Mid-November 2021 saw the Emotet botnet resurface and was widely reported. The botnet had been taken down by law enforcement agencies in January 2021 and had been inactive since then.
In the latest update, it has been reported that Emotet is using the Cobalt Strike pentesting tool to launch its ransomware attacks.
Threat actors leveraging Emotet were known to use TrickBot to send spam email chains with malicious attachments and links. In the past, TrickBot originated as a banking Trojan to steal sensitive financial information via brute-force attacks or credential harvesting.
In an earlier interaction with CISO MAG, Lotem Finkelstein, Director, Threat Intelligence and Research for Check Point Software Technologies, had opined, “Emotet is responsible for the explosion of targeted ransomware we have seen over the past three years and its comeback might lead to a further increase in such attacks. It is no surprise that Trickbot and its infrastructure are being used to deploy the newly resurgent Emotet. This will not only shorten the time it would take for Emotet to build a significant enough foothold in networks around the world but it is also a sign that, like in the old days, Trickbot and Emotet are united as partners in crime.”
And now, it is the Cobalt Strike tool that is being used as the new partner in crime. It was used to facilitate ransomware attacks by threat groups, and now it is bypassing the Trojans like TrickBot and directly accelerating the attack.
Heads up, we see #Emotet dropping new #CobaltStrike beacons on E4 bots.
Config: https://t.co/slNVHR2iUO https://t.co/nzvOJWc9V9
— Cryptolaemus (@Cryptolaemus1) December 8, 2021
Cobalt Strike Popular with Cybercriminals
Cobalt Strike is threat simulation software used by security experts and penetration testers to identify the potential risk of a data breach or cyberattack. Several security experts stated that threat actors leverage the Cobalt Strike tool for cybercriminal activities.
“Cobalt Strike, while used by security practitioners to ultimately thwart cybercrime, is now a common tool in the arsenal of cybercriminals. For now, most threat actors are relying on open-source methods for deployment and configuration, but we expect cybercriminals to begin to innovate and develop new tactics that defenders will have to adapt to. We expect these innovations particularly from those cybercriminal groups that are using the tool in targeted ransomware attacks,” a report from Intel 471 stated.
📌Emotet is the key loader for Conti based on our insights expect more from Emotet soon fueling ransomware via Cobalt Strike layer.
Here is the primer on why/how:https://t.co/mH1f0suSvZ https://t.co/P0ArRets1h
— Vitali Kremez (@VK_Intel) December 6, 2021
The Cobalt Strike tool is used to drop “beacons” as they execute remote surveillance on infected networks and can be used to facilitate ransomware attacks.
Beacon is Cobalt Strike’s payload to model an advanced actor. Beacon executes PowerShell scripts, logs keystrokes, takes screenshots, downloads files, and spawns other payloads.
We need to see what new actions the authorities will enforce to ensure the disruption of the Emotet botnet, before more news of these alarming ransomware attacks make it to the mainstream media.