Emotet Tactic May Presage More Rapid Ransomware Infections
Venerable Malware Now Rapidly Loading Cobalt Strike Beacons Onto Infected Endpoints
Notorious Emotet malware has been dropping an advanced network penetration tool directly onto infected endpoints, in a likely bid to more rapidly infect them with ransomware, some experts warn.
Malware research group Cryptolaemus on Wednesday announced that it's been seeing Emotet infecting systems and then immediately acting as a loader to install Cobalt Strike penetration-testing software onto the endpoints.
Cryptolaemus says the Emotet-infected PCs connect to a command-and-control - aka C2 - server with the code name Epoch 5. Specifically, it says this E5 server has been pushing payload software, known as beacons, onto infected endpoints; the beacons then communicate with a Cobalt Strike team server, which is the C2 component of the Cobalt Strike toolkit.
WARNING We have confirmed that #Emotet is dropping CS Beacons on E5 Bots and we have observed the following as of 10:00EST/15:00UTC. The following beacon was dropped: https://t.co/imJDQTGqxV Note the traffic to lartmana[.]com. This is an active CS Teams Server. 1/x— Cryptolaemus (@Cryptolaemus1) December 7, 2021
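The only indicator the tweet publishes is the defanged team-server domain lartmana[.]com. The script below, which is an added example and not code from Cryptolaemus or from the article's authors, shows the check a defender would run with that indicator: it refangs the published domain, parses constructed web-proxy log lines (the log format and client addresses are invented for the example), and reports every host that is the indicator or a subdomain of it, while not matching look-alike hosts that merely end in the same string.

```python
"""Match web-proxy log lines against a defanged C2 indicator.

Added example, not code from Cryptolaemus or the article's authors. The
indicator lartmana[.]com is the one quoted in the tweet above; the log
format, client addresses and request paths are constructed for this example.
"""
import re
from urllib.parse import urlsplit

# Indicator exactly as published (defanged with [.] so it is not clickable).
DEFANGED_IOCS = ["lartmana[.]com"]

# Constructed proxy log lines: timestamp, client IP, method, URL, status.
SAMPLE_PROXY_LOG = """\
2021-12-07T15:01:12Z 10.20.30.41 GET http://lartmana.com/jquery-3.3.1.min.js 200
2021-12-07T15:01:15Z 10.20.30.41 POST https://cdn.lartmana.com/submit.php 200
2021-12-07T15:02:03Z 10.20.30.55 GET https://www.example.org/index.html 200
2021-12-07T15:02:09Z 10.20.30.41 GET http://notlartmana.com/ 404
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$"
)


def refang(ioc: str) -> str:
    """Turn common defanging ('[.]', 'hxxp') back into a matchable form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()


def host_matches(host: str, indicator: str) -> bool:
    """True if host is the indicator or any subdomain of it.

    A plain substring test would also flag 'notlartmana.com'; requiring an
    exact match or a leading '.' boundary avoids that false positive.
    """
    host = host.lower().rstrip(".")
    return host == indicator or host.endswith("." + indicator)


def scan_proxy_log(log_text: str, defanged_iocs=DEFANGED_IOCS):
    """Return (client, host, timestamp) tuples for lines touching an IoC."""
    indicators = [refang(i) for i in defanged_iocs]
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        host = urlsplit(m.group("url")).hostname or ""
        for ind in indicators:
            if host_matches(host, ind):
                hits.append((m.group("client"), host, m.group("ts")))
                break
    return hits


if __name__ == "__main__":
    for client, host, ts in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{ts} {client} -> {host}  (matches published team server IoC)")
```

Matching on the parsed hostname rather than on the raw line is what keeps the look-alike host `notlartmana.com` out of the results; the same function works unchanged for DNS query logs once the hostname field is extracted.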
Security firm Cofense told Bleeping Computer, which first reported on this development, that it too has seen some Emotet infections drop Cobalt Strike, only to remove it later.
"Emotet itself gathers a limited amount of information about an infected machine, but Cobalt Strike can be used to evaluate a broader network or domain, potentially looking for suitable victims for further infection such as ransomware," Cofense told Bleeping Computer.
Malware expert Marcus Hutchins said such tactics are an unwelcome development, because they could mean decreased time for defenders to spot and respond to attacks before ransomware gets unleashed.
"This is a big deal," Hutchins tweeted. "Typically Emotet dropped TrickBot or QakBot, which in turn dropped Cobalt Strike. You'd usually have about a month between first infection and ransomware. With Emotet dropping CS directly, there's likely to be a much, much shorter delay."
Offering: Loader as a Service
Emotet refers to both "a loader botnet and a criminal syndicate managing this botnet using a loader-as-a-service model," says threat-intelligence firm Advanced Intelligence. "This means that Emotet offers the capabilities of a loader to deliver the payload of its customer."
The Justice Department has said that individuals infected with Emotet are often unaware. "The computers infected with Emotet malware are part of a botnet (i.e., a network of compromised computers), meaning the perpetrators can remotely control all the infected computers in a coordinated manner," DOJ said. "The owners and operators of the victim computers are typically unaware of the infection."
The EU's law enforcement agency, Europol, has described Emotet as being "one of the most professional and long-lasting cybercrime services." Early this year, FBI Special Agent in Charge Robert R. Wells of the FBI's field office in Charlotte, North Carolina, said that since 2017, Emotet had been "one of the top cyberthreats in the world."
But in January, as part of "Operation Ladybird," an international coalition of law enforcement agencies disrupted Emotet's infrastructure. The effort included instructing Emotet botnets to update the software on infected endpoints with a file created by law enforcement agencies to eliminate criminals' access to those systems. "The law enforcement file does not remediate other malware that was already installed on the infected computer through Emotet; instead, it is designed to prevent additional malware from being installed on the infected computer by untethering the victim computer from the botnet," the DOJ said at the time.
As part of the takedown effort, law enforcement agencies in Canada, France, Germany, the Netherlands, the U.K. and the U.S. targeted Emotet's infrastructure, backed by investigative assistance from Lithuania, Sweden and Ukraine, and coordination from Europol.
Unfortunately, such takedowns typically prove temporary, unless police have been able to arrest everyone involved and no one else holds a copy of the code used to create and maintain the malicious infrastructure or generate spam files and malicious executables.
Indeed, after Emotet was disrupted in January, it reappeared last month, sporting numerous updates, including better loader-type features, threat intelligence firm Intel 471 says in a Thursday report.
The latest version features "a spam module, email credential stealer, Outlook email address harvester, browser credential stealer," and web injection capabilities - to spoof legitimate banking and other sites - as well as "a module that allowed for brute-forcing credentials and lateral movement," Intel 471 says.
The criminal group that maintains Emotet has also been using previously seen tactics to distribute the malware, Intel 471 says. One recent Emotet campaign, for example, has been sending malicious spam with a .zip file attached that contains a Microsoft Word document with malicious macros. If the recipient falls for the ruse and enables macros, the Word document will download an Emotet loader and execute it.
Past Emotet distribution campaigns have featured fake PayPal receipts, shipping notifications, or "past-due" invoices to trick recipients into opening malicious attachments, the U.S. Cybersecurity and Infrastructure Security Agency says in an Emotet alert.
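The delivery chain described above, a .zip attachment wrapping a Word document that carries macros, is something a mail gateway can check for before a recipient ever sees the enable-macros prompt. The script below is an added example, not code from Intel 471, CISA or the article: it builds a constructed sample attachment in memory (a .zip holding a .docm whose OOXML package contains word/vbaProject.bin, the part in which Word stores VBA), then inspects an attachment the same way a gateway filter would, flagging Office documents inside the zip and reporting whether each one carries a VBA project. Legacy binary formats (.doc, .xls, .rtf) are not zip packages, so the example only flags them for a separate OLE scan rather than claiming to inspect them.

```python
"""Flag e-mail attachments matching the zip-wrapped macro document pattern.

Added example, not code from Intel 471, CISA or the article. The attachment
is constructed in memory: a .zip that wraps a .docm whose OOXML package
contains word/vbaProject.bin, which is where Word stores VBA macros. The
placeholder bytes stand in for a VBA project; they contain no macro code.
"""
import io
import zipfile

OFFICE_EXTENSIONS = (".doc", ".docm", ".docx", ".xls", ".xlsm", ".xlsx", ".rtf")
LEGACY_BINARY_EXTENSIONS = (".doc", ".xls", ".rtf")  # OLE/RTF containers, not zips


def build_sample_attachment() -> bytes:
    """Constructed sample: zip containing a .docm with a vbaProject.bin part."""
    docm = io.BytesIO()
    with zipfile.ZipFile(docm, "w") as d:
        d.writestr("[Content_Types].xml", "<Types/>")
        d.writestr("word/document.xml", "<w:document/>")
        d.writestr("word/vbaProject.bin", b"\x00placeholder-not-real-vba\x00")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Invoice_4471.docm", docm.getvalue())  # invented file name
        z.writestr("readme.txt", "see attached")
    return outer.getvalue()


def ooxml_has_vba(data: bytes) -> bool:
    """OOXML documents are zips; macros live in a vbaProject.bin part inside."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as doc:
            return any(name.lower().endswith("vbaproject.bin") for name in doc.namelist())
    except zipfile.BadZipFile:
        return False  # not an OOXML package, so no vbaProject.bin to find


def inspect_zip_attachment(blob: bytes) -> list:
    """Return (member name, verdict) for every Office document inside the zip."""
    findings = []
    try:
        outer = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return [("<attachment>", "not-a-zip")]
    with outer:
        for info in outer.infolist():
            lower = info.filename.lower()
            if not lower.endswith(OFFICE_EXTENSIONS):
                continue  # only Office documents matter for this pattern
            if lower.endswith(LEGACY_BINARY_EXTENSIONS):
                # OLE/RTF files need a dedicated parser; flag rather than guess.
                findings.append((info.filename, "office-legacy-needs-ole-scan"))
                continue
            data = outer.read(info)
            verdict = "office-with-vba" if ooxml_has_vba(data) else "office-no-vba"
            findings.append((info.filename, verdict))
    return findings


if __name__ == "__main__":
    for member, verdict in inspect_zip_attachment(build_sample_attachment()):
        print(f"{member}: {verdict}")
```

A verdict of office-with-vba on a zip-wrapped document arriving from outside the organization is the condition to quarantine or sandbox on; the legacy verdict exists so that a .doc inside the zip is never silently passed as clean just because this check cannot open it.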
Prior to Emotet's takedown in January by a multinational group of law enforcement agencies, security experts say three different Emotet botnets - Epoch 1, 2 and 3 - were being used to distribute and control the malware. Since Emotet's reappearance around Nov. 14, researchers have been tracking two new Emotet botnets: Epoch 4 and 5.
Strategic Criminal Partnerships: Back in Vogue?
AdvIntel says Emotet's November return appears to have been at the request of the Conti ransomware operation. Conti, which it describes as an offshoot of the Ryuk group, has been seeking new tactics to distribute its crypto-locking malware, following the decline of the ransomware-as-a-service - aka RaaS - model since this past summer.
"It was the former Ryuk members who were able to convince former Emotet operators to set up a back end and a malware builder from the existing repository project to return to business, in order to restore the TrickBot-Emotet-Ryuk triad," AdvIntel's Yelisey Boguslavskiy and Vitali Kremez say in a recent report.
The combination of Emotet, Ryuk and TrickBot was previously described by Intel 471 as a "loader-ransomware-banker trifecta," which over a two-year period was tied to "millions of dollars in damages and ransoms paid."
But AdvIntel said that approach was challenged by the RaaS model, which helped ransomware operations reach record profits by providing their malware to independent affiliates and sharing profits.
Many of these ransomware groups, however, appear to have overreached after hitting such targets as Ireland's national health service, a major U.S. pipeline, and the world's largest meat packager. Those attacks sparked a furious response from many governments and led to some military and intelligence agencies being tasked with actively tracking and disrupting these groups.
"In the spring and summer of 2021, most of the major ransomware-as-a-service groups, including REvil, DarkSide, Avaddon, BlackMatter, Babuk and others, quit the criminal market," AdvIntel says. "Remaining groups such as LockBit and Hive faced a major decline in payments from victims due to extensive use of backups and more advanced defenses."
This vacuum appears to have inaugurated a return to "long-term strategic criminal partnerships between top-tier organized crime groups," AdvIntel says, including the apparent rebooting of Emotet at Conti's request. In another tactical shift, based on cybercrime forum posts and leaks by unhappy contractors, Conti also appears to have been hiring relatively low-skilled affiliates and paying them a flat fee rather than a cut of every ransom paid by a victim.
Beyond Emotet, the return of Trickbot also remains a cause for concern, experts say. "Trickbot was one of the most massive botnets in 2020, only outmatched by Emotet," say researchers at Check Point Software in a report published Wednesday.
"In an effort to take down Trickbot, different vendors worked together to take down 94% of core servers crucial for Trickbot operations in October 2020," they say. But like Emotet, Trickbot returned, and it was the most active botnet in May, June and September of this year, according to the researchers, who say that in the past 11 months, they've counted at least 140,000 Trickbot-infected endpoints.