While monitoring current Emotet botnet activity, security researchers discovered that the Quantum and BlackCat ransomware gangs are now using the malware to deploy their payloads.

This is an interesting development given that cybercrime syndicate Conti was the one that previously used the botnet before switch off in June.

The Conti group is the one that orchestrated his return in November after international law enforcement action shot down The Emotet Framework early 2021.

“The Emotet (also known as SpmTools) botnet has fueled major cybercriminal groups as an initial attack vector, or precursor, for many ongoing attacks,” security researchers at the intelligence firm said. AdvIntel. said.

“From November 2021 until Conti was disbanded in June 2022, Emotet was a Conti ransomware exclusive tool, however, the Emotet infection chain is currently attributed to Quantum and BlackCat.”

The botnet is now being used to install a Cobalt Strike beacon on infected systems as a second-stage payload, according to AdvIntel, allowing attackers to move laterally and deploy ransomware payloads to the victim’s network.

This matches Conti’s attack flow which included Emotet after his revival, minus the initial access vector via the TrickBot botnet.

AdvIntel says Emotet has inflicted a lot of damage year-to-date as it has tracked more than 1,200,000 Emotet-infected systems worldwide, with activity peaking between February and March.

Emotet infections in 2022
Emotet infections in 2022 (AdvIntel)

AdvIntel’s assessment was confirmed in June by ESET who said they had detected a massive increase in Emotet activity since the beginning of the year, “more than 100 times higher than that of Q3 2021”.

Agari also revealed in August that the botnet has seen a significant increase in the second quarter, replacing QBot in phishing campaigns, collectively accounting for more than 90% of all malware that landed in its customers’ inboxes.

The emoticon The malware was first deployed in attacks as a banking Trojan in 2014 and evolved into a botnet used by the threat group TA542 (aka Mama Spider) to steal data, perform reconnaissance, and move laterally through victim networks, as well as deliver malicious second-stage payloads.

Since June, the botnet has been updated to infect potential victims with a credit card theft module that will attempt to collect credit card information stored in Google Chrome user profiles.

This change came after an increase in activity in April and a switch to 64-bit modulesas the Cryptolema spotted security research group.

Emotet (just like Qbot and Icy ID) also switched to Windows Shortcut Files (.LNK) from Microsoft Office Macros (now disabled by default) as an attack vector to infect target devices.

Luckily, Emotet campaigns aren’t very active, if at all, right now, with most malicious phishing campaigns revolving around Qbot and IcedID.

However, this could quickly change and lead to a rapid deployment of ransomware attacks, so Emotet continues to be malware defenders need to watch out for.


Source link