Briefing Malware
BLOG CERT SOGETI ESEC

Briefing Malware - 22/03/2022

22nd of March 2022 - Winners of the 12th week: Redline, NjRAT and Formbook.

Some links point to extended actionable intelligence (Threat Bulletins, TTPs, signatures, etc.) on our Threat Intelligence Platform, Anomali. This access is limited to our clients.


Threat statistics report

Publication date: 22/03/2022

Distribution: TLP:WHITE

What's new?

Emotet (MITRE ATT&CK ID: S0367)

Emotet malware campaign impersonates the IRS for 2022 tax season

Threat researchers from #Black Lotus Labs observed an increase in the number of emails sent by Emotet in March. This supports the resurgence of the #Emotet botnet since November 2021; it has since grown to approximately 130,000 unique bots spread across 179 countries. #Tripwire estimated that the malware was involved in 30% of all malware attacks in 2021.

Emotet is a malware botnet distributed through phishing emails carrying malicious Excel or Word documents with #macros. Once the malware has compromised a target, it can install additional malware such as #Cobalt Strike beacons, #ransomware or a #RAT, but also send further spam emails and even hijack the user's existing email threads to distribute itself to the other recipients. The latest version (Epoch 5) includes new functionalities and improvements, notably in its network encryption.

As the US tax season begins, the malicious emails distributing Emotet impersonate the #IRS (US Internal Revenue Service), sending documents that pose as taxation forms. This campaign delivers either a password-protected zip file or an HTML file, both formats being hard for secure email gateways to inspect. The growth of the Emotet botnet might be helped by #Conti group members joining the Emotet operators, as the close relationship between Conti and Emotet was recently confirmed by the Conti Leaks.

https://www.bleepingcomputer.com/news/security/emotet-malware-campaign-impersonates-the-irs-for-2022-tax-season/
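As an added example (not part of the CERT Sogeti briefing or of any vendor tooling), the Python routine below shows one defensive check a mail-security team can run on attachments to catch the three lure formats named above: HTML attachments, password-protected zip archives (detected from the zip encryption flag bit, which is visible without the password) and Office documents carrying a VBA project part. The attachment names and the sample files are constructed in memory for the demonstration; the function and constant names are our own.

```python
import io
import zipfile

# Attachment triage for the Emotet delivery vectors named in the briefing:
# macro-enabled Office documents, password-protected zip archives and HTML
# attachments. Returns the reasons an attachment deserves quarantine or
# manual review; an empty list means nothing was flagged.

ENCRYPTED_FLAG = 0x0001  # zip general-purpose flag bit 0: entry is encrypted
# OOXML keeps VBA code in a vbaProject.bin part; its presence, not the file
# extension, is what makes a .docm/.xlsm/.pptm carry macros.
OFFICE_MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
HTML_EXTENSIONS = (".html", ".htm", ".shtml")


def triage_attachment(filename: str, data: bytes) -> list:
    """Return the list of reasons this attachment should be held for inspection."""
    reasons = []
    if filename.lower().endswith(HTML_EXTENSIONS):
        reasons.append("html attachment")
    # Zip archives and OOXML documents share the same PK container format.
    if data[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                infos = zf.infolist()  # central directory only, no decryption needed
        except zipfile.BadZipFile:
            reasons.append("malformed zip container")
            return reasons
        if any(info.flag_bits & ENCRYPTED_FLAG for info in infos):
            reasons.append("password-protected zip")
        names = {info.filename for info in infos}
        if names.intersection(OFFICE_MACRO_PARTS):
            reasons.append("office document with vba macros")
    return reasons


def _build_zip(entries: dict, encrypted: bool = False) -> bytes:
    """Build a constructed sample archive in memory (test data, not a real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    raw = bytearray(buf.getvalue())
    if encrypted:
        # The stdlib cannot write encrypted archives, so the sample sets bit 0 of
        # the flags field in each central-directory header (offset 8 from the
        # PK\x01\x02 signature). The central directory is located through the
        # end-of-central-directory record so nested zip data is left untouched.
        eocd = raw.rfind(b"PK\x05\x06")
        cd_start = int.from_bytes(raw[eocd + 16:eocd + 20], "little")
        pos = raw.find(b"PK\x01\x02", cd_start)
        while pos != -1:
            raw[pos + 8] |= ENCRYPTED_FLAG
            pos = raw.find(b"PK\x01\x02", pos + 4)
    return bytes(raw)


# Constructed samples standing in for the three lure types.
SAMPLE_HTML = b"<html><body>Your 2021 tax statement is attached.</body></html>"
SAMPLE_MACRO_DOC = _build_zip({
    "[Content_Types].xml": b"<Types/>",
    "word/document.xml": b"<w:document/>",
    "word/vbaProject.bin": b"\xd0\xcf\x11\xe0" + b"\x00" * 12,
})
SAMPLE_ENCRYPTED_ZIP = _build_zip({"W-9_form.docm": SAMPLE_MACRO_DOC}, encrypted=True)
SAMPLE_BENIGN_ZIP = _build_zip({"readme.txt": b"plain text, nothing to see"})


def triage_samples() -> dict:
    """Run the triage over the constructed inbox, keyed by attachment name."""
    inbox = {
        "irs_statement.html": SAMPLE_HTML,
        "W-9_form.docm": SAMPLE_MACRO_DOC,
        "tax_documents.zip": SAMPLE_ENCRYPTED_ZIP,
        "notes.zip": SAMPLE_BENIGN_ZIP,
    }
    return {name: triage_attachment(name, data) for name, data in inbox.items()}


if __name__ == "__main__":
    for name, reasons in triage_samples().items():
        print(f"{name:22} -> {reasons or ['clean']}")
```

The check reads only the zip central directory, so a password-protected archive is flagged without ever needing the password; the gateway's difficulty is in inspecting the content, not in recognising that it is encrypted. Entries nested inside an archive are not unpacked here, so a production version would recurse into non-encrypted inner archives and inspect the extracted documents with the same routine.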

 

Download the report