skipping the intermediate payload, that delay is likely to be much shorter or to disappear altogether.

Until now, Emotet would only drop secondary trojans such as QakBot or TrickBot onto targeted devices; those trojans would then be used to deploy Cobalt Strike beacons or carry out other malicious activity on the compromised systems.

Emotet, deemed one of the most dangerous malware strains in the world, spreads mainly through spam emails, macro-enabled Word or Excel documents, and malicious scripts and links.

Although Cobalt Strike is a legitimate, commercially licensed adversary-simulation and penetration-testing tool, threat actors have long used cracked copies to deploy beacons on compromised devices for purposes such as unauthorized network reconnaissance and remote payload execution.

Reportedly, the new behavior observed in these Emotet-driven attacks consists of installing a Cobalt Strike beacon, having it attempt to contact a remote domain, and then uninstalling it again.

It is still unclear whether the attack chain observed earlier this week was a deliberate change, but it may have been a test run by Emotet's operators to survey the networks they have compromised.

Earlier this year, Operation Ladybird, a joint law-enforcement action by authorities in Germany, the Netherlands, the UK, the US, Lithuania, France, Canada, and Ukraine, coordinated internationally by Europol and Eurojust, disrupted the Emotet botnet.

As a result, more than 700 servers belonging to Emotet's infrastructure were seized. The FBI also collected millions of email addresses that Emotet had harvested from its victims and shared them, along with associated passwords, with HIBP (Have I Been Pwned) so that affected users and organizations could be notified.
