
Beginning the morning of April 9th, the Emotet gang began utilizing what appears to be the stolen emails of their victims. It was noted back in October of 2018 that a new module was added that could steal the email content on a victim’s machine. Up until now, no evidence of real widespread use was seen. This marks a major evolution in the way Emotet works.

The emails appear to be from someone in the original email’s address list and carry a subject beginning with “Re: RE:”. The actors place the original subject line after that prefix and append the contents of the original email to the bottom of the weaponized email being sent. They also use the original address list to target someone who would have received the original email in the past.

All of this is done to add relevance and authenticity to the emails being sent. Currently, the emails are only leveraging document download links and do not contain attachments. We are only seeing email content that appears to be from the Oct./Nov. timeframe, but expect that this will change over time.

As this post is being written, we have seen over 1000 unique subjects and emails sent. This is a large step away from the highly templatized emails from Emotet’s past. In many cases, this may lead analysts to believe they are being spear-phished when that is not necessarily the case. It is worth noting that because the email content is likely stolen, it is an indicator that someone within the address list of the email was likely compromised.

Due to the highly sensitive nature of the email content, we cannot share any samples at this time. This is occurring only on the Epoch 1 botnet. We will continue to monitor and update this post with any changes seen.

To stay ahead of emerging phishing and malware trends, sign up for free Cofense Threat Alerts.

IOCs:

hxxp://situsprediksijitu[.]com/wp-includes/file/service/ios/EN/04-2019/

hxxps://escapadesgroup[.]com[.]au/cgi-bin/US/support/ios/EN/042019/

hxxp://hirosys[.]biz/wp-content/llc/support/secure/EN/2019-04/

hxxp://107[.]178[.]221[.]225/jxewyv9/inc/support/ios/En_en/042019/

hxxp://raraty-squires[.]com/blog/sXzf-4ihmhkO8ISXaF6N_xpQxoZZcQ-fgs/

hxxp://newsmafia[.]in/d/security/support/sec/EN/2019-04/

hxxps://jlseditions[.]fr/wp-content/SPNT-FNzUWeaXTjQ8nqv_qWocBOMe-RT6/

hxxp://netcom-soft[.]com/eng/NgqF-1QgEEkvjQ0MkjZ_zYLYiaLye-Z8t/

hxxp://132[.]145[.]153[.]89/trust.accs.send.net/files/messages/sec/en_EN/201904/

hxxp://tem2.belocal[.]today/optometrist/privacy/messages/sec/En_en/2019-04/
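The lure pattern described above (a “Re: RE:” subject wrapped around a stolen thread, a document link in place of an attachment, and the earlier message quoted at the bottom) and the IOC list can be turned into a simple triage check. The following is an added example, not Cofense’s tooling: it parses a constructed sample message, scores the three lure traits, refangs the defanged URLs from this post, and reports whether any link in the body matches one of them. The `triage` function and its scoring threshold are assumptions made for the example.

```python
"""Heuristic triage for the Emotet reply-chain lure described in the post.

Added example, not code from Cofense. The e-mail samples below are
constructed; the IOC list is copied (defanged) from the post above."""
import re
from email import message_from_string
from email.message import Message

# Defanged indicators from the post (hxxp / [.] notation).
DEFANGED_IOCS = [
    "hxxp://situsprediksijitu[.]com/wp-includes/file/service/ios/EN/04-2019/",
    "hxxps://escapadesgroup[.]com[.]au/cgi-bin/US/support/ios/EN/042019/",
    "hxxp://hirosys[.]biz/wp-content/llc/support/secure/EN/2019-04/",
    "hxxp://107[.]178[.]221[.]225/jxewyv9/inc/support/ios/En_en/042019/",
    "hxxp://raraty-squires[.]com/blog/sXzf-4ihmhkO8ISXaF6N_xpQxoZZcQ-fgs/",
    "hxxp://newsmafia[.]in/d/security/support/sec/EN/2019-04/",
    "hxxps://jlseditions[.]fr/wp-content/SPNT-FNzUWeaXTjQ8nqv_qWocBOMe-RT6/",
    "hxxp://netcom-soft[.]com/eng/NgqF-1QgEEkvjQ0MkjZ_zYLYiaLye-Z8t/",
    "hxxp://132[.]145[.]153[.]89/trust.accs.send.net/files/messages/sec/en_EN/201904/",
    "hxxp://tem2.belocal[.]today/optometrist/privacy/messages/sec/En_en/2019-04/",
]

# Subject shape from the post: "Re: RE:" followed by the stolen original subject.
SUBJECT_RE = re.compile(r"^\s*Re:\s*RE:\s*(.+)$", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Common markers of an earlier message quoted below the new text.
QUOTE_RE = re.compile(r"^(From:|On .+ wrote:|-----Original Message-----)", re.MULTILINE)


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a URL that can be compared."""
    return (ioc.replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[.]", "."))


def message_body(msg: Message) -> str:
    """Concatenate the text/plain parts that are not attachments."""
    parts = []
    for part in msg.walk():
        if (part.get_content_type() == "text/plain"
                and part.get_content_disposition() != "attachment"):
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def has_attachment(msg: Message) -> bool:
    return any(part.get_content_disposition() == "attachment" or part.get_filename()
               for part in msg.walk())


def triage(raw: str, iocs=DEFANGED_IOCS) -> dict:
    """Score one RFC 822 message against the lure traits and the IOC list."""
    msg = message_from_string(raw)
    body = message_body(msg)
    match = SUBJECT_RE.match(msg.get("Subject", ""))
    urls = URL_RE.findall(body)
    known = {refang(i).rstrip("/") for i in iocs}
    ioc_hits = [u for u in urls if u.rstrip("/") in known]
    indicators = {
        "reply_chain_subject": match is not None,
        "link_no_attachment": bool(urls) and not has_attachment(msg),
        "quoted_thread_at_bottom": bool(QUOTE_RE.search(body)),
        "ioc_match": bool(ioc_hits),
    }
    score = sum(indicators.values())
    return {
        "original_subject": match.group(1) if match else None,
        "urls": urls,
        "ioc_hits": ioc_hits,
        "indicators": indicators,
        "score": score,
        # Threshold is an assumption for this example: three traits or an IOC hit.
        "verdict": "suspect" if score >= 3 or ioc_hits else "benign",
    }


# Constructed sample in the shape the post describes (addresses are example.com).
SAMPLE_EMAIL = """From: Alice Example <alice@example.com>
To: Bob Example <bob@example.com>
Subject: Re: RE: Invoice for October services
Content-Type: text/plain; charset="utf-8"

Please review the document: http://107.178.221.225/jxewyv9/inc/support/ios/En_en/042019/

-----Original Message-----
From: Bob Example <bob@example.com>
Sent: Tuesday, October 23, 2018
Subject: Invoice for October services

Hi Alice, the invoice is attached.
"""

# Constructed benign control message.
BENIGN_EMAIL = """From: Bob Example <bob@example.com>
To: Alice Example <alice@example.com>
Subject: Lunch?
Content-Type: text/plain; charset="utf-8"

See you at noon.
"""

if __name__ == "__main__":
    for raw in (SAMPLE_EMAIL, BENIGN_EMAIL):
        print(triage(raw))
```

Matching on exact URLs is only useful for the handful of links listed here; the subject, link-without-attachment and quoted-thread traits are what carry over to the next batch of lures, and a hit on them is a reason to look for the earlier compromise that supplied the stolen thread.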
