In an alarming move observed on December 7th, Emotet has added dropping Cobalt Strike beacons before other trojans to its arsenal. This move significantly speeds up attacks, allowing groups to install ransomware and other payloads on the victim network almost immediately. The security research group Cryptolaemus published a thread on Twitter explaining their findings. In the thread, the group states that Emotet is no longer just commodity malware noise and that organizations should place this attack very high within their threat model.
Emotet Directly Dropping Cobalt Strike
The potential speed of a full attack scenario, now that a Cobalt Strike beacon is dropped immediately, is worrisome to security researchers. A vigilant attacker may opt to install their final payload as soon as the beacon contacts the command-and-control server, eliminating both time and noise, which makes this activity harder to detect. Organizations should review their defenses against Emotet and adjust their detection strategies to maximize the rate of detection. Binary Defense hosts a team of Threat Hunters dedicated to both targeted hunting and detection engineering to thwart attacks such as Emotet, among others. Together with their vSOC providing vigilant 24/7 coverage, businesses stand a much greater chance of mitigating these threats before sensitive data is exfiltrated or encrypted.
🚨🚨WARNING 🚨🚨 We have confirmed that #Emotet is dropping CS Beacons on E5 Bots and we have observed the following as of 10:00EST/15:00UTC. The following beacon was dropped: https://t.co/imJDQTGqxV Note the traffic to lartmana[.]com. This is an active CS Teams Server. 1/x
— Cryptolaemus (@Cryptolaemus1) December 7, 2021