Conti and Emotet, a deadly couple in the world of ransomware


Conti and Emotet

The combined use of Conti and Emotet in ransomware attacks is well documented, as research by Intel 471 shows, not forgetting TrickBot, a malware platform now capable of infecting Linux systems as well.

This relationship is further highlighted by Intel 471, which shows how much interdependence there is between those who use Conti for their attacks and Emotet. By monitoring the campaigns of the latter malware platform, researchers have gathered a range of information and built a more precise picture of how cybercriminals use Emotet together with Conti.

Analyzing ransomware attacks confirmed between 25 December 2021 and 25 March 2022, researchers discovered dozens of victims of Emotet malspam. The estimate, however, does not account for potential victims who chose to pay the ransom in order to remain anonymous, nor for those not named in the announcements published by the responsible groups; as a result, the real number could be much greater.
What emerges is that, although Emotet can be connected to both TrickBot and Conti, the “leadership” responsible for malspam is not the same. While TrickBot and Conti belong to the same "container" (with Conti acquiring TrickBot earlier this year), Emotet is independent and its operations are massive in scope, with some automated components.

[Figure: The Emotet malware in action]

Conti affiliates, by contrast, exploit Emotet for initial access, using the extracted data to choose the next targets. In any case, the attack chains show the interdependence of these criminal groups, especially in the revival of Emotet observed by Intel 471 as early as November 2021. The most interesting aspect, however, is that Conti appears to be run on the model of a legitimate company, as shown by the well-known Conti Leaks. Finally, according to Intel 471, the presence of Emotet in the systems of a target organization indicates a very high probability of a subsequent ransomware attack; companies must therefore adopt a preventive and proactive stance towards Emotet.

Yet Another New Attack Method Shows Up From the Group Behind Emotet


The new technique is a bit interesting and not terribly complex. Instead of their usual pivot via macros, or even via XLL, they are using .LNK files that are simply links to PowerShell commands. The commands are obfuscated in a couple of ways; the first is by adding null characters to the LNK so that the command is not visible in the properties window (much like adding spaces and a double extension to a malicious binary, e.g. [.]pdf [.]exe). The group has also moved to 64-bit modules to ensure they are spreading the love around properly.

The command referenced in the LNK file appears to create a second PowerShell script, which then uses Regsvr32.exe not only to run the new script but also to register a DLL, completing the infection. As previously reported, TA542 took a bit of a break after law enforcement went after its infrastructure. However, it is clear that the group is not finished, as it has been observed ramping up new activity with new TTPs. Emotet is known to be part of follow-on campaigns for groups like Conti, and the recent leak of messages from the Conti group confirms cooperation between the two.
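As an added defender-side example (not code from the original post), the following Python walks the StringData section of a .LNK as laid out in MS-SHLLINK, strips the null padding described above so the real command line becomes visible, and flags shortcuts whose target or arguments invoke powershell or regsvr32. The sample shortcut it builds is constructed for the demonstration and carries only a benign placeholder command.

```python
import struct
# ShellLinkHeader fields and LinkFlags bits as defined in MS-SHLLINK
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_DATA = [("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10),
               ("arguments", 0x20), ("icon_location", 0x40)]  # on-disk order

def parse_lnk_string_data(data: bytes) -> dict:
    """Walk the header, skip IDList and LinkInfo, return the StringData fields."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link (.LNK) file")
    pos = 0x4C
    if flags & HAS_IDLIST:      # IDListSize (2 bytes) followed by the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:   # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    fields = {}
    for name, bit in STRING_DATA:
        if flags & bit:         # CountCharacters (2 bytes) + unterminated string
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + count * width]
            fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + count * width
    return fields

def triage_lnk(data: bytes) -> tuple:
    """Return (findings, de-padded command line) for one .LNK file."""
    fields = parse_lnk_string_data(data)
    args = fields.get("arguments", "")
    nulls = args.count("\x00")                 # padding that hides the real command
    cleaned = args.replace("\x00", "").strip()
    findings = []
    if nulls:
        findings.append(f"{nulls} null characters in COMMAND_LINE_ARGUMENTS")
    haystack = (fields.get("relative_path", "") + " " + cleaned).lower()
    for tool in ("powershell", "regsvr32"):
        if tool in haystack:
            findings.append(f"shortcut runs {tool}")
    return findings, cleaned

def build_sample_lnk(relative_path: str, arguments: str) -> bytes:  # constructed test input
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, 0x08 | 0x20 | IS_UNICODE)
    def enc(s): return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header.ljust(0x4C, b"\x00") + enc(relative_path) + enc(arguments)

# Constructed sample: a benign placeholder command hidden behind 300 null characters
SAMPLE = build_sample_lnk(r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                          "\x00" * 300 + '-NoProfile -Command "Write-Output CONSTRUCTED"')
```

Running `triage_lnk(SAMPLE)` reports the 300 null characters and the PowerShell target, and returns the command line that the properties dialog would not show.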

Threat groups never really stop developing; they might not expose new techniques and tactics while the old ones still work, but they always have fun stuff in their back pocket for when current campaigns fail. This means that organizations need to be better prepared to detect and counter threats, especially when they evolve rapidly during renewed operations. As with the XLL file attack, the risk of infection or compromise can be reduced through the use of behavior-based anti-malware, security culture training, anti-phishing techniques, and good URL inspection and blocking.