Emotet Needs No Intermediate Trojan, Drops Cobalt Strike Beacons Directly

What is Emotet?

Emotet is a Trojan horse that is disseminated mostly through spam emails (malspam). Infection typically comes via malicious scripts, macro-enabled document files, or malicious links. Emotet emails may use familiar branding so that they appear genuine.

Emotet is malware that was originally designed as a banking Trojan: its purpose was to gain access to victims' devices and steal private information. Emotet is known for evading basic antivirus applications.

Why is Emotet in the news?

The infamous Emotet malware, like Arnold Schwarzenegger's Terminator, is back, infecting computers all over the world and putting businesses at risk of ransomware attacks. Its infrastructure has grown dramatically, and analysts predict that the malware will be one of the most significant changes in the security landscape in 2021. A worrying development in Emotet's life has been seen recently.

Check Point researchers recently reported seeing Emotet samples being dropped on systems that had previously been infected with Trickbot, a banking Trojan turned malware downloader. The new Emotet malware first appeared on Nov. 15, roughly ten months after law enforcement authorities shut down the botnet's infrastructure in a multi-country operation.

The volume of Emotet malware observed by Check Point has increased daily since Nov. 15 and is currently at least half of what it was before the January 2021 takedown. The infection spreads both through Trickbot and through malicious spam messages sent from infected systems to other computers around the world. The spam emails aim to persuade recipients to open a password-protected zip file containing malicious documents which, when opened, infect the computer with Emotet.
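The delivery chain above (a password-protected ZIP attachment wrapping a macro-enabled document) can be flagged from ZIP metadata alone, without the password from the email body, because the encryption bit lives in the unencrypted central directory. The script below is an added example written for this article, not code from the original page or from any of the vendors it cites; the list of macro-capable extensions is an illustrative assumption, and the sample archives are constructed in memory so it runs offline.

```python
"""Triage an e-mail attachment for the lure described above: a
password-protected ZIP that wraps a macro-enabled Office document.
Added example, not code from the original article."""
import io
import struct
import zipfile

# Assumed, illustrative list of extensions that can carry VBA macros or
# legacy OLE documents; tune it to the lures seen in your own mail flow.
MACRO_CAPABLE = {".doc", ".docm", ".dot", ".dotm", ".xls", ".xlsm", ".xlsb", ".xlam"}

ENCRYPTED_FLAG = 0x1  # bit 0 of the ZIP general-purpose flag: entry is encrypted


def triage_zip(data: bytes) -> dict:
    """Return indicators found in a ZIP blob without extracting anything.

    Only central-directory metadata is read, so an encrypted archive can be
    inspected even though the password is unknown."""
    findings = {"encrypted_members": [], "macro_capable_members": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.flag_bits & ENCRYPTED_FLAG:
                findings["encrypted_members"].append(info.filename)
            name = info.filename.lower()
            if any(name.endswith(ext) for ext in MACRO_CAPABLE):
                findings["macro_capable_members"].append(info.filename)
    if findings["encrypted_members"] and findings["macro_capable_members"]:
        findings["verdict"] = "suspicious"   # both Emotet indicators present
    elif findings["encrypted_members"] or findings["macro_capable_members"]:
        findings["verdict"] = "review"       # one indicator, hand to an analyst
    else:
        findings["verdict"] = "clean"
    return findings


def build_sample_zip(member_name: str, encrypted: bool) -> bytes:
    """Construct a test archive in memory (constructed sample, not a real lure).

    zipfile cannot write encrypted entries, so for the encrypted case the
    general-purpose flag bit is patched in both the local file header
    (offset 6 after 'PK\\x03\\x04') and the central directory entry
    (offset 8 after 'PK\\x01\\x02'). The payload is dummy bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member_name, b"dummy payload, not a real document")
    data = bytearray(buf.getvalue())
    if encrypted:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            idx = data.find(sig)
            (flags,) = struct.unpack_from("<H", data, idx + off)
            struct.pack_into("<H", data, idx + off, flags | ENCRYPTED_FLAG)
    return bytes(data)


if __name__ == "__main__":
    for name, enc in (("invoice.docm", True), ("report.doc", False), ("notes.txt", False)):
        print(name, "encrypted" if enc else "plain", "->", triage_zip(build_sample_zip(name, enc)))
```

Because no member is ever opened, the check is safe to run in a mail gateway or SOAR playbook on untrusted attachments; it only parses headers. Real lures also rename the document inside the archive, so pair the extension check with content-type sniffing once the analyst has the password.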

Previously, Emotet would install either TrickBot or Qbot on infected devices, and those trojans would in turn install Cobalt Strike. Emotet has now changed its strategy: it skips the intermediate malware payload and installs Cobalt Strike beacons directly on compromised systems.

What is the significance of Emotet?

Because of how closely it was linked to ransomware assaults before the January takedown, the malware’s reappearance is concerning for businesses. Emotet is a malicious programme that harvests email addresses, steals credentials, distributes spam, allows lateral movement, downloads other malware (including Trickbot), and performs other dangerous actions.

Because the intermediate TrickBot or Qbot payload is skipped, attackers gain access to a network much faster: they can move laterally, deploy ransomware quickly, and steal data. The faster deployment of Cobalt Strike is expected to accelerate ransomware attacks, particularly by the Conti ransomware gang, which reportedly persuaded Emotet's operators to resume their operations. In a flash notice, Cofense researchers theorised that the new attack chain could be a test, or possibly inadvertent.

Before being taken offline in January, the operators' business model was to infect networks and then sell that network access to other threat actors, most notably ransomware operators, according to Lotem Finkelstein, Check Point's head of threat intelligence. Check Point is the latest security company to warn about Emotet's reappearance; Deep Instinct reported on the malware's return last month and evaluated some of its changes, including new download and evasion tactics.

Emotet has been resurrected

GData, Advanced Intel, and Cryptolaemus researchers discovered new alterations in the newest Emotet variant dropped by TrickBot.

The new version offers multiple execution options, as well as a revised command buffer with seven commands.

Emotet was also recently observed spreading on Windows 10 and 11 via malicious Windows App Installer packages. That campaign made use of stolen reply-chain emails, which appeared to be replies to earlier conversations.

The effectiveness of Emotet's partnership with the people behind Trickbot, a highly modular malware family that began as a banking Trojan in 2016 but is now widely used to distribute other malware, is also a testament to the success of Emotet's reappearance. In October 2020, law enforcement agencies attempted to disrupt the Trickbot operation in a large operation, but it continues to operate as before. Check Point found that Trickbot was the most widespread malware in May, June, and October of this year, infecting over 140,000 systems globally in the previous 11 months.
