Since the reappearance of Emotet last month following the law enforcement takedown of the botnet in January, researchers have noticed several key modifications to the malware and its behavior. But the biggest change came this week when researchers discovered that Emotet is now installing Cobalt Strike beacons directly, rather than dropping an intermediate payload first.
Historically, Emotet has been distributed through malicious documents attached to spam messages, and once installed, the malware typically drops another payload such as Trickbot or QakBot. Those intermediate payloads often then install a Cobalt Strike beacon, which is used as a persistence mechanism. The end result of many of these infections is the installation of ransomware, and the time from initial infection by Emotet to the ultimate ransomware event can be weeks. But now that Emotet is installing Cobalt Strike beacons directly, that window could shrink significantly, making the threat of ransomware infections all the more serious.
In the previous infection flow, defenders had more time to detect the presence of Emotet or Trickbot or QakBot and remediate before the ransomware infection took place. But now, the timeline is compressed and the chances of discovering and removing Emotet or the Cobalt Strike beacon before a ransomware infection are lower.
In addition to the direct installation of Cobalt Strike beacons, researchers have also seen several other changes in Emotet recently. In the 10 months following the January takedown, Emotet was relatively quiet but not completely gone. In November the botnet resurfaced fully, and researchers have since been noticing subtle differences in the samples installed on infected machines. The newer versions use a different encryption scheme than the older ones, swapping in elliptic curve cryptography in place of RSA. There are also some changes to the protocols used to communicate with the command-and-control servers.
“The old Emotet also used a multilayer communication protocol for all communication performed by the infected victim and the C2. However, the old protocol required the loader to also enumerate the victim’s process list, which was sent to the C2 during check-in. New Emotet strips out this process checking functionality from initial check-in and places it into a new module focused on process list checking,” researchers at Intel 471 said.
“A new addition to the Emotet protocol requirements and Emotet module list, the process checking module is sent to the bot after the C2 receives the bot’s initial check-in. This module exclusively grabs the infected victim’s process list, which is sent back to the C2.”
Check Point Research has identified more than 140,000 Trickbot-infected machines since the Emotet takedown, and given the close relationship between Trickbot and Emotet in the past, those machines seem like prime targets for Emotet’s new campaigns.
“The newly Emotet-infected machines began spreading once again, by a strong malspam campaign prompting users to download password-protected zip files, which contained malicious documents that, once run with macros enabled, infect the computer with Emotet, causing the infection cycle to repeat and enabling Emotet to rebuild its botnet network. Emotet could not have chosen a better platform than Trickbot as a delivery service when it came to Emotet’s rebirth question,” Check Point Research said.
“Since we spotted the Emotet comeback in November, we observed a volume of its activity which is at least 50% of the level we saw in January 2021, before Emotet had been taken down. This upwards trend continues throughout December as well.”
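The malspam lure Check Point describes above, a password-protected zip carrying a macro-enabled document, is awkward for mail gateways because the archive contents cannot be scanned without the password. What a gateway can still read is the zip's central directory, which exposes entry names and the encryption flag in the clear. The following triage helper is an added example written for this article; it is not code from Check Point Research, Intel 471 or any Emotet sample. The list of macro-capable extensions and the sample archive it builds are assumptions constructed for the demonstration, and the "encrypted" sample only has the header flag set so it looks password-protected to a scanner; nothing in it is a real document.

```python
import io
import struct
import zipfile

# Office extensions that can carry VBA macros. Assumption: a representative
# list chosen for this example, not taken from the article.
MACRO_CAPABLE = {".doc", ".docm", ".dot", ".dotm", ".xls", ".xlsm",
                 ".xlsb", ".xltm", ".ppt", ".pptm"}

# Bit 0 of the general-purpose flag field in zip headers marks an encrypted entry.
ENCRYPTED_FLAG = 0x0001


def inspect_zip_attachment(data: bytes) -> dict:
    """Triage a zip attachment without extracting it.

    Only the central directory is read, so a password is not needed.
    Returns is_zip, encrypted (any entry has the encryption bit set),
    suspicious (entry names with macro-capable extensions), and flag,
    which is True when the archive is both encrypted and carries such a file.
    """
    result = {"is_zip": False, "encrypted": False, "suspicious": [], "flag": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result
    result["is_zip"] = True
    with zf:
        for info in zf.infolist():
            if info.flag_bits & ENCRYPTED_FLAG:
                result["encrypted"] = True
            name = info.filename.lower()
            dot = name.rfind(".")
            if dot != -1 and name[dot:] in MACRO_CAPABLE:
                result["suspicious"].append(info.filename)
    result["flag"] = result["encrypted"] and bool(result["suspicious"])
    return result


def make_sample_zip(entry_name: str, payload: bytes, encrypted: bool) -> bytes:
    """Build a constructed sample archive in memory.

    The standard library cannot write password-protected zips, so when
    encrypted=True the encryption bit is set by hand in the local file header
    (flag field at offset 6) and the central directory header (offset 8).
    The payload is left unencrypted; the triage code never extracts it.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(entry_name, payload)
    data = bytearray(buf.getvalue())
    if encrypted:
        for signature, offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(signature)
            while pos != -1:
                flags = struct.unpack_from("<H", data, pos + offset)[0]
                struct.pack_into("<H", data, pos + offset, flags | ENCRYPTED_FLAG)
                pos = data.find(signature, pos + 4)
    return bytes(data)


if __name__ == "__main__":
    # Constructed sample: a "password-protected" archive holding a macro-enabled document name.
    sample = make_sample_zip("invoice_2021.docm", b"constructed placeholder, not a real document", True)
    print(inspect_zip_attachment(sample))
```

The verdict is deliberately coarse: an encrypted archive with a macro-capable document name is enough to route the message to quarantine or a sandbox that can be handed the password from the e-mail body, rather than letting the gateway pass it through unscanned.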
Emotet is not a singular botnet, but is actually several separate networks that each have their own C2 servers, spam campaigns, and other infrastructure. The networks are identified as Epoch1, Epoch2, and so on, and most recently Epoch4 and Epoch5 have been installing Cobalt Strike beacons directly on infected computers.