The notorious Emotet malware is now directly installing Cobalt Strike beacons for rapid cyberattacks, rather than dropping an intermediate payload first.
Attackers use Cobalt Strike, a legitimate penetration testing tool, to spread laterally through a victim organization and deploy ransomware on its network. Earlier this month, the Emotet operators briefly tested installing Cobalt Strike beacons instead of their conventional payloads on infected devices. The test was short-lived, and the attackers soon returned to distributing their usual payloads.
According to researchers, the attackers behind Emotet have since suspended their phishing and spam campaigns and have been quiet. However, researchers believe the operators are installing Cobalt Strike beacons on already compromised devices: the beacon modules are fetched straight from the command-and-control (C2) server and then executed on the infected hosts.
Installing Cobalt Strike directly eliminates the time between initial infection and subsequent installation of the pen testing tool, giving victims less time to detect and mitigate the infection prior to the execution of ransomware.
In a sample of the Cobalt Strike beacon shared with BleepingComputer, the malware communicates with the attackers’ command and control servers via a fake ‘jquery-3.3.1.min.js’ file. Each time it checks in with the C2, it attempts to download this jQuery file, in which a variable has been modified to carry new instructions.
As most of the file is valid jQuery source code and only a small portion is altered, the traffic blends in with legitimate web requests and is harder for security software to spot. The rapid deployment of Cobalt Strike via Emotet is a significant development that all Windows and network administrators, as well as security specialists, should note.
In previous attacks, defenders had more time to spot the presence of Emotet, TrickBot, or QakBot and remediate before the ransomware infection took place. Now the timeline is compressed, and the chances of identifying and removing Emotet or the Cobalt Strike beacon before ransomware is deployed are much lower.
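As an added detection example (not code from the report or from any vendor it cites), the following Python script runs over constructed proxy-style records and flags a host that serves a file named jquery-3.3.1.min.js either from outside an expected CDN allow-list or with a body that changes between fetches, then isolates the altered segment against a known-good baseline. The baseline string, the host allow-list and the log records are all constructed assumptions for illustration.

```python
import difflib
import hashlib
from collections import defaultdict

# Constructed stand-in for the legitimate library (not real jQuery source).
BASE_JQUERY = '/*! jQuery v3.3.1 */!function(e,t){...}(window);'

# Constructed proxy-style records: (server host, request URI, response body).
# The last two mimic a C2 serving a mostly-valid copy with one variable
# swapped for new instructions on every fetch.
RECORDS = [
    ("code.jquery.com", "/jquery-3.3.1.min.js", BASE_JQUERY),
    ("code.jquery.com", "/jquery-3.3.1.min.js", BASE_JQUERY),
    ("203.0.113.10", "/jquery-3.3.1.min.js", BASE_JQUERY.replace("...", 'var a="task1"')),
    ("203.0.113.10", "/jquery-3.3.1.min.js", BASE_JQUERY.replace("...", 'var a="task2"')),
]

# Hypothetical allow-list of hosts from which this library is expected.
ALLOWED_HOSTS = {"code.jquery.com", "ajax.googleapis.com", "cdnjs.cloudflare.com"}


def body_hash(body):
    return hashlib.sha256(body.encode()).hexdigest()


def find_suspicious(records, allowed=ALLOWED_HOSTS):
    """Flag hosts serving jquery-3.3.1.min.js from outside the allow-list or
    with a body that changes between fetches (a static library should not)."""
    hashes_by_source = defaultdict(set)
    for host, uri, body in records:
        if uri.endswith("jquery-3.3.1.min.js"):
            hashes_by_source[(host, uri)].add(body_hash(body))
    findings = {}
    for (host, _uri), hashes in hashes_by_source.items():
        reasons = []
        if host not in allowed:
            reasons.append("non-CDN host")
        if len(hashes) > 1:
            reasons.append("content varies across fetches")
        if reasons:
            findings[host] = reasons
    return findings


def changed_segments(baseline, fetched):
    """Return (original, replacement) pairs where the fetched file departs
    from the known-good baseline, isolating the region carrying instructions."""
    matcher = difflib.SequenceMatcher(None, baseline, fetched)
    return [(baseline[i1:i2], fetched[j1:j2])
            for tag, i1, i2, j1, j2 in matcher.get_opcodes() if tag != "equal"]
```

In practice the records would come from a proxy or Zeek files.log that records the SHA-256 of HTTP response bodies, and the baseline from a copy of the library fetched from a trusted CDN.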
“The old Emotet also used a multilayer communication protocol for all communication performed by the infected victim and the C2. However, the old protocol required the loader to also enumerate the victim’s process list, which was sent to the C2 during check-in. New Emotet strips out this process checking functionality from initial check-in and places it into a new module focused on process list checking,” researchers at Intel 471 stated.