Briefing Malware
BLOG CERT SOGETI ESEC

Briefing Malware - 27/06/2022

27 June 2022 - Winners of week 26: Redline, NjRAT and Emotet.

Some links point to extended actionable intelligence (threat bulletins, TTPs, signatures, etc.) on our Threat Intelligence Platform, Anomali. That access is limited to our clients.

 

Threat statistics report

Publication date: 27/06/2022

Distribution: TLP:WHITE

What's new?

Emotet (MITRE ATT&CK ID: S0367)

Malicious Windows LNK attacks simplified with new Quantum builder

Malware researchers have spotted a new tool that helps #cybercriminals create malicious #LNK files that deliver #payloads in the early stages of an attack.

LNK files are widely used for malware distribution, particularly in phishing campaigns; notable families currently using them include #Emotet, #Bumblebee, #Qbot and #IcedID. #Quantum offers User Account Control (#UAC) bypass, #Windows SmartScreen bypass, loading of multiple payloads from a single LNK file, post-execution masking and delayed execution. The authors claim that files generated with Quantum are completely #undetectable, i.e. that antivirus engines and operating-system protection mechanisms fail to flag them as suspicious or dangerous. This is the sellers' claim rather than an independent test result: a shortcut still has to name the interpreter it launches and hand it a command line, and both remain readable in the file's target, arguments and icon fields, which is where triage should start.

The #PowerShell script that runs when the LNK file is opened closely resembles the scripts used by #Lazarus in recent campaigns, suggesting a possible connection. As long as #LNK files remain effective for malicious actors, the upward trend in their deployment should continue.

https://www.bleepingcomputer.com/news/security/malicious-windows-lnk-attacks-made-easy-with-new-quantum-builder/
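The triage a defender would want for the LNK lures described above, as an added example that is not code from this briefing, from the linked article, or from the Quantum builder: a small Python parser for the MS-SHLLINK (.lnk) binary format that pulls out the target, command-line arguments, icon location and ShowCommand of a shortcut, followed by heuristics that flag the traits the article lists (a script-host target with hidden or encoded PowerShell arguments, a minimised window, a document or system icon masking the real target). The two sample .lnk byte strings are constructed inline by build_lnk(); the keyword lists and the 200-character threshold are this example's assumptions, not published detection rules.

```python
"""Minimal MS-SHLLINK (.lnk) parser plus triage heuristics for LNK phishing lures.
Added example, not code from the briefing or from the Quantum builder. The sample
shortcuts are constructed by build_lnk(); keyword lists and thresholds are assumptions."""
import base64
import re
import struct

# LinkFlags bits (MS-SHLLINK section 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-000000000046}
SW_SHOWMINNOACTIVE = 7  # ShowCommand: window starts minimised and is not activated

def build_lnk(relative_path, arguments, icon_location, show_command=1, working_dir=None):
    """Build a minimal .lnk (76-byte header + StringData + TerminalBlock) for testing."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION
    if working_dir is not None:
        flags |= HAS_WORKING_DIR
    header = struct.pack("<I16sIIqqqIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    body = b""
    # StringData order is fixed by the spec: Name, RelativePath, WorkingDir, Arguments, IconLocation
    for s in (relative_path, working_dir, arguments, icon_location):
        if s is not None:
            body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body + b"\x00\x00\x00\x00"  # TerminalBlock ends the ExtraData section

def parse_lnk(data):
    """Return header fields and StringData of a .lnk as a dict; raise on non-LNK input."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_command = struct.unpack_from("<I", data, 60)[0]
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:   # skip IDList: 2-byte size followed by the items
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:             # skip LinkInfo: 4-byte size that includes itself
        off += struct.unpack_from("<I", data, off)[0]
    info = {"flags": flags, "show_command": show_command}
    for flag, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if not flags & flag:
            info[key] = None
            continue
        count = struct.unpack_from("<H", data, off)[0]  # character count, no terminator
        off += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[off:off + width * count]
        off += width * count
        info[key] = raw.decode("utf-16-le" if width == 2 else "latin-1")
    return info

SCRIPT_HOSTS = re.compile(r"(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32|"
                          r"msiexec|certutil)(\.exe)?\b", re.I)
SUSPICIOUS_ARGS = re.compile(r"(-enc\w*|-w\s+hidden|-windowstyle\s+hidden|-nop\b|-ep\s+bypass|"
                             r"executionpolicy\s+bypass|\biex\b|downloadstring|frombase64string|"
                             r"invoke-webrequest|\bbitsadmin\b)", re.I)
LURE_ICONS = re.compile(r"(shell32\.dll|imageres\.dll|notepad\.exe|winword|excel|acro|\.pdf|\.docx?)", re.I)

def triage_lnk(info, long_args=200):
    """Return a list of findings for a parsed .lnk; an empty list means no heuristic fired."""
    findings = []
    target = " ".join(filter(None, (info["relative_path"], info["working_dir"])))
    args = info["arguments"] or ""
    icon = info["icon_location"] or ""
    if SCRIPT_HOSTS.search(target) or SCRIPT_HOSTS.search(args):
        findings.append("target is a script host / LOLBin")
    if SUSPICIOUS_ARGS.search(args):
        findings.append("arguments contain encoded/hidden/download keywords")
    if len(args) > long_args:
        findings.append(f"command line unusually long ({len(args)} chars)")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("window starts minimised and inactive (SW_SHOWMINNOACTIVE)")
    if findings and LURE_ICONS.search(icon):
        findings.append("icon borrowed from a document/system binary unlike the real target")
    return findings

# Constructed samples: a PowerShell lure in the style the article describes, and a plain shortcut.
ENCODED = base64.b64encode("Write-Host 'constructed demo'".encode("utf-16-le")).decode()
MALICIOUS_ARGS = "-nop -w hidden -ep bypass -enc " + ENCODED
SAMPLE_MALICIOUS = build_lnk(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                             MALICIOUS_ARGS, r"%SystemRoot%\System32\shell32.dll",
                             show_command=SW_SHOWMINNOACTIVE)
SAMPLE_BENIGN = build_lnk(r"..\..\..\Program Files\Notepad++\notepad++.exe", "",
                          r"%ProgramFiles%\Notepad++\notepad++.exe",
                          working_dir=r"C:\Program Files\Notepad++")

if __name__ == "__main__":
    for label, blob in (("benign", SAMPLE_BENIGN), ("malicious", SAMPLE_MALICIOUS)):
        info = parse_lnk(blob)
        print(label, info["relative_path"], triage_lnk(info) or "no findings")
```

The parser deliberately stops at the StringData section: real shortcuts usually also carry an IDList, LinkInfo and ExtraData blocks (the LinkInfo volume serial and the TrackerDataBlock machine ID are useful for attribution), but target, arguments, icon and ShowCommand are what a phishing lure cannot hide, whatever the builder claims about detection.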

 

Download the report