Briefing Malware
BLOG CERT SOGETI ESEC

Briefing Malware - 25/04/2022

25th of April 2022 - Winners of the 17th week: NjRAT, Redline and Emotet.

Some links point to extended actionable intelligence (Threat Bulletins, TTPs, signatures, etc.) on our Threat Intelligence Platform, Anomali. This access is limited to our clients.


Threat statistics report

Publication date: 25/04/2022

Distribution: TLP: WHITE

What's new?

Emotet (ID Mitre: S0367)

Emotet malware infects users again after fixing broken installer

#Emotet operators had to pause their malware distribution campaign because of a bug that prevented victims from becoming infected when they opened the malicious email attachments. The campaign is delivered through spam with a malicious #password-protected ZIP file attachment containing Windows LNK (shortcut) files that pretend to be Word documents. The previous campaign required the user to open the attachment; the malicious macros or scripts would then download the #Emotet DLL and load it into memory.

When a user clicked on the shortcut, it would execute a command that searched for a string, wrote it into a #VBS script and executed it. This command contained a bug because it used a static shortcut name, so it failed whenever the file had been renamed. Emotet operators fixed the bug and started spamming users again.

Once installed, the malware searches for and steals emails for use in future spam campaigns, and drops additional payloads such as #Cobalt Strike or other malware that commonly leads to ransomware attacks.

https://www.bleepingcomputer.com/news/security/emotet-malware-infects-users-again-after-fixing-broken-installer/
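The delivery chain above (ZIP attachment containing an LNK shortcut named like a Word document) lends itself to a simple mail-gateway triage check. The following Python is an added example written for this briefing, not code from the article or from Sogeti's own tooling. It flags archive entries whose name mimics an Office document but ends in .lnk, and, where the archive is not encrypted, confirms the content is really a shortcut by checking the fixed LNK header (the 4-byte HeaderSize 0x4C followed by the Shell Link CLSID). The sample archive and its file names are constructed inline for the demonstration; entry names of a password-protected ZIP are still readable because the central directory is not encrypted, so the name-based check works on those too.

```python
import io
import re
import zipfile

# LNK files begin with HeaderSize = 0x0000004C, then the Shell Link CLSID
# {00021401-0000-0000-C000-000000000046} in its on-disk (little-endian) layout.
LNK_MAGIC = b"\x4c\x00\x00\x00"
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# Heuristic: a shortcut whose name mimics a document, e.g. "Invoice.doc.lnk".
DOC_MASQUERADE = re.compile(r"\.(docx?|xlsx?|pdf|rtf)\.lnk$", re.IGNORECASE)

# ZIP general-purpose flag bit 0 means the entry data is encrypted.
ENCRYPTED_FLAG = 0x1


def is_lnk(header: bytes) -> bool:
    """True if the first 20 bytes look like a Windows Shell Link header."""
    return header[:4] == LNK_MAGIC and header[4:20] == LNK_CLSID


def triage_archive(zip_bytes: bytes) -> dict:
    """Inspect a ZIP attachment and report suspicious shortcut entries.

    'masquerading_lnk' lists entries named like documents but ending in .lnk
    (name check only, so it works on password-protected archives as well).
    'any_lnk' lists entries whose bytes carry a real LNK header; this check is
    skipped for encrypted entries because their data cannot be read.
    """
    findings = {"masquerading_lnk": [], "any_lnk": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if DOC_MASQUERADE.search(info.filename):
                findings["masquerading_lnk"].append(info.filename)
            if not (info.flag_bits & ENCRYPTED_FLAG):
                with zf.open(info) as fh:
                    if is_lnk(fh.read(20)):
                        findings["any_lnk"].append(info.filename)
    return findings


def build_sample_archive() -> bytes:
    """Constructed test input: an unencrypted ZIP with two shortcuts and a text file.
    The shortcut bodies are only a valid header plus padding, not real LNK payloads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2022.doc.lnk", LNK_MAGIC + LNK_CLSID + b"\x00" * 56)
        zf.writestr("readme.txt", b"just text")
        zf.writestr("notes.lnk", LNK_MAGIC + LNK_CLSID + b"\x00" * 56)
    return buf.getvalue()


if __name__ == "__main__":
    for key, names in triage_archive(build_sample_archive()).items():
        print(f"{key}: {names}")
```

In a gateway, a non-empty masquerading_lnk list on an inbound archive is a strong quarantine signal on its own; the header check adds confidence on unencrypted archives and avoids false positives on files that merely carry the .lnk extension.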
