Briefing Malware
BLOG CERT SOGETI ESEC

Briefing Malware - 14/12/2021

14th of December 2021 - Winners of the 50th week: Redline, Emotet and Formbook.

Some links point to extended actionable intelligence (Threat Bulletins, TTPs, signatures, etc.) on our Threat Intelligence Platform, Anomali. This access is limited to our clients.


Threat statistics report

Publication date:

14/12/2021

Distribution:

TLP: WHITE

What's new?

Emotet (ID MITRE: S0367)

Emotet now drops Cobalt Strike, fast forwarding ransomware attacks

#CobaltStrike is a popular post-exploitation framework whose capabilities include, among others, discovery, lateral movement and persistence.

Cybersecurity researchers at #Cryptolaemus noticed during the latest #Emotet campaign that the infection chain had changed, potentially to accelerate the attack. Previously, this malware dropped an intermediate malware such as #Trickbot or #Qbot, which in turn installed a #CobaltStrike implant.

Instead, #Emotet now installs #CobaltStrike Beacons/stagers itself, without any intermediate payload, and then contacts the #Epoch5 servers to uninstall itself. This makes the malware even more efficient and therefore harder to detect.

#Emotet is one of the most effective #botnets; it resurfaced in mid-November after being taken down by law enforcement during Operation #LadyBird at the end of January 2021. The botnet, which started as a #banking trojan, has been active since at least 2014. It is operated by the threat actor #TA542 (aka #Mummy Spider) and has been observed delivering payloads such as #Trickbot and #QBot, which in turn drop ransomware such as #Conti, #Ryuk or #Egregor.


https://www.bleepingcomputer.com/news/security/emotet-now-drops-cobalt-strike-fast-forwards-ransomware-attacks/
