Right in time for the holidays, the notorious Emotet malware is once again directly installing Cobalt Strike beacons for rapid cyberattacks.
For those not familiar with Emotet, it is considered one of the most widespread malware infections and is distributed through phishing emails that include malicious attachments.
Historically, once a device becomes infected, Emotet will steal a victim’s email to use in future campaigns and then drops malware payloads, such as TrickBot and Qbot.
However, earlier this month, Emotet began to test installing Cobalt Strike beacons on infected devices instead of their regular payloads.
Cobalt Strike is a legitimate pentesting tool that threat actors commonly use to spread laterally through an organization and ultimately deploy ransomware on a network.
This test was brief, and the threat actors soon went back to distributing their typical payloads.
Last week, the Emotet threat actors suspended their phishing campaigns, and since then, researchers have not seen any further activity from the group.
“Spamming stopped last week on Thursday, and since then, they have been quiet with very little of ANYTHING going on until today,” Joseph Roosen of the Cryptolaemus Emotet group told BleepingComputer.
However, Cryptolaemus is now warning that starting today, the threat actors have once again begun installing Cobalt Strike beacons to devices already infected by Emotet.
#Emotet E5 Update. We are observing CS Beacons being dropped as of the last few minutes with the following C2 s://koltary[.]com/jquery-3.3.1.min.js. Watermark is once again “0”. Looks like someone finally sobered up and decided to do something with the new botnet. 1/x
Roosen told BleepingComputer that Emotet is now downloading the Cobalt Strike modules directly from its command and control server and then executing them on the infected device.
With Cobalt Strike beacons installed directly by Emotet, the threat actors who use them to spread laterally through a network, steal files, and deploy malware gain immediate access to compromised networks.
This access speeds up the delivery of attacks, and because it comes right before the holidays, it could lead to numerous breaches, since enterprises now have limited staff to monitor for and respond to attacks.
In a sample of the Cobalt Strike beacon shared with BleepingComputer, the malware will communicate with the attacker’s command and control servers through a fake ‘jquery-3.3.1.min.js’ file.
Each time the malware communicates with the C2, it attempts to download the jQuery file, which has one variable changed to carry new instructions on each request, as shown by the highlighted text in the image below.
As most of the file is legitimate jQuery source code and only a small part of it is changed, the traffic blends in with legitimate requests, making it easier to bypass security software.
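A defender-side triage check for the pattern described above, added here as an example and not code from the article or from any of the researchers it quotes: it compares a fetched 'jquery-3.3.1.min.js' body with a pinned vendor copy and flags responses that are almost, but not exactly, the real library. The jQuery text and the injected value below are constructed stand-ins, not the real file or a real beacon sample.

```python
import difflib
import hashlib

# Constructed stand-in for the real jquery-3.3.1.min.js (the real file is ~85 KB);
# in practice load the vendor copy from disk and pin its SHA-256.
KNOWN_GOOD_JQUERY = (
    "/*! jQuery v3.3.1 | (c) JS Foundation | jquery.org/license */\n"
    '!function(e,t){"use strict";var n=[],r=e.document,i=Object.getPrototypeOf;'
    "var s=n.slice,u=n.concat,l=n.push,a=n.indexOf,f={},d=f.toString;"
    "var p=f.hasOwnProperty,h=p.toString,g=h.call(Object),v={};"
    'var m=function(e){return"function"==typeof e};\n'
)
KNOWN_GOOD_SHA256 = hashlib.sha256(KNOWN_GOOD_JQUERY.encode()).hexdigest()

# Constructed response in which a single variable's value has been swapped for an
# encoded blob: the "mostly real jQuery, one variable changed" shape the article describes.
SUSPECT_RESPONSE = KNOWN_GOOD_JQUERY.replace(
    "v={};", 'v="Y29uc3RydWN0ZWQgYmVhY29u";'
)


def analyze_jquery_response(body: str, reference: str = KNOWN_GOOD_JQUERY,
                            min_ratio: float = 0.90) -> dict:
    """Classify a fetched '*.min.js' body against the pinned vendor copy.

    verdict : 'match' (byte-identical), 'near_match' (mostly identical with a few
              small edits: the masquerading-C2 shape, worth alerting on) or
              'unrelated' (a different file altogether).
    ratio   : difflib similarity to the reference, 0..1.
    changed : (reference_slice, observed_slice) for every differing region, so an
              analyst can see exactly which variable was altered.
    Character-level difflib is fine for a triage script; for full-size libraries
    compare per line to keep the diff cheap.
    """
    if hashlib.sha256(body.encode()).hexdigest() == \
            hashlib.sha256(reference.encode()).hexdigest():
        return {"verdict": "match", "ratio": 1.0, "changed": []}
    sm = difflib.SequenceMatcher(None, reference, body, autojunk=False)
    ratio = sm.ratio()
    changed = [(reference[i1:i2], body[j1:j2])
               for tag, i1, i2, j1, j2 in sm.get_opcodes() if tag != "equal"]
    verdict = "near_match" if ratio >= min_ratio else "unrelated"
    return {"verdict": verdict, "ratio": ratio, "changed": changed}


if __name__ == "__main__":
    for label, body in (("vendor copy", KNOWN_GOOD_JQUERY), ("suspect", SUSPECT_RESPONSE)):
        print(label, analyze_jquery_response(body))
```

Feeding a proxy's cached copy of the script into this check turns "looks like jQuery" into a concrete diff of the altered variable, which is the artifact worth pivoting on during an investigation.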
The rapid deployment of Cobalt Strike through Emotet is a significant development that should be on the radars of all Windows and network admins and security professionals.
With this increased distribution of beacons to already infected devices, it is anticipated that we will see an increased number of corporate breaches and ultimately ransomware attacks right before or during the holidays.
Emotet now drops Cobalt Strike, fast forwards ransomware attacks