The recently revived Emotet malware has been observed dropping Cobalt Strike directly onto victim machines. This is a change from its previous behaviour, where it acted as a loader for other malware families such as the TrickBot banking trojan. Cobalt Strike is a commercial post-exploitation framework which gives a threat actor direct, interactive control over a compromised machine.
Cobalt Strike is a complete post-exploitation framework. Its Beacon payload supports a range of techniques useful to an attacker, including:
– command execution
– key logging
– file transfer
– network proxying
– privilege escalation
– port scanning
– lateral movement
Cobalt Strike command and control (C2) traffic is highly configurable: a Malleable C2 profile controls the URIs, headers and encoding of Beacon's HTTP requests, so operators can shape the traffic to resemble legitimate web content.
The samples seen in use by Emotet use a profile which sets the remote URI to:
That version of jQuery was never released, so requests for it appearing in web proxy logs are a good indicator of malicious activity. The check is worth generalising: compare the version in any requested jquery-*.js path against jQuery's published release history rather than assuming such paths are benign, and treat repeated fetches of the same file from one client as a stronger signal, since a browser would cache a real library file while a Beacon polls its C2 on a timer.
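The detection described above, as an added example that is not code from the original write-up. It parses constructed proxy log lines in a minimal made-up format (timestamp, client IP, method, URL, status), extracts the version from any jQuery library request, flags versions absent from a partial allowlist of jQuery 3.x releases, and counts repeated hits per client and host. The allowlist must be maintained from jQuery's own release history, and the non-existent version in the sample data is an illustrative placeholder, not the URI observed in the Emotet samples.

```python
"""Flag proxy requests for jQuery library versions that were never released.

Added example, not from the original write-up. Log lines and the log format
are constructed for the demo; the release list is a partial allowlist that
must be kept current from jQuery's official release history.
"""
import re
from urllib.parse import urlsplit

# Partial allowlist of jQuery 3.x release versions (assumption: maintained by
# the reader from the official release history; 1.x and 2.x omitted here).
KNOWN_JQUERY_VERSIONS = {
    "3.0.0", "3.1.0", "3.1.1", "3.2.0", "3.2.1", "3.3.0", "3.3.1",
    "3.4.0", "3.4.1", "3.5.0", "3.5.1", "3.6.0", "3.6.1", "3.6.2",
    "3.6.3", "3.6.4", "3.7.0", "3.7.1",
}

# Final path component of a jQuery library request, e.g. /jquery-3.3.1.min.js
# or /static/jquery-3.6.0.slim.min.js; group 1 is the version string.
JQUERY_PATH = re.compile(
    r"/jquery-(\d+\.\d+\.\d+)(?:\.min|\.slim|\.slim\.min)?\.js$"
)

# Constructed minimal proxy log format: <timestamp> <client-ip> <method> <url> <status>
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")

# Constructed sample data. 203.0.113.10 is a documentation address and the
# version 3.3.2 is a placeholder for "a version jQuery never shipped".
SAMPLE_LOG = """\
2021-12-06T10:00:01Z 10.1.2.3 GET http://cdn.example.org/jquery-3.3.1.min.js 200
2021-12-06T10:00:05Z 10.1.2.3 GET http://cdn.example.org/app.js 200
2021-12-06T10:00:09Z 10.1.2.4 GET http://203.0.113.10/jquery-3.3.2.min.js 200
2021-12-06T10:01:09Z 10.1.2.4 GET http://203.0.113.10/jquery-3.3.2.min.js 200
2021-12-06T10:02:09Z 10.1.2.4 GET http://203.0.113.10/jquery-3.3.2.min.js 200
2021-12-06T10:02:30Z 10.1.2.5 GET http://cdn.example.org/jquery-3.6.0.slim.min.js 304
garbage line that does not parse
""".splitlines()


def parse_line(line):
    """Split one log line into fields, or return None for unparsable input."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status = m.groups()
    return {"ts": ts, "client": client, "method": method,
            "url": url, "status": int(status)}


def jquery_version(url):
    """Return the jQuery version requested in url, or None if not a jQuery path."""
    m = JQUERY_PATH.search(urlsplit(url).path)
    return m.group(1) if m else None


def find_suspicious(lines, known=KNOWN_JQUERY_VERSIONS):
    """Return parsed entries whose requested jQuery version is not a known release."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        ver = jquery_version(entry["url"])
        if ver is not None and ver not in known:
            hits.append({**entry, "version": ver})
    return hits


def summarise(hits):
    """Count hits per (client, host, version). A Beacon polling its C2 fetches
    the same bogus file over and over; a browser would load it once and cache it."""
    counts = {}
    for h in hits:
        key = (h["client"], urlsplit(h["url"]).hostname, h["version"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for key, n in summarise(find_suspicious(SAMPLE_LOG)).items():
        client, host, ver = key
        print(f"{client} -> {host}: jquery-{ver} not a known release ({n} requests)")
```

Run against real proxy logs, replace `LOG_LINE` with a parser for the proxy's actual format (Squid, Zscaler, Bluecoat and so on) and extend the allowlist to the 1.x and 2.x release lines; the version check and per-client counting stay the same.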
Indicators of Compromise
Emotet was one of the biggest botnets in the world until it was taken down by coordinated international law enforcement action at the start of this year (January 2021). Since November there have been reports that its infrastructure is being rebuilt from scratch, using existing TrickBot infections to seed the new botnet. Emotet's disappearance left a gap in the initial access market, and some believe that the Conti ransomware gang may have encouraged the Emotet operators to rebuild.
T1566.001 – Phishing: Spearphishing Attachment