Emotet Botnet Dropping Cobalt Strike

Overview

The recently revived Emotet malware has been observed dropping Cobalt Strike beacons directly onto victim machines. This marks a change from its previous behaviour, where it acted as a loader for other malware families such as the TrickBot banking trojan, with Cobalt Strike typically arriving only later in the intrusion. Cobalt Strike is a commercial post-exploitation framework that gives a threat actor direct, interactive control over a compromised machine, so the time between initial infection and hands-on-keyboard activity is likely to shrink.

Impact

Cobalt Strike is a full post-exploitation framework. Its beacon payload provides a range of capabilities that are directly useful to an attacker, including:

– command execution
– keylogging
– file upload and download
– network proxying (SOCKS pivoting)
– privilege escalation
– credential dumping via Mimikatz
– port scanning
– lateral movement

Detection

Cobalt Strike Command and Control (C2) is highly reconfigurable: the HTTP traffic a beacon generates is defined by a Malleable C2 profile chosen by the operator, so the URIs, headers and request shape vary between deployments. The samples seen in use by Emotet use a profile that sets the HTTP POST URI to:

HttpPostUri:
`/jquery-3.3.2.min.js`

jQuery 3.3.2 was never released (3.3.1 was followed by 3.4.0), so requests for this path in web proxy logs are a good indicator of malicious activity, particularly when the request is a POST, or the host is not a known jQuery CDN. Because the URI is a property of the profile rather than of Cobalt Strike itself, its absence does not rule out a Cobalt Strike infection, and other Emotet-delivered samples may use different profiles; pair this check with the domain and hash indicators below.
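The check described above, written out as an added example (not code from the original advisory): a small parser for web proxy logs that flags requests for the non-existent jQuery 3.3.2 path and requests to the C2 domain listed in the Indicators of Compromise. The log format is a constructed, simplified "timestamp client method url status" layout rather than any particular proxy's native format, and the sample lines are invented for the demonstration.

```python
"""Flag web proxy log lines that match the Cobalt Strike / Emotet indicators.

Added example, not part of the original advisory.  The log layout and the
sample lines below are constructed for illustration.
"""
import re
from typing import Dict, List, Optional, Tuple

# Indicators from the advisory: the POST URI from the Malleable C2 profile
# and the C2 domain (defanging brackets removed so it matches real log data).
IOC_URI = "/jquery-3.3.2.min.js"
IOC_DOMAINS = {"lartmana.com"}

# Constructed sample log: "<unix time> <client ip> <method> <url> <status>".
# Line 1 is a legitimate jQuery download (3.3.1 is a real release).
SAMPLE_LOG = """\
1638787201.123 10.0.0.5 GET https://code.jquery.com/jquery-3.3.1.min.js 200
1638787202.456 10.0.0.7 GET http://lartmana.com/jquery-3.3.2.min.js 200
1638787203.789 10.0.0.9 POST http://203.0.113.10/jquery-3.3.2.min.js 200
1638787204.012 10.0.0.5 GET https://example.org/index.html 200
this line is not a log record
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d+)$"
)
# Host and path only; query string and fragment are ignored for matching.
URL_RE = re.compile(r"^https?://(?P<host>[^/:?#]+)(?::\d+)?(?P<path>/[^?#]*)?")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line into a record, or return None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    u = URL_RE.match(m["url"])
    if not u:
        return None
    return {
        "ts": m["ts"],
        "client": m["client"],
        "method": m["method"],
        "host": u["host"].lower(),
        "path": u["path"] or "/",
        "status": m["status"],
    }


def classify(rec: Dict[str, str]) -> List[str]:
    """Return the list of indicator names a record matches (empty if clean)."""
    reasons = []
    if rec["path"] == IOC_URI:
        reasons.append("cobalt-strike-profile-uri")
    if rec["host"] in IOC_DOMAINS:
        reasons.append("emotet-c2-domain")
    return reasons


def scan(log_text: str) -> List[Tuple[str, str, str, str, List[str]]]:
    """Scan a whole log and return (client, method, host, path, reasons) per hit."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash on them
        reasons = classify(rec)
        if reasons:
            hits.append((rec["client"], rec["method"], rec["host"], rec["path"], reasons))
    return hits


if __name__ == "__main__":
    for client, method, host, path, reasons in scan(SAMPLE_LOG):
        print(f"{client} {method} {host}{path} -> {', '.join(reasons)}")
```

Matching is on the exact path rather than a substring so that the genuine `jquery-3.3.1.min.js` download on the first line is not flagged; in production the hash indicators would be checked against endpoint or sandbox telemetry rather than proxy logs, which do not carry file hashes.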

Indicators of Compromise

Domain
lartmana[.]com

MD5
63ab5d17585a8734d643324e2a8fa90e
SHA1
a02e0dbcfb20c3f5f2e8965f6b4dbe31928bee7b
SHA256
5b5fa30bf12f13f881708222824517d662f410b212a0f7f7ce5c611fd809f809

Threat Landscape

Emotet was one of the biggest botnets in the world until it was taken down by coordinated international law enforcement action in January 2021. Since November 2021 there have been reports that the infrastructure is being rebuilt from scratch, with the new Emotet loader being delivered to existing TrickBot infections. Its disappearance left a gap in the initial access market, and some researchers believe that the Conti ransomware gang may have encouraged the Emotet operators to rebuild.

MITRE ATT&CK Methodologies

S0154 – Cobalt Strike
S0266 – TrickBot
S0367 – Emotet

T1566.001 – Phishing: Spearphishing Attachment

Further Information

Cryptolaemus on Twitter
C2 profile