Emotet Starts Dropping Cobalt Strike Again for Quick Attacks

Just in time for the holidays, the notorious Emotet malware is once again installing Cobalt Strike beacons directly on infected systems for rapid cyberattacks. For those not familiar with Emotet, it is considered one of the most widespread malware infections and is distributed through phishing emails that carry malicious attachments.

Previously, once a device became infected, Emotet would steal the victim's email to use in future campaigns and then drop additional malware payloads, such as TrickBot and Qbot. Earlier this month, however, Emotet started testing the installation of Cobalt Strike beacons on infected devices instead of its usual payloads.

Cobalt Strike is a legitimate penetration-testing tool that attackers commonly abuse to move laterally through an organization and ultimately deploy ransomware across the network.

That test was brief, and the attackers soon went back to distributing their usual payloads.

Emotet Resumes Cobalt Strike Installs

Last week, the Emotet operators suspended their phishing operations, and since then investigators had seen no further activity from the group: "Spamming stopped last week on Thursday, and since then, they have been quiet with very little of ANYTHING going on until today."

However, Cryptolaemus, the research group that tracks Emotet, is now alerting that starting today the attackers have once again begun installing Cobalt Strike beacons on devices already infected by Emotet.

[Image: Cryptolaemus alert that Emotet is again installing Cobalt Strike beacons]

Roosen told our experts that Emotet is now downloading the Cobalt Strike modules directly from its command and control server and then executing them on the infected devices.

With Cobalt Strike beacons installed directly by Emotet, the attackers who use them to move laterally through a network, steal files, and deploy further malware gain immediate hands-on access to compromised networks.

That access shortens the time from initial infection to attack, and with it coming right before the holidays, it could lead to numerous breaches, since enterprises now have limited staff on hand to monitor for and respond to intrusions.

C2 communications disguised as jQuery

In a sample of the Cobalt Strike beacon shared with our experts, the malware communicates with the attacker's command and control servers by requesting a fake 'jquery-3.3.1.min.js' file. On every check-in, the beacon downloads the jQuery file again; most of it is unchanged, but one variable is rewritten to carry new instructions each time, as shown by the highlighted text in the image below:

[Image: Cobalt Strike beacon C2 response disguised as jquery-3.3.1.min.js, with the rewritten variable highlighted]

Because most of the file is legitimate jQuery source code and only a small portion changes, the traffic blends in with ordinary web requests and is easier to slip past security software. The rapid deployment of Cobalt Strike through Emotet is a significant development that should be on the radar of all Windows and network admins and security professionals.
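The disguise described above has a weakness a defender can key on: a genuine static file served from a CDN hashes identically on every fetch, while a beacon's "jQuery" must change on every check-in to carry new tasking. The script below is an added example written for this article, not code from the article or from any Emotet or Cobalt Strike sample. It runs over constructed proxy-log style records (client, host, path, response body); the baseline "jQuery" text is a short constructed stand-in for the real file, and the hosts and base64-looking markers are made up. It flags any host whose static path returns more than one distinct body, compares each response against a pinned hash of the known-good file, and pulls out the region that was rewritten so an analyst can see where the tasking was embedded.

```python
import hashlib
from collections import defaultdict
from difflib import SequenceMatcher

# Constructed stand-in for the legitimate minified jQuery file (not the real
# file). In production, pin the SHA-256 of the genuine release instead.
BASELINE_JS = (
    "/*! jQuery v3.3.1 | (c) JS Foundation and other contributors | jquery.org/license */\n"
    '!function(e,t){"use strict";var n="3.3.1",w=function(e,t){return new w.fn.init(e,t)};'
    "w.fn=w.prototype={jquery:n,length:0};return w}(window);\n"
)


def tamper(marker: str) -> str:
    """Constructed beacon response: the same file, but one variable is
    rewritten to carry tasking, which is the pattern the article describes."""
    return BASELINE_JS.replace('n="3.3.1"', 'n="%s"' % marker)


# Constructed log records. The benign CDN always serves the identical file;
# the (made-up) C2 host serves a body that differs on every check-in.
SAMPLE_RECORDS = [
    ("10.0.0.5", "cdn.example.net", "/jquery-3.3.1.min.js", BASELINE_JS),
    ("10.0.0.5", "cdn.example.net", "/jquery-3.3.1.min.js", BASELINE_JS),
    ("10.0.0.7", "203.0.113.10", "/jquery-3.3.1.min.js", tamper("MDAwMQ==")),
    ("10.0.0.7", "203.0.113.10", "/jquery-3.3.1.min.js", tamper("MDAwMg==")),
    ("10.0.0.7", "203.0.113.10", "/jquery-3.3.1.min.js", tamper("MDAwMw==")),
]


def sha256(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def changing_static_files(records, min_variants=2):
    """Return {(host, path): number_of_distinct_bodies} for static paths whose
    response body is not stable across fetches. A CDN file hashes the same
    every time; a beacon's rewritten 'jQuery' cannot."""
    seen = defaultdict(set)
    for _client, host, path, body in records:
        seen[(host, path)].add(sha256(body))
    return {key: len(hashes) for key, hashes in seen.items() if len(hashes) >= min_variants}


def baseline_mismatches(records, pinned_hash):
    """Hosts serving the known filename with a body whose hash does not match
    the pinned hash of the real release."""
    return sorted({host for _c, host, _p, body in records if sha256(body) != pinned_hash})


def changed_region(baseline: str, observed: str):
    """Locate the first span that differs from the pinned baseline, so the
    embedded tasking can be pulled out of the otherwise legitimate file.
    Returns (baseline_text, observed_text) or None if identical."""
    matcher = SequenceMatcher(None, baseline, observed, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag != "equal":
            return baseline[i1:i2], observed[j1:j2]
    return None


if __name__ == "__main__":
    print("unstable static files:", changing_static_files(SAMPLE_RECORDS))
    print("hash mismatches:", baseline_mismatches(SAMPLE_RECORDS, sha256(BASELINE_JS)))
    for _c, host, _p, body in SAMPLE_RECORDS:
        region = changed_region(BASELINE_JS, body)
        if region:
            print(host, "rewrote", repr(region[0]), "->", repr(region[1]))
```

Two caveats for real deployments: the hash-instability check only works on decrypted traffic, so it belongs on a TLS-inspecting proxy or on endpoint telemetry rather than on a passive network tap, and a genuine CDN path can legitimately change when a site upgrades its jQuery version, so treat a mismatch as a lead to pivot on (which host, which client, how often) rather than as a verdict on its own.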

With this renewed distribution of beacons to already infected devices, we expect to see an increased number of corporate breaches, and ultimately ransomware attacks, right before or during the holidays.
