Briefing Malware

Briefing Malware - 19/04/2022

19th of April 2022 - Winners of the 16th week: Formbook, Redline and NjRAT.

Some links point to extended actionable intelligence (Threat Bulletins, TTPs, signatures, etc.) on our Threat Intelligence Platform, Anomali. This access is limited to our clients.


Threat statistics report


What's new?

Emotet (ID Mitre: S0367)

Trends in the Recent Emotet Maldoc Outbreak

#Fortiguard Labs released a deep analysis of the #Emotet malware campaigns observed during the last months.

All those campaigns started with malicious #Microsoft Office documents attached to #phishing emails. However, it has been observed that the method used to drop #Emotet after the victim opens the attachment can change.

Taking advantage of hot topics like #Covid and the #Ukrainian conflict, or generic ones implying a forwarded or reply email, threat actors also use password-protected archive attachments, with the password inside the body of the mail, to give a false sense of security about the attached file. Researchers also observed that threat actors often switch macro type from Visual Basic for Applications (#VBA) to #Excel v4.0 as they switch Office document type from #Word to #Excel.
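A mail-gateway style check for the lure described above (an encrypted archive attached while the password sits in the message body), as an added example that is not taken from the Fortiguard report. The function names, the password regex and the constructed sample message are assumptions made for illustration.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Heuristic (assumption): a password-like hint in the body, e.g. "Password: 1234".
PASSWORD_HINT = re.compile(r"\b(?:password|passcode|pwd)\b\s*[:=]?\s*\S+", re.I)

def encrypted_members(zip_bytes):
    """Names of ZIP members whose general-purpose flag bit 0 (encrypted) is set."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [i.filename for i in zf.infolist() if i.flag_bits & 0x1]

def check_message(raw):
    """Flag encrypted ZIP attachments when the body also carries a password."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        try:
            locked = encrypted_members(data)
        except zipfile.BadZipFile:
            continue  # attachment is not a ZIP archive
        if locked and PASSWORD_HINT.search(text):
            findings.append({"attachment": part.get_filename(), "encrypted": locked})
    return findings

def build_sample(body, encrypted):
    """Constructed test message; the ZIP content is a harmless placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("form.xls", "placeholder")
    data = bytearray(buf.getvalue())
    if encrypted:
        # Set bit 0 of the flags field in the central directory record,
        # which is what zipfile reads; the data itself is not encrypted.
        data[data.find(b"PK\x01\x02") + 8] |= 0x01
    msg = EmailMessage()
    msg["Subject"] = "Re: pending form"
    msg.set_content(body)
    msg.add_attachment(bytes(data), maintype="application", subtype="zip",
                       filename="form.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(check_message(build_sample("See attached. Password: 4321", True)))
```

A hit means the gateway could not inspect the archive content while the recipient was handed the means to open it, which is a reasonable trigger for quarantine or sandbox detonation using the extracted password.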

#Emotet is one of the most effective #botnets. It resurfaced in mid-November after being taken down by law enforcement during Operation #LadyBird at the end of January 2021. The botnet, which started as a #banking trojan, has been active since at least 2014 and is operated by the threat actor #TA542 (aka #Mummy Spider). It has been observed delivering payloads such as #Trickbot and #QBot, which drop ransomware such as #Conti, #Ryuk or #Egregor.

