Chris Swagler | December 20th, 2021

Emotet Cobalt Strike

The notorious Emotet malware is again installing Cobalt Strike directly for rapid cyberattacks, just in time for the holidays. Emotet is one of the most widespread malware infections, distributed through phishing emails with malicious attachments. After infecting a device, Emotet typically steals the victim’s email for future campaigns and drops malware payloads such as TrickBot and Qbot. Now, however, instead of its regular payloads, Emotet is testing Cobalt Strike beacons on infected devices. Threat actors use Cobalt Strike, a legitimate penetration testing tool, to spread laterally through a company and deploy ransomware on its network. The test was short, and soon after, the threat actors returned to distributing their typical payloads.

According to researchers, the threat actors using Emotet suspended their phishing and spamming campaigns and haven’t engaged in recent activity. However, researchers issued a warning that the Emotet threat actors are installing Cobalt Strike beacons on already infected devices. They download the Cobalt Strike modules directly from their command-and-control (C2) server and then execute the modules on the infected devices. Emotet uses the installed Cobalt Strike beacons to spread laterally through the network, steal files, and deploy malware, giving immediate access to compromised networks. This access speeds up the attack delivery process and could lead to numerous breaches, especially at enterprises with limited staff to monitor for and respond to attacks.

The malware communicates with Emotet’s command-and-control servers using a fake ‘jquery-3.3.1.min.js’ file. Every time the malware checks in with the C2, it attempts to download the jQuery file, and new instructions are delivered by changing a variable within it. Most of the file is legitimate jQuery source code with minor content changes, so the traffic blends in with standard web requests, making it easier to bypass security software and avoid detection.
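As an added defensive illustration (not code from the original post or from SpearTip), the Python below compares a retrieved copy of a library file against a trusted reference and reports exactly which segments were edited. This is how a mostly legitimate jQuery file with minor changes can be flagged even though its filename and bulk content look normal. The reference and captured contents are short constructed stand-ins, not the real jQuery source; a real deployment would load the vendor’s jquery-3.3.1.min.js as the reference.

```python
import difflib
import hashlib

# Constructed stand-in for the legitimate library the beacon impersonates.
# Replace with the trusted vendor copy of jquery-3.3.1.min.js in practice.
REFERENCE_JS = (
    '/*! jQuery v3.3.1 | (c) JS Foundation and other contributors | jquery.org/license */\n'
    '!function(e,t){"use strict";var n=[],r=e.document;'
    'var cfg="stable";'
    'e.jQuery=e.$=n}(window);\n'
)

# Constructed sample of a fetched copy: identical except for one modified variable,
# mirroring the "legitimate code with minor content changes" pattern described above.
CAPTURED_JS = REFERENCE_JS.replace('var cfg="stable";', 'var cfg="0x7f3c";')


def sha256_hex(data: str) -> str:
    """Hash used for the fast exact-match path before any diffing."""
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def check_library(reference: str, captured: str, min_similarity: float = 0.9) -> dict:
    """Compare a fetched file against its trusted reference copy.

    'clean'      : byte-for-byte identical to the reference.
    'suspicious' : nearly identical (same library with small edits), the case
                   worth alerting on, since a benign CDN would serve an exact copy.
    'unrelated'  : wholly different content (e.g. a different file or a 404 page).
    The returned 'changes' list holds each edited segment, reference vs captured.
    """
    if sha256_hex(reference) == sha256_hex(captured):
        return {"verdict": "clean", "similarity": 1.0, "changes": []}
    matcher = difflib.SequenceMatcher(None, reference, captured, autojunk=False)
    ratio = matcher.ratio()
    changes = [
        {"reference": reference[i1:i2], "captured": captured[j1:j2]}
        for tag, i1, i2, j1, j2 in matcher.get_opcodes()
        if tag != "equal"
    ]
    verdict = "suspicious" if ratio >= min_similarity else "unrelated"
    return {"verdict": verdict, "similarity": round(ratio, 4), "changes": changes}


if __name__ == "__main__":
    result = check_library(REFERENCE_JS, CAPTURED_JS)
    print(result["verdict"], result["similarity"])
    for change in result["changes"]:
        print(f"  {change['reference']!r} -> {change['captured']!r}")
```

Feeding the function with bodies captured by a web proxy for requests to jquery-3.3.1.min.js turns a filename that would otherwise be ignored into a concrete integrity check.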

The rapid deployment of Cobalt Strike through Emotet is an important development that all Windows and network administrators and security professionals should watch closely. With more beacons being distributed to already infected devices, an increase in corporate breaches that eventually lead to ransomware attacks is anticipated right before or during the holidays. That’s why it’s important for companies to remain vigilant about the current threat landscape and regularly update their network’s security posture.

At SpearTip, we specialize in rapid incident response capabilities and handling security breaches with one of the fastest response times in the industry, so we can help companies reclaim their network and restore operations. Our certified engineers work 24/7 at our Security Operations Centers, monitoring your networks for potential threats like Emotet and quickly responding to incidents at a moment’s notice. Our ShadowSpear Platform, an unparalleled endpoint detection and response tool, is a valuable resource that optimizes visibility and enhances overall cyber posture, preventing cyber threats from impacting your company.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.