The infamous Emotet virus is once again immediately installing itself, just in time for the holidays. For those unfamiliar with Emotet, it is one of the most common malware infestations, and it is propagated through phishing emails with harmful attachments. Once a device has been infected, Emotet has a history of stealing a victim’s email address to use in future campaigns and then dropping malware payloads like TrickBot and Qbot.
Threat actors often employ Cobalt Strike, a genuine pentesting tool, to spread laterally within an enterprise and finally distribute ransomware on a network. The threat actors quickly resumed their normal payload distribution after this brief test.
The Emotet threat actors halted their phishing activities last week, and experts have detected no more action from the organization since then. Cryptolaemus Emotet group’s Joseph Roosen said, “Spamming stopped last week on Thursday, and since then, they have been quiet with very little of ANYTHING going on until today.”
Meanwhile, Cryptolaemus is now advising that threat actors have started deploying Cobalt Strike beacons on devices infected by Emotet again as of today. Roosen revealed that Emotet is now downloading Cobalt Strike modules straight from its command and control server and running them on the compromised device.
Threat actors that employ Cobalt Strike beacons to propagate laterally through a network, steal files, and deliver malware will have quick access to infiltrated networks due to Emotet’s direct installation of them. Because enterprises now have limited staff to track for and respond to attacks, this access will speed up the deployment of attacks, and because it is before the holiday season, it could lead to a slew of breaches.
According to a public copy of the Cobalt Strike Beacon, the malware will interact with the attacker’s command and control servers using a fake ‘jquery-3.3.1.min.js’ file. The infection will attempt to download the jQuery file each time it connects with the C2, which will have a variable altered with new instructions each time, as indicated by the highlighted text in the figure below.
Because the majority of the file is valid jQuery source code with minor changes, it blends in with legitimate traffic and makes it simpler to get beyond security measures. The quick distribution of Cobalt Strike via Emotet is a critical development that all Windows and network administrators and security experts should know.
It is expected that, as a result of the increased dissemination of beacons to previously infected devices, we will witness a rise in corporate breaches and, eventually, ransomware operations immediately before or around the holidays.
