U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Emotet directly drops Cobalt Strike beacons without intermediate Trojans

The Emotet malware continues to evolve, in the latest attacks, it directly installs Cobalt Strike beacons to give the attackers access to the target network. Emotet malware now directly installs Cobalt Strike beacons to give the attackers immediate access to the target network and allow them to carry out malicious activities, such as launching ransonware […]

emotet

The Emotet malware continues to evolve, in the latest attacks, it directly installs Cobalt Strike beacons to give the attackers access to the target network.

Emotet malware now directly installs Cobalt Strike beacons to give the attackers immediate access to the target network and allow them to carry out malicious activities, such as launching ransonware attacks.

In a classic attack chain, the Emotet malware would install the TrickBot or Qbot trojans on infected devices, which in turn would deploy Cobalt Strike on an infected system.

Emotet research group Cryptolaemus recently noticed a switch in the tactics of Emotet operators, which now are directly installing Cobalt Strike beacons on infected devices without installing the above intermediate Trojans.

Reducing the attack chain will allow the threat actors to rapidly move to the second stage of the attack, such as installing ransomware on the infected network.

A Flash Alert shared by security firm Cofense with Bleeping Computer confirms the new technique used in the attacks.

“While the Cobalt Strike sample was running, it attempted to contact the domain lartmana[.]com. Shortly afterward, Emotet uninstalled the Cobalt Strike executable.” reads the alert.

https://twitter.com/MalwareTechBlog/status/1468305592296951808

Cofense researchers speculate the new attack chain might have been a test, or even unintentional, anyway the researchers will continue to monitor the evolution of the tactics for Emotet operators.

Early this year, law enforcement and judicial authorities worldwide conducted a joint operation, named Operation Ladybird, which disrupted the EMOTET botnet. At the time the investigators have taken control of its infrastructure in an international coordinated action. 

This operation was the result of a joint effort between authorities in the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine, with international activity coordinated by Europol and Eurojust.

The law enforcement agency was able to take over at least 700 servers used as part of the Emotet botnet’s infrastructure. The FBI collected millions of email addresses used by Emotet operators in their malware campaigns as part of the cleanup operation.

The Emotet banking trojan has been active at least since 2014, the botnet is operated by a threat actor tracked as TA542. The infamous banking trojan was also used to deliver other malicious code, such as Trickbot and QBot trojans, or ransomware such as ContiProLockRyuk, and Egregor.

In mid-November researchers from multiple cybersecurity firms ([Cryptolaemus], [GData], and [Advanced Intel]) reported that threat actors are using the TrickBot malware to drop an Emoted loader on infected devices. The experts tracked the campaign aimed at rebuilding the Emotet botnet using TrickBot’s infrastructure as Operation Reacharound.

Researchers from AdvIntel believe that the return will have a significant impact on the ransomware operations in the threat landscape, likely “the largest threat ecosystem shift in 2021” and beyond due to three reasons:

  1. Emotet’s unmatched continuous loader capabilities
  2. The correlation between these capabilities and the demanded of the contemporary cybercrime market
  3. The return of the TrickBot-Emotet-Ransomware triad resulted from the first two points.

The Emotet botnet was resurrected by its former operator, who was convinced by the Conti ransomware gang. The shutdown of the Emotet operation resulted in the lack of high-quality initial access brokers.

Qbot and TrickBot used Emotet’s service to deploy multiple ransomware strains, including ContiDoppelPaymerEgregorProLockRyuk, and others).

The vacuum left by Emotet shutdown urged its resurgence, for this reason, its return will have a major impact on the threat landscape.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]