Emotet goes for the jugular; skips trojan payload in favor of direct Cobalt Strike installation
Posted by: GuidePoint Security
Published 12/16/21, 9:00am
Consistent with reports that the notorious botnet known as Emotet was making a comeback, security researchers have discovered that the malware is now installing Cobalt Strike beacons directly onto infected systems. This has the effect of giving threat actors instant access to infiltrated systems, suggesting the intention of imminent ransomware attacks.
Prior to Emotet’s shutdown in January 2021, the botnet would install TrickBot or Qbot trojans on infected devices, which would, in turn, deploy Cobalt Strike. However, now it appears that Emotet is skipping the trojan payload in favor of a direct Cobalt Strike installation. Cobalt Strike can be used to gather intel on the infected device, including evaluating the overall network or domain and identifying other victims for additional infections, which helps facilitate speedier delivery of the payload—often ransomware.
Security researchers believe that the resurgence of Emotet is a strong indicator of impending ransomware attacks.
Next Steps
Ransomware is a significant threat that continues to grow. Mitigation steps include:
- Regularly back up all data to air-gapped, password-protected systems kept offline.
- Implement multifactor authentication (MFA).
- Apply the principle of least privilege.
- Periodically review network access for all employees and delete old or inactive accounts.
- Regularly review logs and engage in other types of system scanning for indications of unauthorized access or modifications.
- Segment networks for better management.
- Regularly update security software on all systems and enable real-time detection.
- Update/patch all systems and software quickly.
- Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs for any unusual activity.
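As an added illustration of the last two points (reviewing logs for unauthorized access and monitoring RDP logs for unusual activity), the following script is not GuidePoint's tooling; it flags successful RemoteInteractive logons (Windows Event ID 4624, LogonType 10) that come from outside an assumed set of management subnets, fall outside an assumed business-hours window, or show one account arriving from more hosts than expected. The log records, subnets and hours are constructed for the example and would be tuned to the real environment.

```python
"""Flag unusual RDP (RemoteInteractive) logons in Windows Security log records.

Added illustration for the "monitor remote access/RDP logs" mitigation; this is
not GuidePoint's tooling. The records below are constructed, not real telemetry,
and the business-hours window and expected source subnets are assumptions that
a real deployment would tune to its own environment.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from datetime import datetime

# Assumed policy: interactive RDP is expected only from these management
# subnets and only during these local hours. Constructed for the example.
EXPECTED_SOURCE_NETS = [ipaddress.ip_network("10.10.0.0/16")]
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 inclusive
MAX_DISTINCT_SOURCES = 2       # one account from >2 hosts in the window is odd

# Constructed sample of Event ID 4624 (successful logon) records, already
# flattened to key=value pairs as a SIEM export might produce them.
SAMPLE_EVENTS = [
    "ts=2021-12-15T09:12:03 EventID=4624 LogonType=10 Account=jsmith Source=10.10.4.21 Host=FS01",
    "ts=2021-12-15T10:47:19 EventID=4624 LogonType=10 Account=admin-ops Source=10.10.9.7 Host=DC01",
    "ts=2021-12-15T22:41:55 EventID=4624 LogonType=10 Account=svc-backup Source=10.10.4.21 Host=FS01",
    "ts=2021-12-16T02:08:40 EventID=4624 LogonType=10 Account=jsmith Source=198.51.100.23 Host=DC01",
    "ts=2021-12-16T03:15:02 EventID=4624 LogonType=10 Account=jsmith Source=10.10.4.21 Host=WS22",
    "ts=2021-12-16T03:16:11 EventID=4624 LogonType=10 Account=jsmith Source=10.10.8.5 Host=WS23",
    "ts=2021-12-16T11:02:45 EventID=4624 LogonType=3  Account=jsmith Source=10.10.4.21 Host=FS01",
]


def parse_event(line: str) -> dict[str, str]:
    """Split a 'key=value key=value' record into a dict."""
    return dict(token.split("=", 1) for token in line.split())


def is_rdp_logon(ev: dict[str, str]) -> bool:
    """4624 with LogonType 10 is a successful RemoteInteractive (RDP) logon."""
    return ev.get("EventID") == "4624" and ev.get("LogonType") == "10"


def source_is_expected(source: str) -> bool:
    """True when the source address lies in an expected management subnet."""
    addr = ipaddress.ip_address(source)
    return any(addr in net for net in EXPECTED_SOURCE_NETS)


def find_unusual_rdp(lines: list[str]) -> list[tuple[str, str]]:
    """Return (reason, record) pairs for RDP logons worth an analyst's look.

    Three independent checks:
      1. source address outside the expected management subnets
      2. logon outside business hours
      3. one account arriving from more than MAX_DISTINCT_SOURCES hosts
    """
    alerts: list[tuple[str, str]] = []
    sources_by_account: dict[str, set[str]] = defaultdict(set)
    events = [parse_event(line) for line in lines]
    rdp = [ev for ev in events if is_rdp_logon(ev)]

    for ev in rdp:
        record = f"{ev['Account']} {ev['Source']}->{ev['Host']} at {ev['ts']}"
        if not source_is_expected(ev["Source"]):
            alerts.append(("unexpected source", record))
        hour = datetime.fromisoformat(ev["ts"]).hour
        if hour not in BUSINESS_HOURS:
            alerts.append(("off-hours logon", record))
        sources_by_account[ev["Account"]].add(ev["Source"])

    for account, sources in sources_by_account.items():
        if len(sources) > MAX_DISTINCT_SOURCES:
            alerts.append(("many sources", f"{account} from {sorted(sources)}"))
    return alerts


if __name__ == "__main__":
    for reason, detail in find_unusual_rdp(SAMPLE_EVENTS):
        print(f"[{reason}] {detail}")
```

Run on the constructed sample, the script raises six alerts: one logon from an address outside the assumed management range, four logons outside business hours, and one account seen from three different source hosts. The network logon on the last line (LogonType 3) is deliberately ignored so that share access does not drown out interactive sessions; a production version would read the same fields from the event log or SIEM rather than from a string list.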