
Cofense Intelligence™ has identified yet another change in Emotet's behavior: a campaign targeting Japanese-speaking recipients. The messages reference potentially overdue invoices and their payment, and deliver a macro-laden Word document, consistent with Emotet's established modus operandi. Figure 1 shows an example email from this campaign.

Diversifying their target base is the latest link in an ever-lengthening chain of updates and refinements pushed by the actors behind Emotet. The targets in this campaign include Japanese academic institutions, demonstrating a keen interest in securing a presence in such networks worldwide.

Appendix

Subject Lines

特別請求書 (Japanese: "Special invoice")
三月發票 (Traditional Chinese: "March invoice")
確認して承認してください。 (Japanese: "Please confirm and approve.")
請查看和 批准。 謝謝。 (Traditional Chinese: "Please review and approve. Thank you.")
請求書 (Japanese: "Invoice")

Note that two of the five subject lines are Traditional Chinese rather than Japanese, so a mail filter keyed only on Japanese text would miss part of this campaign; match on the subject strings as listed.

Attachment Names

878345912 99590954.doc
953830038_784779.doc
125469441531_79909831.doc
1379110773-877347.doc
1994740003_23358762.doc
24239118_62193073.doc
31021154 71136771.doc
35404060839-51945433.doc
517044779-87996292.doc
64123575263 958618.doc
72239600 553010.doc
75446103-4089070.doc
7690905434_609835.doc
823522415 83838965.doc
86726152984 4077671.doc
97016848095 4035273.doc
00209430800-791240.doc
01341161_9221765.doc
04546449854 46414589.doc
10433741_1976807.doc
1105119866-989027.doc
12129058435 35307309.doc
1375335111_2342554.doc
13826610090_89267548.doc
18009110 429772.doc
18965548-228698.doc
19529643 07207376.doc
20080657431-132300.doc
2094899952-633559.doc
22789621095 667097.doc
28025325_9781072.doc
31555902_50732534.doc
329298339962-7428084.doc
3405249239-0494889.doc
3696903556_82472490.doc
369955609499_6558583.doc
39032869312-95552314.doc
424078934718-386196.doc
4302447799_071604.doc
44498431-49581333.doc
445993000_8728570.doc
459894237 3920280.doc
48513288 3409281.doc
51036407549_224907.doc
514855331 4861472.doc
5256872379_032431.doc
52981800501_34239839.doc
59622012497-3273399.doc
60475231104 37366668.doc
6325401702 834277.doc

Attachment Hashes

27605401f9d2948e6a86c98457485dd7
4694bfed342c109a9bc54319a93a40bf
51177c2465eec69dc1a7c3cecaafd541
0fedcdc0d340a47555676f25ee12e8a2
691b1890521138b049edbf0e6cb09e7b
6f96482f2d2a78b02686efbcfae8138b
48f66f4b02fbe277282bac5467aba344
9b3aa6c52c788d356ab032d342270eed
1090395626b52579023a1cfd87a48dd9
3ad0040b48e62e9ca22d52a68de0966e
4dc61c605083d3fd32d69529ea14d0db
5c5d24b49c33b147a0344229a127b1cd
249dd3be9d101354015460ead19f0fa3
929116540242d88367af42f66e1a0336
ccfec8b2f804b553deb2193772e03785

Payload URLs

hxxp://garammatka[.]com/cgi-bin/o569U/
hxxp://rinconadarolandovera[.]com/calendar/5n5WY/
hxxp://gamvrellis[.]com/MEDIA/heuMx/
hxxp://hadrianjonathan[.]com/floorplans/vOec/
hxxp://warwickvalleyliving[.]com/images/wmGN/

Payload Hashes

69a5838744d6aa7b8f1d08b6e36d6844

C2s

187.188.166.192:80
88.215.2.29:80
187.137.162.145:443
65.49.60.163:443
45.33.35.103:8080
43.229.62.186:8080
165.227.213.173:8080
210.2.86.72:8080
192.155.90.90:7080
88.97.26.73:50000
190.117.206.153:443
185.86.148.222:8080
187.189.210.143:80
67.241.81.253:8443
200.114.142.40:8080
107.159.94.183:8080
190.147.116.32:21
138.68.139.199:443
219.94.254.93:8080
77.44.16.54:465
200.90.201.77:80
71.11.157.249:80
192.163.199.254:8080
144.76.117.247:8080
69.163.33.82:8080
109.73.52.242:8080
5.9.128.163:8080
189.225.119.52:990
62.75.143.100:7080
109.104.79.48:8080
181.29.186.65:80
200.28.131.215:443
190.192.113.159:21
89.211.193.18:80
189.205.185.71:465
181.29.101.13:80
176.58.93.123:8080
82.226.163.9:80
196.6.112.70:443
92.48.118.27:8080
72.47.248.48:8080
200.107.105.16:465
23.254.203.51:8080
154.120.228.126:8080
213.172.88.13:80
51.255.50.164:8080
201.217.108.155:21
197.248.67.226:8080
139.59.19.157:80
66.209.69.165:443
91.205.215.57:7080
99.243.127.236:80
136.49.87.106:80
186.139.160.193:8080

Filename Regex

\d{6,12}[-_\s]\d{6,12}\.doc
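As an added example (not part of Cofense's write-up), the following Python applies the filename regex above to attachment names from the appendix and to constructed non-matching names, and then matches the appendix's ip:port C2 list against constructed connection log lines. Two choices are assumptions made here rather than anything the page states: the regex is anchored with fullmatch (the published pattern has no anchors, so used with re.search it also fires on a substring such as `1234567_1234567.doc.exe`), and the IGNORECASE flag is set so `.DOC` is caught. The log lines and their timestamps are invented sample data.

```python
import re

# Cofense's published attachment-name pattern, copied from the page above.
FILENAME_REGEX = r"\d{6,12}[-_\s]\d{6,12}\.doc"

# Anchoring (via fullmatch below) and IGNORECASE are assumptions added here;
# they are not part of the published regex.
FILENAME_PATTERN = re.compile(FILENAME_REGEX, re.IGNORECASE)

# Attachment names copied from the page's appendix (a subset).
PAGE_ATTACHMENT_NAMES = [
    "878345912 99590954.doc",
    "953830038_784779.doc",
    "1379110773-877347.doc",
    "369955609499_6558583.doc",
    "75446103-4089070.doc",
]

# Constructed filenames (not from the page) that should NOT match.
NEGATIVE_SAMPLES = [
    "invoice.doc",                  # no digit groups
    "12345_123456.doc",             # first group too short (5 digits)
    "1234567_1234567.docx",         # wrong extension
    "1234567_1234567.doc.exe",      # trailing extension; substring match only
    "1234567--1234567.doc",         # two separator characters
    "1234567_1234567_1234567.doc",  # three digit groups
]


def is_emotet_style_name(filename: str) -> bool:
    """True if the whole filename matches the published pattern."""
    return FILENAME_PATTERN.fullmatch(filename) is not None


def unanchored_match(filename: str) -> bool:
    """The same regex used as a substring test (the pitfall of not anchoring)."""
    return re.search(FILENAME_REGEX, filename) is not None


def classify(filenames):
    """Split filenames into (matches, non_matches), preserving order."""
    matches = [f for f in filenames if is_emotet_style_name(f)]
    non_matches = [f for f in filenames if not is_emotet_style_name(f)]
    return matches, non_matches


# C2 sockets copied verbatim from the page's C2 list (a subset).
C2_LIST = """
187.188.166.192:80
88.215.2.29:80
45.33.35.103:8080
192.155.90.90:7080
88.97.26.73:50000
190.147.116.32:21
"""


def parse_c2_list(text: str):
    """Parse ip:port lines into a set of (ip, port) tuples, skipping blank lines."""
    sockets = set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ip, _, port = line.rpartition(":")
        sockets.add((ip, int(port)))
    return sockets


# Constructed firewall log lines (invented sample data, not real traffic).
SAMPLE_LOG = [
    "2019-11-01T09:12:03Z allow tcp 10.0.0.12:51324 -> 45.33.35.103:8080",
    "2019-11-01T09:12:05Z allow tcp 10.0.0.12:51325 -> 93.184.216.34:443",
    "2019-11-01T09:13:40Z allow tcp 10.0.0.19:60001 -> 88.97.26.73:50000",
    "2019-11-01T09:13:41Z allow tcp 10.0.0.19:60002 -> 88.97.26.73:443",
]

# Destination "ip:port" at the end of each constructed log line.
LOG_DST = re.compile(r"-> (\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")


def c2_hits(log_lines, c2_sockets):
    """Return the log lines whose destination socket is in the C2 set."""
    hits = []
    for line in log_lines:
        m = LOG_DST.search(line)
        if m and (m.group(1), int(m.group(2))) in c2_sockets:
            hits.append(line)
    return hits


if __name__ == "__main__":
    matched, unmatched = classify(PAGE_ATTACHMENT_NAMES + NEGATIVE_SAMPLES)
    print("matched:", matched)
    print("not matched:", unmatched)
    print("C2 hits:", c2_hits(SAMPLE_LOG, parse_c2_list(C2_LIST)))
```

The C2 matcher keys on the exact (ip, port) pair, so the constructed connection to 88.97.26.73:443 is not flagged even though the IP appears in the list on port 50000; whether to block the IP outright regardless of port is a policy decision, and the list above gives one port per host.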

Cofense continues to closely track Emotet’s evolution. Watch this space for further updates. To stay ahead of emerging phishing and malware trends, sign up for free Cofense™ Threat Alerts.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.