The researchers warn that Emotet now installs Cobalt Strike beacons directly on infected systems, giving attackers immediate access to the network. Attackers can use that access for lateral movement, which greatly facilitates extortion attacks.
Let me remind you that Emotet usually installs TrickBot or Qbot malware on victims' machines, and it is that second-stage malware which then deploys Cobalt Strike and performs other malicious actions. Now the Cryptolaemus research group has warned that Emotet skips the TrickBot or Qbot stage and installs Cobalt Strike beacons directly on infected devices.
Cryptolaemus is a group of more than 20 information security specialists from all over the world who joined forces back in 2018 for a common goal – to fight the Emotet malware.
This information was confirmed to the journalists of Bleeping Computer by the specialists of the information security company Cofense.
While Cobalt Strike was trying to contact the lartmana[.]com domain, and shortly thereafter, Emotet was deleting the Cobalt Strike executable.”
In practice, this means that attackers now have immediate access to the network for lateral movement, data theft and rapid ransomware deployment. The rapid deployment of Cobalt Strike is also expected to speed up ransomware deployment on compromised networks.
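The behaviour described above (an executable dropped by Emotet, a beacon check-in to the quoted domain, and the dropper deleting the executable shortly afterwards) is a sequence a defender can look for in endpoint telemetry. The following detection logic is an added example written for this page, not code from Cryptolaemus, Cofense or Bleeping Computer. It runs over constructed sample events whose field names (`ts`, `type`, `proc`, `path`, `domain`) are an assumption about what an EDR exports; the only value taken from the page is the defanged domain lartmana[.]com. The rule generalizes slightly beyond the text: it flags any dropped executable that makes a DNS query and is removed by its dropper within a short window, and raises the severity when the domain matches a known indicator.

```python
from datetime import datetime, timedelta

# Domain quoted in the report (defanged there as lartmana[.]com), refanged for matching.
IOC_DOMAINS = {"lartmana.com"}

# Constructed endpoint telemetry, not real logs. The field names are an assumption
# about what an EDR exports; adapt them to your own schema.
SAMPLE_EVENTS = [
    {"ts": "2021-12-07T10:00:00", "type": "file_create", "proc": "emotet.exe",
     "path": r"C:\Users\u\AppData\Local\Temp\beacon.exe"},
    {"ts": "2021-12-07T10:00:05", "type": "process_start", "proc": "beacon.exe",
     "path": r"C:\Users\u\AppData\Local\Temp\beacon.exe", "parent": "emotet.exe"},
    {"ts": "2021-12-07T10:00:08", "type": "dns_query", "proc": "beacon.exe",
     "path": r"C:\Users\u\AppData\Local\Temp\beacon.exe", "domain": "lartmana.com"},
    {"ts": "2021-12-07T10:00:40", "type": "file_delete", "proc": "emotet.exe",
     "path": r"C:\Users\u\AppData\Local\Temp\beacon.exe"},
    # Benign: an installer drops a helper, it checks for updates, and it is cleaned up hours later.
    {"ts": "2021-12-07T11:00:00", "type": "file_create", "proc": "setup.exe",
     "path": r"C:\Users\u\AppData\Local\Temp\helper.exe"},
    {"ts": "2021-12-07T11:00:03", "type": "dns_query", "proc": "helper.exe",
     "path": r"C:\Users\u\AppData\Local\Temp\helper.exe", "domain": "updates.example.com"},
    {"ts": "2021-12-07T13:00:00", "type": "file_delete", "proc": "setup.exe",
     "path": r"C:\Users\u\AppData\Local\Temp\helper.exe"},
    # Benign: browser traffic with no dropped executable involved.
    {"ts": "2021-12-07T10:00:09", "type": "dns_query", "proc": "chrome.exe",
     "path": r"C:\Program Files\Google\Chrome\chrome.exe", "domain": "www.example.org"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect_drop_contact_delete(events, ioc_domains=IOC_DOMAINS, window=timedelta(minutes=5)):
    """Flag executables that are dropped, make an outbound DNS query, and are deleted
    by the same dropper within `window`. Severity is "high" when the queried domain is
    a known IoC and "medium" when only the short-lived drop/contact/delete shape matches."""
    dropped = {}    # path -> (create time, dropper process)
    contacted = {}  # path -> (query time, first domain queried)
    findings = []
    for e in sorted(events, key=_ts):
        path = e["path"].lower()
        if e["type"] == "file_create" and path.endswith(".exe"):
            dropped[path] = (_ts(e), e["proc"])
        elif e["type"] == "dns_query" and path in dropped and path not in contacted:
            contacted[path] = (_ts(e), e["domain"].lower())
        elif e["type"] == "file_delete" and path in contacted:
            created, dropper = dropped.pop(path)
            _, domain = contacted.pop(path)
            lifetime = _ts(e) - created
            if e["proc"] == dropper and lifetime <= window:
                findings.append({
                    "path": e["path"], "dropper": dropper, "domain": domain,
                    "lifetime_s": int(lifetime.total_seconds()),
                    "severity": "high" if domain in ioc_domains else "medium",
                })
    return findings


if __name__ == "__main__":
    for finding in detect_drop_contact_delete(SAMPLE_EVENTS):
        print(finding)
```

On the sample data the rule produces one high-severity finding for beacon.exe (dropped by emotet.exe, 40 seconds of lifetime, contact to lartmana.com) and ignores the installer helper, whose lifetime is two hours. The domain list is what ages fastest; the drop/contact/delete shape is the part worth keeping when the indicator changes.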
Cofense experts, in turn, report that it is not yet clear whether this is a test by the Emotet operators themselves or part of an attack chain run by another malware operation that cooperates with the botnet.
Let me remind you that I also reported that the Emotet Trojan is trying to spread through available Wi-Fi networks.