In a worrying shift, the well-known Emotet malware now installs Cobalt Strike beacons directly on infected hosts, giving threat actors immediate network access and making follow-on ransomware attacks more likely. Previously, Emotet would drop the TrickBot or Qbot trojans on infected devices, and those trojans would in turn install Cobalt Strike or carry out other malicious actions on the affected machine.
Cobalt Strike is a legitimate, commercially licensed penetration testing toolkit that lets an operator deploy “beacons” on compromised hosts to perform remote reconnaissance of the network and execute commands. Threat actors using pirated copies of Cobalt Strike have adopted it widely in their intrusions, however, and it is used extensively in ransomware attacks.
Cryptolaemus, a research group that tracks Emotet, has reported that Emotet is now installing Cobalt Strike beacons directly on affected devices instead of its usual TrickBot or Qbot payload. According to a Flash Alert issued by email security firm Cofense, a small number of Emotet infections installed Cobalt Strike, which attempted to contact a remote domain and was then removed. The Flash Alert states:
“Emotet itself gathers a limited amount of information about an infected machine, but Cobalt Strike can be used to evaluate a broader network or domain, potentially looking for suitable victims for further infection such as ransomware.”
“While the Cobalt Strike sample was running, it attempted to contact the domain lartmana[.]com. Shortly afterward, Emotet uninstalled the Cobalt Strike executable.”
This is a significant change in tactics. Until now, defenders often had some time to notice the infection between Emotet dropping its primary TrickBot or Qbot payload and Cobalt Strike being deployed. With that intermediate stage skipped, threat actors gain rapid access to a network to move laterally, steal data, and deploy ransomware quickly.
The faster deployment of Cobalt Strike will almost certainly accelerate the spread of ransomware on infected networks. This applies in particular to the Conti ransomware group, which is believed to have persuaded the Emotet operators to relaunch the botnet after it was taken down by law enforcement in January 2021.
According to Cofense, it is not yet known whether this is a test or part of an attack chain for other malware families that operate with the botnet. Researchers will continue to monitor this new development closely.
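The behaviour described above (a Cobalt Strike executable appears, contacts lartmana[.]com, and is removed shortly afterwards) leaves a narrow window, so a hunt has to look for the indicator and for the short-lived executable together. The script below is an added example, not code from the article or from Cofense or Cryptolaemus: it refangs the published domain, scans constructed DNS log lines for queries to it, pairs process-create and file-delete events for the same image on the same host, and reports hosts that match both. The log format, the event shape (loosely modelled on Sysmon event IDs 1 and 23), the hostnames, paths, timestamps and the ten-minute lifetime threshold are all assumptions made for the example.

```python
"""
Added hunt example (not from the original article or the Cofense alert):
correlate DNS contacts to the published Emotet/Cobalt Strike indicator with
executables that are created and deleted within a short window.
"""
import re
from datetime import datetime, timedelta

# Indicator as published in the Cofense Flash Alert, in defanged form.
IOC_DEFANGED = "lartmana[.]com"


def refang(indicator: str) -> str:
    """Turn a defanged indicator (lartmana[.]com, hxxp://) into a usable string."""
    return (indicator.replace("[.]", ".")
                     .replace("(.)", ".")
                     .replace("hxxps://", "https://")
                     .replace("hxxp://", "http://"))


# Constructed DNS log lines for the example (assumed format:
# "<ISO timestamp> <hostname> query <queried name>").
SAMPLE_DNS_LOG = """\
2021-12-07T10:12:03 ws-0412 query update.microsoft.com
2021-12-07T10:14:21 ws-0412 query lartmana.com
2021-12-07T10:14:22 ws-0412 query cdn.lartmana.com
2021-12-07T10:15:40 ws-0777 query example.org
"""

DNS_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+query\s+(?P<name>\S+)$")


def matches_ioc(name: str, ioc: str) -> bool:
    """True if the queried name is the IOC domain itself or one of its subdomains."""
    name = name.rstrip(".").lower()
    ioc = ioc.lower()
    return name == ioc or name.endswith("." + ioc)


def find_ioc_contacts(log_text: str, ioc_defanged: str = IOC_DEFANGED):
    """Return (timestamp, host, queried name) for every line that hits the IOC."""
    ioc = refang(ioc_defanged)
    hits = []
    for line in log_text.splitlines():
        m = DNS_LINE.match(line)
        if m and matches_ioc(m["name"], ioc):
            hits.append((m["ts"], m["host"], m["name"]))
    return hits


# Constructed endpoint events (assumed minimal shape; event 1 = process
# create, event 23 = file delete, loosely following Sysmon's numbering).
SAMPLE_ENDPOINT_EVENTS = [
    {"ts": "2021-12-07T10:14:19", "host": "ws-0412", "event": 1,
     "image": r"C:\Users\alice\AppData\Local\Temp\svc.exe"},
    {"ts": "2021-12-07T10:16:02", "host": "ws-0412", "event": 23,
     "image": r"C:\Users\alice\AppData\Local\Temp\svc.exe"},
    {"ts": "2021-12-07T09:00:00", "host": "ws-0777", "event": 1,
     "image": r"C:\Program Files\App\app.exe"},
]


def short_lived_executables(events, max_lifetime=timedelta(minutes=10)):
    """Pair each process create with a later delete of the same image on the
    same host and return (host, image, lifetime) for those removed within
    max_lifetime. Unmatched creates are ignored."""
    started = {}
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev["image"].lower())
        t = datetime.fromisoformat(ev["ts"])
        if ev["event"] == 1:
            started[key] = t
        elif ev["event"] == 23 and key in started:
            lifetime = t - started.pop(key)
            if lifetime <= max_lifetime:
                findings.append((ev["host"], ev["image"], lifetime))
    return findings


def hosts_to_triage(dns_log=SAMPLE_DNS_LOG, events=SAMPLE_ENDPOINT_EVENTS):
    """Hosts that both contacted the IOC and ran a short-lived executable."""
    dns_hosts = {host for _, host, _ in find_ioc_contacts(dns_log)}
    exe_hosts = {host for host, _, _ in short_lived_executables(events)}
    return dns_hosts & exe_hosts


if __name__ == "__main__":
    for hit in find_ioc_contacts(SAMPLE_DNS_LOG):
        print("IOC contact:", *hit)
    for host, image, lifetime in short_lived_executables(SAMPLE_ENDPOINT_EVENTS):
        print(f"short-lived executable on {host}: {image} (lived {lifetime})")
    print("hosts to triage:", sorted(hosts_to_triage()))
```

Matching on subdomains as well as the bare domain matters because beacon traffic is often configured against a host under the indicator domain rather than the apex; the deletion pairing is the part that survives even if the operators rotate the domain, since the short-lived-executable pattern is what the article describes.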