Briefing Malware
BLOG CERT SOGETI ESEC

Briefing Malware - 08/02/2022

8th of February 2022 - Winners of the 6th week: Emotet, Redline and NjRAT.

Some links point to extended actionable intelligence (Threat Bulletins, TTPs, signatures, etc.) on our Threat Intelligence Platform, Anomali. This access is limited to our clients.


Threat statistics report

Publication date: 08/02/2022

Distribution: TLP:WHITE

What's new?

Emotet (MITRE ATT&CK ID: S0367)

Microsoft disables MSIX protocol handler abused in Emotet attacks

#Microsoft has announced that it will disable the #MSIX ms-appinstaller protocol handler to limit malware exploitation of the #Windows AppX Installer spoofing vulnerability tracked as #CVE-2021-43890.

Although this vulnerability was addressed in the December 2021 Patch Tuesday update, Microsoft justified this action by the massive exploitation of the flaw by #Emotet and #BazarLoader, and by the need to protect users who have not installed the security patch or applied the workaround that disables the handler.

In December 2021, #Emotet disguised its middle-stage payloads as the installation of an #Adobe PDF component to exploit this vulnerability and then install #Trickbot or #Qbot.

#Emotet is one of the most effective #botnets; it resurfaced in mid-November after being taken down by law enforcement during Operation #LadyBird at the end of January 2021. The botnet, which started as a #banking trojan, has been active since at least 2014, is operated by the threat actor #TA542 (aka #Mummy Spider), and has been observed delivering payloads such as #Trickbot and #QBot, which in turn drop ransomware such as #Conti, #Ryuk or #Egregor.


https://www.bleepingcomputer.com/news/microsoft/microsoft-disables-msix-protocol-handler-abused-in-emotet-attacks/
