1 min read

Emotet Deploys Cobalt Strike Beacons Directly onto Targets with New Technique


December 09, 2021

Promo Protect all your devices, without slowing them down.
Free 30-day trial
Emotet Deploys Cobalt Strike Beacons Directly onto Targets with New Technique

Cybercriminals can now gain instant access to networks compromised by the infamous Emotet malware by installing Cobalt Strike beacons directly on infected machines, a security report revealed this week.

Emotet research group Cryptolaemus has confirmed that, instead of taking the regular route of dropping Cobalt Strike beacons through intermediate QakBot or TrickBot payloads, Emotet now deploys the beacons directly onto compromised devices.

In a typical attack, users would have a more generous timeframe of about a month between the initial infection and ransomware. However, with Emotet skipping the middleman, the delay is likely to be shorter or even non-existent.

Until now, Emotet would only deploy certain trojans onto the targeted devices, such as QBot or TrickBot, which would then let the cybercriminals drop Cobalt Strike beacons or carry out other harmful operations on the systems.

Emotet, deemed one of the most dangerous malware strains in the world, spreads mainly through spam emails, macro-enabled Word or Excel documents, and malicious scripts and links.

Even though Cobalt Strike has been historically used as a legitimate penetration testing solution, threat actors have been using cracked versions to deploy beacons on vulnerable devices for various malicious purposes, such as unauthorized remote network surveillance or to execute payloads.

Reportedly, the new technique used in these Emotet-driven attacks involves installing the Cobalt Strike beacons, attempting to contact a remote domain, then uninstalling the beacons.

It’s still unclear if the new attack chain observed earlier this week was intentional, but it might have been a test performed by Emotet for network surveillance.

Earlier this year, Operation Ladybird, a joint operation between authorities in Germany, the Netherlands, the UK, the US, Lithuania, France, Canada, and Ukraine, with the help of Eurojust and Europol for international activity, disrupted the Emotet botnet.

As a result, more than 700 servers that were part of Emotet’s infrastructure were seized, and the FBI managed to collect millions of Emotet operator email addresses. Furthermore, the FBI offered millions of passwords to HIBP (Have I Been Pwned) to help alert afflicted users and companies.




Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.

View all posts

You might also like