December 15, 2021 — Eric Swotinsky
Incident reports

Emotet, in new tactic, deploys Cobalt Strike directly


The notorious Emotet malware, which recently returned from a hiatus after its botnet was dismantled by a joint task force early this year, has begun installing Cobalt Strike directly — a deviation from its typical tactic of installing a trojan like TrickBot or Qbot and then delivering Cobalt Strike through it.

Cobalt Strike is a legitimate tool used in penetration testing. It gives the tester the ability to survey the network and to execute commands remotely on compromised hosts. Attackers often use cracked versions of the tool in breaches, including as a staging point for installing ransomware.

Installing Cobalt Strike directly eliminates the delay between the initial infection and the subsequent installation of the pen testing tool, giving victims less time to detect and mitigate the infection before ransomware is executed.

Acronis Cyber Protect uses advanced behavioral detection to identify and block Emotet as well as Cobalt Strike, Qbot and TrickBot, while the included Active Protection stops ransomware in its tracks, no matter how it found its way onto your systems.