BLOG CERT SOGETI ESEC

Briefing Malware - 25/01/2022

25th of January 2022 - Winners of the 4th week: Redline, Emotet and NjRAT.

Some links point to extended actionable intelligence (Threat Bulletins, TTPs, signatures, etc.) on our Threat Intelligence Platform, Anomali. This access is limited to our clients.

Threat statistics report

Publication date: 25/01/2022

Distribution: TLP:WHITE

What's new?

Emotet (MITRE ATT&CK ID: S0367)

Emotet Spam Abuses Unconventional IP Address Formats to Spread Malware

#TrendMicro observed the latest #Emotet spam campaign and found that a new #obfuscation technique is being used to evade classic detection measures.

The malicious actor abused the legacy #Excel 4.0 macro feature, in this case an auto_open macro, delivered as an email attachment. The novelty is that the URL is obfuscated with carets and the IP address is written in octal or hexadecimal notation; the operating system automatically converts it into the classic dotted-decimal format. The following actions are more common and download an HTML Application (HTA) as the next stage.
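To make such URLs matchable against ordinary blocklists, a defender can strip the caret escapes and canonicalize the numeric host the way inet_aton does (hex, octal, decimal and dword forms). The following Python is an added example written for this briefing, not code from Trend Micro or the campaign; the sample URLs are constructed around the TEST-NET-3 address 203.0.113.5.

```python
from typing import Optional
from urllib.parse import urlsplit

def _parse_part(part: str) -> int:
    """Parse one dotted component the way inet_aton does: 0x.. hex, 0.. octal, else decimal."""
    if not part.isalnum():          # rejects '', signs, whitespace, underscores
        raise ValueError(part)
    if part[:2].lower() == "0x":
        return int(part[2:], 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)

def canonical_ipv4(host: str) -> Optional[str]:
    """Return the dotted-decimal form of an inet_aton-style numeric host, or None."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [_parse_part(p) for p in parts]
    except ValueError:
        return None
    # inet_aton rule: the last component fills all remaining bytes (a.b.c.d, a.b.c, a.b, a).
    widths = [8] * (len(values) - 1) + [8 * (5 - len(values))]
    packed = 0
    for value, width in zip(values, widths):
        if value >= 1 << width:
            return None
        packed = (packed << width) | value
    return ".".join(str((packed >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def normalize_url(raw: str) -> dict:
    """Strip cmd.exe-style caret escapes and canonicalize a numeric host for blocklist matching."""
    cleaned = raw.replace("^", "")
    host = urlsplit(cleaned).hostname or ""
    canon = canonical_ipv4(host)
    return {
        "cleaned": cleaned,
        "host": host,
        "canonical_ip": canon,
        "obfuscated": "^" in raw or (canon is not None and canon != host),
    }

if __name__ == "__main__":
    # Constructed samples (203.0.113.5 written four ways), not taken from a real campaign.
    for sample in ("h^t^t^p^:^/^/0xcb007105/x.hta",
                   "http://0313.0.0161.05/x.hta",
                   "http://3405803781/x.hta",
                   "http://203.0.113.5/x.hta"):
        print(normalize_url(sample))
```

Browsers and HTTP libraries differ in which of these forms they accept, so the canonical value should be matched in addition to, not instead of, the raw string seen in the macro.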

This mechanism was discovered around the time #Microsoft announced that Excel 4.0 macros are disabled by default as of Excel build 16.0.14427.10000.

Despite its 10-month hiatus, Emotet keeps evolving, as shown by the #Cobalt Strike beacon-dropping tactic discovered in December 2021.

https://www.trendmicro.com/en_us/research/22/a/emotet-spam-abuses-unconventional-ip-address-formats-spread-malware.html
