As we all know by now, Emotet has made a comeback on the shoulders of TrickBot and is once again a massive threat. Its infrastructure has seen huge growth, and experts surmise that the malware will bring the largest shift in the 2021 threat landscape. Now, a concerning development in the life of Emotet has been observed.

What’s going on?

Conventionally, Emotet would install either TrickBot or Qbot on compromised devices. These trojans would eventually install Cobalt Strike. Now, Emotet has been observed changing tactics by skipping the primary malware payload and directly installing Cobalt Strike beacons on infected systems.

Why this matters

As the initial payloads of TrickBot and Qbot are skipped, attackers will have immediate access to a network. They can propagate laterally, quickly deploy ransomware, and steal data. The rapid deployment of Cobalt Strike is expected to speed up the deployment of ransomware, especially in the case of the Conti ransomware gang, which convinced Emotet to restart its business. Cofense researchers, in their flash alert, speculated that the new attack chain might be a test or even unintentional.

The resurrection of Emotet

Researchers from GData, Advanced Intel, and Cryptolaemus spotted new changes in the latest Emotet variant that was being dropped by TrickBot.
The new version has multiple execution options and a changed command buffer that offers seven commands.
Recently, Emotet was found spreading via malicious Windows App Installer packages in Windows 10 and 11. The campaign leveraged stolen reply-chain emails that appear to be replies to an existing conversation.

The bottom line

Emotet’s resurfacing and the subsequent tactic change are portents of larger ransomware attacks. With the new change in tactic, Emotet has reduced the time between infection and eventual ransomware deployment. However, experts are unsure of the motives of the threat actors behind this shift and will continue monitoring the development.

Cyware Publisher