Cofense Achieves SOC 2 Type II Compliance for PhishMe and Hosted Triage

Phishing Defense Leader Continues to Pursue Compliance Certifications for Data Security

LEESBURG, Va. – May 16, 2019 – Today Cofense™, the global leader in intelligent phishing defense solutions, announced it has successfully completed a Service Organization Controls (SOC) 2 Type II examination for Cofense PhishMe™ and Hosted Cofense Triage™. These product lines provide technology to help organizations train their employees to identify potential phishing risks and properly handle phishing attacks by individuals attempting to manipulate or deceive email recipients. Coalfire Controls, LLC, an independent CPA firm, conducted the audit.

SOC 2 compliance is a key industry standard in data security. Designed for entities operating in the technology and cloud computing sector, SOC 2 evaluates a service provider’s ability to securely manage customer data. In pursuit of this certification, organizations undergo a rigorous analysis that covers the following trust services criteria: security, availability, processing integrity, confidentiality and privacy. Cofense achieved SOC 2 Type I compliance in February 2018, which is based on having suitable controls in operation. For Type II, Cofense successfully showed the effectiveness of these controls over a period of time.

“Pursuing industry-leading certifications is just one way Cofense continues to demonstrate our commitment to larger compliance efforts that exceed enterprise standards,” said Keith Ibarguen, Chief Product Officer, Cofense. “SOC 2 Type II compliance is a proven standard to ensure the processing integrity, availability, security, confidentiality and privacy of customer data. Cofense aims to not only help our customers maintain strong security through our innovative technology offerings, but to also maintain strong relationships and trust through our own security and privacy practices.”

“Many organizations outsource information security operations to third-party vendors, and if their data is not handled securely, risk of exposure to data theft, extortion and malware increases dramatically. Given this threat of exposure, SOC 2 Type II is essential for organizations to clearly demonstrate the security control posture of their solutions,” states Chris Beiro, Sr. Director, SOC Practice, Coalfire. “Coalfire examined the PhishMe and Hosted Cofense Triage solutions and found that controls were suitably designed and operating effectively to provide reasonable assurance that the trust services criteria were met throughout the review period.”

The purpose of SOC standards is to help provide confidence and peace of mind for organizations and their third-party partners. Cofense maintains policies, strategies and processes that are designed to satisfactorily safeguard customer data. For more information, please visit http://www.cofense.com.

About Cofense 
Cofense™, formerly PhishMe®, is the leading provider of intelligent phishing defense solutions world-wide. Cofense delivers a collaborative approach to cybersecurity by enabling organization-wide engagement to active email threats. Our collective defense suite combines timely attack intelligence sourced from employees with best-in-class incident response technologies to stop attacks faster and stay ahead of breaches. Cofense customers include Global 1000 organizations in defense, energy, financial services, healthcare and manufacturing sectors that understand how changing user behavior will improve security, aid incident response and reduce the risk of compromise.

Media Contact 
press@cofense.com

Babylon RAT Raises the Bar in Malware Multi-tasking

CISO Summary

Ancient Babylon defeated its enemies with chariots, horses, and archers. Now Cofense Intelligence™ has analyzed a phishing campaign delivering the powerful Babylon Remote Administration Tool (RAT). This malware is an open-source tool that can handle many tasks: encrypt command-and-control communication, hide from network security controls, trigger denial of service (DoS) attacks, and last but not least, steal data. Used skillfully, Babylon RAT would make the armies of Hammurabi proud.

Full Details

Cofense Intelligence has analyzed a phishing campaign delivering a multi-feature open source Remote Administration Tool (RAT) named Babylon RAT. Babylon RAT’s Command and Control (C2) communication is encrypted, allows for dynamic domains, and can turn a client into a reverse SOCKS proxy for further obfuscation. This weaponized RAT has many real-time client interaction methods and is capable of information theft. The administration panel has features that can allow for lateral propagation across endpoints on a network. This tool has enough features that, if used correctly, it could devastate any organization.

Babylon RAT’s client code is written in C# and depends on .NET 4.5. The administration panel (shown in Figure 1) is written in C++ and provides the functionality to manage multiple server configuration options. One option is the port on which the administration panel listens when the server is started. Another is a network key used to authenticate the infection to the administration panel. Lastly, the configuration allows the operator to set the IP version over which it will connect. The File drop-down at the top provides access to the server, configurations, and the payload builder.

Figure 1: The administration panel and the management tabs for Babylon RAT 

C2 Details 

The initial C2 connection the client binary makes after being executed is hardcoded into the binary when it is built. The building process suggests dynamic domains so that the IP address can be changed without interruption to the communication. This connection is encoded and contains fingerprinting information about the infected host. This information includes IP address, Country, Username, PC name, Operating System (OS) details, and which program window is active for the end user. After initial communication with the C2, the infected endpoint will update the administration panel every 5 seconds by default. The check-in notice sent to the server from the client consists of very small network packets, only about 4-8 bytes in size. Figure 2 shows the administration panel with the details listed above. 

Figure 2: The administration panel and the fingerprinted information as listed above for Babylon RAT 

Babylon RAT can turn an infected machine into a SOCKS proxy, with a choice of version 4 or 5. The main difference between the versions is that version 5 supports authentication from the client to the proxy, which helps prevent abuse by unwanted parties. By creating a SOCKS proxy, the threat actors establish an encrypted tunnel and can have all of the infected hosts use it as a gateway, which allows for network capturing. It also means a threat actor needs only one exit point within a network while maintaining the infection of multiple machines: if the actor can keep communication with one endpoint, he can then propagate laterally and route all C2 traffic from the other infected clients out through that one endpoint. With access to the command prompt and stolen credentials, this would be trivial to do. This technique would also bypass email and URL filtering of unwanted binaries. Figure 3 shows the SOCKS proxy endpoint details and the amount of traffic flowing through it.

Figure 3: The SOCKS proxy tab and the details associated 

The client builder gives the option to use two different C2 domains for redundancy. When combining the ability to use multiple dynamic domains with a proxy server, a threat actor could effectively create layers of obfuscated traffic between the endpoint and the client through multiple channels.  
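The C2 behaviour described above (a check-in every 5 seconds by default, carried in packets of only about 4-8 bytes) is exactly the kind of regularity a defender can hunt for in flow logs. The following is an added example, not Cofense's code or anything from the Babylon RAT project: it scores each source/destination pair on how tightly clustered its inter-arrival times are and how small its payloads are, and flags pairs that look like a fixed-interval beacon. The flow records, addresses and the port 4782 are all constructed for the example.

```python
"""Fixed-interval beacon detection over constructed flow records."""
from collections import defaultdict
from statistics import median

# Constructed flow log: (epoch seconds, src, dst, dport, payload bytes).
# Addresses are from documentation ranges; nothing here is a real IoC.
FLOWS = [
    # a host checking in every ~5 s with 4-8 byte payloads (constructed)
    (1000.0, "10.0.0.5", "203.0.113.10", 4782, 6),
    (1005.1, "10.0.0.5", "203.0.113.10", 4782, 6),
    (1010.0, "10.0.0.5", "203.0.113.10", 4782, 8),
    (1014.9, "10.0.0.5", "203.0.113.10", 4782, 4),
    (1020.0, "10.0.0.5", "203.0.113.10", 4782, 6),
    (1025.0, "10.0.0.5", "203.0.113.10", 4782, 6),
    # ordinary browsing: irregular timing, larger payloads (constructed)
    (1000.0, "10.0.0.7", "198.51.100.20", 443, 517),
    (1003.4, "10.0.0.7", "198.51.100.20", 443, 1200),
    (1031.0, "10.0.0.7", "198.51.100.20", 443, 88),
    (1090.2, "10.0.0.7", "198.51.100.20", 443, 2400),
    (1091.0, "10.0.0.7", "198.51.100.20", 443, 310),
]


def beacon_candidates(flows, min_events=5, max_jitter=0.5, max_bytes=16):
    """Return {(src, dst, dport): median_interval_seconds} for pairs whose
    inter-arrival times are tightly clustered around one value and whose
    typical payload is tiny. Thresholds are tunable assumptions."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport, nbytes in flows:
        by_pair[(src, dst, dport)].append((ts, nbytes))

    hits = {}
    for pair, events in by_pair.items():
        if len(events) < min_events:      # too few samples to judge regularity
            continue
        events.sort()
        gaps = [later[0] - earlier[0] for earlier, later in zip(events, events[1:])]
        med_gap = median(gaps)
        jitter = max(abs(g - med_gap) for g in gaps)
        med_size = median(nbytes for _, nbytes in events)
        if jitter <= max_jitter and med_size <= max_bytes:
            hits[pair] = med_gap
    return hits


if __name__ == "__main__":
    for (src, dst, dport), interval in beacon_candidates(FLOWS).items():
        print(f"possible beacon {src} -> {dst}:{dport} every {interval:.1f}s")
```

Real traffic needs the thresholds tuned (legitimate keep-alives are also periodic), so treat a hit as a lead to pivot on host and process, not as a verdict on its own.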

Figure 4: The surveillance options that are available to the operator 

Notice in Figure 4 the option for password recovery. The password recovery module looks through applications, including web browsers, and harvests credentials but does not gather the OS user credentials. Although one could surmise that with the username above and a couple of passwords harvested, the OS user credentials could be compromised. If the OS user credentials are compromised, it would be easy for the operator to open the remote command prompt and attempt to log in to other network machines using those credentials. If successful at logging into another machine, it is then possible for the operator to have the second machine download/execute another payload. This would need to be automated, but it does reflect a propagation method for the RAT. Figure 5 shows the system options including the remote command prompt option. 

Figure 5: The system options that allow for further interaction and detail of the infected system 

Weaponized 

Adding to its already long list of functions, Babylon RAT has the ability to launch Denial of Service (DoS) attacks against targets from the infected hosts. The DoS feature can be set to a hostname or IP range and allows for multiple protocols to be initiated. The protocols all have adjustable thread and socket parameters. A threat actor can choose to have the attack use an individual protocol or all of the protocols available. Once this command is sent to a single host, the operator can easily replicate the command to the other infected hosts, effectively creating a larger Distributed Denial of Service (DDoS) attack. Figure 6 shows the configuration for the DoS attack and Figure 7 shows the machines’ status changing to DoS.

Figure 6: The parameters available for the DoS attack

Figure 7: The administration panel and the multiple infected hosts carrying out a DDoS attack 

In the End 

Babylon RAT is an open-source platform that allows for various misdeeds. The encrypted traffic and the ability to create SOCKS proxies can help negate network security measures. The client builder allows for anti-virus bypassing, which helps the binary reach the endpoint safely. The processes allowing for network propagation mean an infection is not limited to one endpoint. Combined with the ability to perform a DoS attack, Babylon RAT can be highly effective in the proper environment. Babylon RAT campaigns can be avoided with proper technology in place and by educating end users to recognize and report suspicious emails.

To stay ahead of emerging phishing and malware threats, sign up for free Cofense Threat Alerts. 


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.  

Pretty Pictures Sometimes Disguise Ugly Executables

CISO Summary

Reaching deep into their bag of tricks to avoid detection, threat actors are using an oldie but goodie: packing image files, usually a .jpg (think tropical beach scenes), with malicious executables. The technique allows attackers to avoid detection by some anti-virus programs that merely recognize a file as an image but don’t check its full contents.

This vintage tactic works—threat actors still use it a lot. Anti-virus systems rely on file headers to detect malware. Tuning systems to rely less on file headers is difficult and sometimes impossible. One counter-measure that does work: educate employees not to fall for phishing emails and encourage them to report any they find suspicious.

Full Details

Cofense Intelligence™ has been tracking the ongoing usage of image files to disguise malicious executables, a technique that can easily bypass network security measures. Threat actors will use a first stage malware downloader to retrieve an image file, most often a .jpg. The malware downloader then extracts a malicious executable that is embedded within the image. Finally, the malware runs the extracted binary in memory to avoid dropping an additional executable to disk. By using this technique to download the second binary, threat actors are able to avoid detection by some anti-virus (AV) programs that can determine the downloaded file to be an image but do not check the rest of the file contents.

Delivery

The malware downloader often used to deliver these types of files is an executable using the .NET framework. From May 2018 to April 2019, Cofense Intelligence saw images with embedded executables comprising more than 70% of the binaries downloaded by .NET executables. The images can be anything from famous actors to server rooms, but one of the more common ones can be seen in Figure 1.

Figure 1: Commonly seen image

The images used not only display correctly but often have additional “metadata,” an example of which can be seen in Figure 2. This metadata is not present in all cases and may be an artifact from the original image before it was modified.

Figure 2: Additional meta data included in the image

Contents

The downloaded files are treated as images because of their file header and, to a lesser degree, their file extension. File headers help the operating system determine how to interpret the contents of the file and can indicate several things, such as whether a file is an image or an executable. Figure 3 illustrates that images with the .jpg extension, also known as JPEG images, have the characters “JFIF” near the start of the file.

Figure 3: JPEG image file header

This header is also used by most AVs to determine the file type, as it is much more reliable than a file extension. When a “JFIF” header is read by most AVs the rest of the file will be ignored as long as the image is not broken or incomplete. The subterfuge of using an image file header also enables threat actors to bypass most network security measures which, like local AV, will treat the file as an image and ignore its content. By including an image that will properly display, threat actors are able to satisfy all of the conditions required for their malicious content to be ignored by security measures and “safely” delivered to the endpoint. This also ensures that if a file is manually downloaded and opened it will appear legitimate to the end user.

Extracting

Creating an image file that meets these requirements also ensures that the operating system does not recognize the file as an executable and will not execute the file, regardless of the program used to open it. This fact requires a downloader, such as a .NET executable, to “extract” the malicious executable from the image file. This can be easily done by searching the file contents for the file header representing an executable, “MZ,” as shown in Figure 4.

Figure 4: Embedded executable header

Once this header is found, the executable content is carved out and loaded into memory rather than executing a file dropped to disk. Because the content is executed in memory rather than from an actual executable file, it is less likely to be recognized by AV as malicious. Most AV solutions do not monitor the memory of a process already running, which allows the malware to perform most of its activities without being noticed.

Staging

The fact that both a downloader and an image file are required to complete the infection is an important part of the infection strategy. If an image file is run by itself in an automated environment, it will simply display an image, with the only possibility of detection relying on the image file content having suspicious text. If only the downloader is executed and the image payload is unavailable, then it may be detected as suspicious, but on its own would not provide defenders with enough information to fully combat the threat. This requirement of having both stages together helps hide from defenders using automated analysis systems that are focused on individual files.

Why It Matters

Although not a new technique, the consistent popularity and utility of this approach to malware delivery merits attention. Threat actors’ abuse of operating system and AV reliance on file header recognition has been and will continue to be a problem. An example of threat actors abusing this reliance to trick AV systems as well as analysts was also recently covered by Cofense™. Tuning AV systems to detect malware without relying on file headers is difficult and, in some cases, impossible. To properly recognize threats, it is important to have a full picture of the different components involved in an attack rather than attempting to organize individual and possibly incomplete analysis. To avoid this pitfall and better protect their network environments, organizations need to ensure that employees are trained not to fall victim to phishing emails and that defenders are ready should an incident happen.

To stay ahead of emerging phishing and malware trends, sign up for free Cofense™ Threat Alerts.


The Cofense Phishing Defense Center Sees Threats That Most Don’t

The Cofense™ Phishing Defense Center™ analyzes suspicious emails reported by customers’ users and alerts their security teams when they need to take action. Because we live and breathe phishing analysis and response, and because we operate 24/7/365, we have visibility into threats most teams can’t see.

Here’s a Real Example Involving Compromised Email Accounts

A few months back, an organization exploring our services did a proof-of-concept trial, during which we analyzed emails its users found suspicious and reported for inspection. Soon enough, we saw emails sent from compromised email accounts within the organization.

In fact, they utilized a technique known as the Zombie Phish, so called because it revives a dormant email conversation the user had had to disarm the user and lure him into clicking. We provided the indicators of compromise to the customer’s point of contact, plus included a link to a Cofense blog about the Zombie Phish.

We Found Over 2000 Malicious Emails—in Just 3 Days

A couple of weeks passed uneventfully. Then, we saw a new batch of reported emails from compromised accounts, followed the next day by a spike in similar messages. In a 3-day period, we found 2053 malicious emails sent through 77 internal accounts. Subject lines varied, but every one of these emails contained a link to “Display Message,” which redirected to a login page spoofing the customer’s actual page. It asked users to enter the password for their company account.

The techniques in these emails seemed to be part of a global phishing campaign targeting UK organizations. The target’s email address was encoded in the link. When someone clicked, the login page displayed the organization’s logo. The links’ behavior varied, sometimes redirecting to a fake site instead of the spoofed login page, other times displaying a message that the URL was unavailable.

The team in the Cofense Phishing Defense Center was glad to be of assistance. Learn more about our phishing defense services.


Cofense Partners with NINJIO to Bring Hollywood-Style Storytelling to Security Awareness Offering

Leesburg, Va. – May 8, 2019 – Cofense™, the global leader in intelligent phishing defense solutions, announced a partnership with NINJIO, a leading creator of cyber security awareness training. NINJIO’S cyber security content will be accessible by customers using the Cofense PhishMe™ platform, an award-winning phishing simulation and training solution. Cofense PhishMe administrators can leverage NINJIO videos, or “episodes” as NINJIO refers to them, as part of their on-going security awareness training and phishing defense programs.

SMBs: 5 Ways to Avoid Becoming a Small Phish in a Big Pond

In the fall of 2016, I watched a good friend get her business ready for opening in her first retail space. She had previously run everything from her home and now she was entering a whole new phase. I observed her interactions during a few visits and she knew when I gave her that “look,” there was something that needed improving.

“What Wi-Fi network do you have your register assigned to in the shared retail space? You should put a password on that register device you’re using, so when you’re across the store someone can’t open your register.”

The best part of helping her set that device password was watching her millennial daughters return to the store and try to guess the password – listening to their theories on creation was most amusing.

Following are 5 ways you can protect YOUR small business from phishing and other cyber threats.

  1. Train Your Employees!

A majority of small businesses have fewer than 50 employees. Ensure your staff are trained on the basics of cybersecurity for their roles. There are a number of free (YES really free!) resources available online to provide the basics: phishing, passwords, internet browsing and data protection.

The number one threat that will impact your business is phishing. Start with the simple actions. Teach employees to diligently check links – hover to see the real destination. If they did click on that link, do they have someone to tell? What if it took them to a website asking for their username and password?  If there’s an attachment, did it come from a trusted sender – if so, were they expecting to receive that invoice or resume file?

In June this year, the FBI issued a warning about the dramatic increase in business email compromise (BEC), which results in financial loss for the business targeted. The BEC scam is a simple email from a fraudster masquerading as a legitimate business executive asking for funds to be wired. These messages are typically targeted to individuals in the organization that process invoices or payments.

With a small staff, it’s not always easy to build your processes to include segregation of duties. But having controls in place related to handing out funds will not only save you on insider theft, it will also reduce the potential wire fraud from a random email spoofing your email address to your finance team. If your business does become a victim, the FBI encourages you to report the incident.

Remember the Target breach? The malicious actors started with sending a phishing email to the HVAC maintenance technician – a small business.

  2. Get Cyber Insurance.

You have an insurance policy on your car to protect you if you’re in an accident. You purchase liability insurance to cover your risk, should you encounter an unforeseen disruption in your business. In order to protect your business from a security incident that could result in a data breach or business disruption, you should invest in a cybersecurity insurance policy.

  3. Invest in IT/Cybersecurity Services

Enlisting the help of your teenage nephew is great for setting up your new phone or laptop, but that’s not the best solution to support your growing business. There are plenty of managed service providers to contract support for your technology and cybersecurity needs. Tap into your local small business networks or professional sharing networks for recommendations.

  4. Protect your Online Business Accounts

I put it in the cloud! The cloud service offerings today are far more readily available and robust than even five years ago. Entering your credit card info to purchase a piece of the cloud is easy, but make sure you know what you’re putting where. Keeping an inventory of these services, along with the type of data you’re storing, is important if the service experiences a breach or an outage.

While it might be easy to use that same username and password across all your accounts, it only takes one data breach to put all these services at risk. Get a password vault to manage these accounts.

  5. Protect your Social Media Accounts

As a small business owner, your number one “go to” place for your marketing campaign is social media. Managing these accounts is critical to protecting your online identity. Who has access to post on your behalf? Limit who has access to the account. Review your profile settings to ensure you have the highest level of security enabled. If the provider allows you to enable two-factor authentication – ENABLE IT!

Learn what two-factor authentication is and how to enable it at https://www.lockdownyourlogin.org/

YOU can do this – small steps can make a BIG difference!

Whether your family business was handed down to you through generations, or you’re a new start-up, or a nonprofit, small city, county, or community organization – you have intellectual property or personal data that you need to protect. And you have employees that need to take actions to support your business.

You built your business to live your dream; don’t let a malicious actor take that away from you! As you grow your business, make sure you grow your cybersecurity capabilities right along with it.

Hey! I know I’ve never talked to you before – but can you send some money – QUICK!

Business Email Compromise (BEC), also known as CEO Fraud, is a type of phishing email designed to impersonate an executive. In a BEC campaign, the “executive” urgently instructs an employee to wire money, sometimes lots of money, to a bank account. The FBI reports that BEC scams hit businesses to the tune of $12.5 billion annually.

What makes BEC campaigns different?

In a BEC attack, the weapon of choice is simple words. Instead of tricking people into clicking a malicious link or attachment, a BEC attack tries to lure recipients into taking action. The threat actor will spend time researching the organization, identifying execs whose high-priority messages would make employees respond ASAP.

Though this type of threat is fairly new in the phishing landscape, it is very successful. Actors have been able to make off with millions of dollars, using networks of mules to move the money back to the mothership.

In recent months, there has been a shift in the type of currency requested—gift cards. They’re easy to obtain and, if requested in smaller amounts, can go unnoticed but still add up. Researchers have also been doing their work, hunting these criminal groups with much success. Last summer the FBI announced the arrest of 74 fraudsters, all related to BEC. When an organization realizes it’s been hit with a BEC attack, it can reach out to the FBI, which will work with financial institutions to block the transfer of funds.

What can you do? A few tips.

I remember a few years back when this threat started to surface. I couldn’t help but think back to my days in finance and IT compliance, with a focus on Sarbanes-Oxley, and think about the controls breakdown BEC triggers. Here are some ways to KEEP control.

First and foremost, train your employees to be on the lookout for these types of messages. Secondly, implement controls within your payment process to require a secondary signature for release of funds. When I worked in the treasury department for a retail chain, there were many days I would have to walk to the Controller’s or CFO’s office to get a REAL signature on a check greater than $50,000 or a request for a direct wire. Also, look to the gateway controls and implement DMARC/DKIM as discussed in our previous blog post.

There is another control that is starting to become a best practice—tagging external messages in the subject line or message body and letting your employees know the message originated outside the organization. This tag is helpful in spotting BEC messages. Many times, executives or high value targets are reading their messages on mobile devices. The mail client on these devices doesn’t display the fully qualified email address, making it difficult to assess the validity of the message sender.
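The external-message tag described above is a gateway rewrite of the subject line, and it pairs naturally with two other header checks that catch the pattern described at the top of this post: an executive’s display name arriving from a domain outside the organization, and a Reply-To that quietly diverts answers elsewhere. The following is an added example, not Cofense’s code: the internal domain, the executive names and both sample messages are constructed assumptions for the example, and the gateway in question is hypothetical.

```python
"""Tag external mail and surface display-name and Reply-To signals of BEC."""
import email
from email import policy
from email.utils import parseaddr

# Assumptions for the example: the organisation's own domain(s) and the
# display names of executives who are commonly impersonated in BEC mail.
INTERNAL_DOMAINS = {"example.com"}
EXECUTIVE_NAMES = {"jane doe", "sam roe"}
EXTERNAL_TAG = "[EXTERNAL]"


def assess(raw: bytes) -> dict:
    """Return whether the mail is external and which BEC signals it shows."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    external = domain not in INTERNAL_DOMAINS
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    return {
        "external": external,
        # an executive's name on mail that did not come from the org's domain
        "exec_name_external": external and name.strip().lower() in EXECUTIVE_NAMES,
        # replies silently diverted to a mailbox other than the sender's
        "reply_to_mismatch": bool(reply_to) and reply_to.lower() != addr.lower(),
        "subject": str(msg.get("Subject", "")),
    }


def tagged_subject(raw: bytes) -> str:
    """Subject line as the gateway would rewrite it for external mail; the tag
    is what a reader on a mobile client sees even when the address is hidden."""
    info = assess(raw)
    if info["external"] and not info["subject"].startswith(EXTERNAL_TAG):
        return f"{EXTERNAL_TAG} {info['subject']}"
    return info["subject"]


# Constructed sample messages (not real phishing emails).
BEC_SAMPLE = b"""From: "Jane Doe" <jane.doe@example.net>
Reply-To: jd.private@example.org
To: payments@example.com
Subject: Urgent wire needed today

Are you available? I need a payment processed before end of day.
"""

INTERNAL_SAMPLE = b"""From: "Pat Lee" <pat.lee@example.com>
To: payments@example.com
Subject: March invoices

Attached are the approved invoices for March.
"""

if __name__ == "__main__":
    for sample in (BEC_SAMPLE, INTERNAL_SAMPLE):
        print(tagged_subject(sample), assess(sample))
```

The display-name check is deliberately narrow (exact names on an allow-list) so that it flags the impersonation case without tagging every external sender as suspicious; the subject tag alone already tells the recipient the message came from outside.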

A BEC sample:

The importance of tagging for viewing on a mobile device – mail client vs mobile:

If your organization becomes the victim of a BEC scam, report it quickly to help the authorities stop the funds from going through. Reporting also provides law enforcement with more information about the threat actor, which further helps to fight these crimes.

Learn more about phishing threats and protection in the Cofense State of Phishing Defense report.


Cofense Announces Key Additions to Leadership Team

New Hires to Fuel Company Growth in All Aspects of Sales, Marketing, and Product Development

Leesburg, Va. – April 18, 2019 – Today Cofense™, the global leader in intelligent phishing defense solutions, announced the addition of four security leaders to their executive team. Kevin Fliess joins Cofense as Senior Vice President of Marketing; Keith Ibarguen, as Chief Product Officer; Marcus Conroy, as Vice President of Americas Sales; and David Janson has been promoted to Vice President of International Sales from his previous position as Vice President of European Sales. Following the strongest fourth quarter (2018) and first quarter (2019) in company history, these additions will contribute to Cofense’s leadership and culture as the company executes the next phase of its growth strategy and expansion.

Cofense To Host Fourth Annual Phishing Defense Summit and User Conference

Cofense Submerge features industry expert speakers, including a keynote by FireEye CEO,
and sessions focused on latest security threats and incident response trends

Leesburg, Va. – April 16, 2019 – Today Cofense™, the global leader in intelligent phishing defense solutions, announced that registration is open for the fourth annual Submerge phishing defense summit and user conference. The event, set to take place Sept. 23-24, 2019 in Orlando, Fl., will bring together industry experts with practitioners who are on the front lines to discuss the security threat landscape and share phishing defense strategies. Featured speakers include Kevin Mandia, CEO of FireEye as a keynote, along with Cofense’s Co-Founders, Rohyt Belani, CEO, and Aaron Higbee, CTO.

Flash Update: Emotet Gang Distributes First Japanese Campaign

Cofense Intelligence™ has identified yet another change in Emotet’s behavior, this time distributing a campaign targeting Japanese-speaking recipients. The messages, which reference potentially overdue invoices and the payments thereof, deliver a macro-laden document, as per Emotet’s modus operandi. Figure 1 shows an example email from this campaign.

Diversifying their target base is the latest link in an ever-lengthening chain of updates and refinements being pushed by the actors behind Emotet. The targets in this campaign include Japanese academic institutions, demonstrating the actors’ keen interest in securing a presence for Emotet in such networks worldwide.

Appendix

Subject Lines

特別請求書 (Special invoice)
三月發票 (March invoice)
確認して承認してください。 (Please confirm and approve.)
請查看和 批准。 謝謝。 (Please review and approve. Thank you.)
請求書 (Invoice)

Attachment Names

878345912 99590954.doc
953830038_784779.doc
125469441531_79909831.doc
1379110773-877347.doc
1994740003_23358762.doc
24239118_62193073.doc
31021154 71136771.doc
35404060839-51945433.doc
517044779-87996292.doc
64123575263 958618.doc
72239600 553010.doc
75446103-4089070.doc
7690905434_609835.doc
823522415 83838965.doc
86726152984 4077671.doc
97016848095 4035273.doc
00209430800-791240.doc
01341161_9221765.doc
04546449854 46414589.doc
10433741_1976807.doc
1105119866-989027.doc
12129058435 35307309.doc
1375335111_2342554.doc
13826610090_89267548.doc
18009110 429772.doc
18965548-228698.doc
19529643 07207376.doc
20080657431-132300.doc
2094899952-633559.doc
22789621095 667097.doc
28025325_9781072.doc
31555902_50732534.doc
329298339962-7428084.doc
3405249239-0494889.doc
3696903556_82472490.doc
369955609499_6558583.doc
39032869312-95552314.doc
424078934718-386196.doc
4302447799_071604.doc
44498431-49581333.doc
445993000_8728570.doc
459894237 3920280.doc
48513288 3409281.doc
51036407549_224907.doc
514855331 4861472.doc
5256872379_032431.doc
52981800501_34239839.doc
59622012497-3273399.doc
60475231104 37366668.doc
6325401702 834277.doc

Attachment Hashes

27605401f9d2948e6a86c98457485dd7
4694bfed342c109a9bc54319a93a40bf
51177c2465eec69dc1a7c3cecaafd541
0fedcdc0d340a47555676f25ee12e8a2
691b1890521138b049edbf0e6cb09e7b
6f96482f2d2a78b02686efbcfae8138b
48f66f4b02fbe277282bac5467aba344
9b3aa6c52c788d356ab032d342270eed
1090395626b52579023a1cfd87a48dd9
3ad0040b48e62e9ca22d52a68de0966e
4dc61c605083d3fd32d69529ea14d0db
5c5d24b49c33b147a0344229a127b1cd
249dd3be9d101354015460ead19f0fa3
929116540242d88367af42f66e1a0336
ccfec8b2f804b553deb2193772e03785

Payload URLs

hxxp://garammatka[.]com/cgi-bin/o569U/
hxxp://rinconadarolandovera[.]com/calendar/5n5WY/
hxxp://gamvrellis[.]com/MEDIA/heuMx/
hxxp://hadrianjonathan[.]com/floorplans/vOec/
hxxp://warwickvalleyliving[.]com/images/wmGN/

Payload Hashes

69a5838744d6aa7b8f1d08b6e36d6844

C2s

187.188.166.192:80
88.215.2.29:80
187.137.162.145:443
65.49.60.163:443
45.33.35.103:8080
43.229.62.186:8080
165.227.213.173:8080
210.2.86.72:8080
192.155.90.90:7080
88.97.26.73:50000
190.117.206.153:443
185.86.148.222:8080
187.189.210.143:80
67.241.81.253:8443
200.114.142.40:8080
107.159.94.183:8080
190.147.116.32:21
138.68.139.199:443
219.94.254.93:8080
77.44.16.54:465
200.90.201.77:80
71.11.157.249:80
192.163.199.254:8080
144.76.117.247:8080
69.163.33.82:8080
109.73.52.242:8080
5.9.128.163:8080
189.225.119.52:990
62.75.143.100:7080
109.104.79.48:8080
181.29.186.65:80
200.28.131.215:443
190.192.113.159:21
89.211.193.18:80
189.205.185.71:465
181.29.101.13:80
176.58.93.123:8080
82.226.163.9:80
196.6.112.70:443
92.48.118.27:8080
72.47.248.48:8080
200.107.105.16:465
23.254.203.51:8080
154.120.228.126:8080
213.172.88.13:80
51.255.50.164:8080
201.217.108.155:21
197.248.67.226:8080
139.59.19.157:80
66.209.69.165:443
91.205.215.57:7080
99.243.127.236:80
136.49.87.106:80
186.139.160.193:8080

Filename Regex

\d{6,12}[-_\s]\d{6,12}\.doc
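The filename regex above is meant to be applied to attachment names at the gateway or in mail logs. As an added example (not Cofense’s code), the block below compiles it case-insensitively and anchors it with fullmatch so that the whole name must fit the pattern, then runs it over a handful of the attachment names listed in this appendix together with constructed benign names; note that because the pattern ends in `\.doc`, a `.docx` name with the same digit structure is not matched.

```python
"""Apply the Emotet attachment-name regex from the appendix to a list of names."""
import re

# Regex as published above; IGNORECASE so "…12345.DOC" is treated the same.
EMOTET_NAME = re.compile(r"\d{6,12}[-_\s]\d{6,12}\.doc", re.IGNORECASE)


def matches_emotet_pattern(filename: str) -> bool:
    """True when the entire (trimmed) filename fits the campaign pattern."""
    return EMOTET_NAME.fullmatch(filename.strip()) is not None


def triage(names):
    """Split attachment names into (flagged, not_flagged), preserving order."""
    flagged = [n for n in names if matches_emotet_pattern(n)]
    return flagged, [n for n in names if not matches_emotet_pattern(n)]


# Names from the appendix above plus constructed benign ones for contrast.
SAMPLE_NAMES = [
    "878345912 99590954.doc",      # space separator, from the appendix
    "953830038_784779.doc",        # underscore separator, from the appendix
    "00209430800-791240.doc",      # hyphen separator, from the appendix
    "1234_5678.doc",               # constructed: digit runs too short
    "Q1_report.docx",              # constructed: ordinary document name
    "878345912_99590954.docx",     # constructed: right digits, wrong extension
]

if __name__ == "__main__":
    flagged, clean = triage(SAMPLE_NAMES)
    print("flagged:", flagged)
    print("clean:  ", clean)
```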

Cofense continues to closely track Emotet’s evolution. Watch this space for further updates. To stay ahead of emerging phishing and malware trends, sign up for free Cofense™ Threat Alerts.
