The Spamhaus Project
BETA

blog

Estimating Emotet’s size and reach

As many of you will be aware, Emotet, one of the most dangerous botnets in operation, restarted its malicious activity on 16th September 2019. Since its resurgence, Spamhaus Malware Labs has been closely monitoring and studying Emotet’s activity. Here’s what we’ve uncovered...

by The Spamhaus TeamDecember 12, 20197 minutes reading time
Malware
Threat Intelligence
Email Security

Jump to

Introduction

As many of you will be aware, Emotet, one of the most dangerous botnets in operation, restarted its malicious activity on 16th September 2019. Since its resurgence, Spamhaus Malware Labs has been closely monitoring and studying Emotet’s activity. Here’s what we’ve uncovered...

Change in Emotet’s behavior

One of the most noticeable changes that we observed over the past three months was that Emotet had predominantly spammed Microsoft Office documents containing malicious macros. This differed significantly from its old modus operandi of mixing both infected Office documents and URLs in its malware campaigns.

We found this rather odd, as most anti-spam solutions these days tend to block or quarantine, by default, all Office documents that include macros with suspicious functions like CreateProcess, ShellExecute, etc. We initially deduced from this change in behavior that the cyber-criminals using Emotet considered this to be the most cost-effective solution. However, over the past few days (approximately 6th December 2019), we are once again observing the inclusion of malware URLs. Perhaps those anti-spam solutions were proving too efficient at blocking the macro-enabled MS Office documents?

Emotet email volume and corresponding attachments

The period of our detailed observation commenced on 9th October 2019 and ended on 7th December 2019. It focuses on the spamming part of Emotet; therefore, our deductions relating to size only apply to this part of the botnet. We suspect the overall size to be much greater, as it would include dormant infected machines i.e., those machines which aren’t spamming.

The following graph shows the number of emails detected per day (divided per Emotet epoch).

The above data infers that Emotet started slowly during its first few weeks back, before ramping up to its highest volumes in the week commencing Mon 18th November 2019. However, the variance in the number of unique file attachments did not change relative to the volumes. It is worth noting that over the final few weeks of this reporting period, Emotet started working on Saturdays too, albeit at very low volumes.

This next graph shows how many distribution URLs, compared to distinct attachments, we have observed. Please note that when we refer to “distinct attachment,” we mean only that the file checksum was different, not that the distribution URL was also different, as files with different checksums would often use the same distribution URL.

Take a look at the spike in distribution URLs on 6th December 2019; this corresponds with Emotet restarting spamming malware URLs directly through emails, as referred to earlier.

Emotet recipient frequency

Now, let’s analyze how efficient Emotet is in targeting unsuspecting victims. We already know that Emotet exfiltrates Outlook/Thunderbird address-books from infected machines, and also uses thread hijacking to try and lure targets into opening the attachment.

This graph shows how many separate recipients were detected, scaled to the total of email sent.

In our humble opinion, this is pretty impressive! Emotet sends one single email to each different recipient every day, with minimal overlap. This means that any individual recipient would most likely receive only one of Emotet’s emails per day; from a criminal’s perspective, this is positive, as being too ‘noisy’ can be dangerous.

A notable exception to the above was on 5th November 2019. On this date, we suspect that something probably went awry with Emotet, because two different infected emails were sent to almost every recipient.

Number of spamming IP addresses

Below the graph illustrates the daily distribution of unique spamming IP addresses we detected per Emotet epoch:

The largest peak we observed over this period was more than 18,000 unique malspamming IP addresses, which gives the operators a good IP and geo diversity.

From our observations, we suspect that epoch2 is the most populated part of the botnet, closely followed by epoch1, while epoch3 is still lagging in terms of reach.

More stats on Emotet

Last but not least, here are some global statistics on all the autonomous systems, countries and sent emails that we have detected over the observation period:

Total number of ASn detected:5.430
Total number of unique IPs detected:120.764
Total Countries participating:193
Total emails sent:10.935.346
Total distribution URLs:4.726
Distinct RCPTs targeted:8.052.961
Top 30 Networks
PositionASnNo. of IPs
181519180
247883878
333523485
453842487
5455952363
632692127
741342108
8458991998
9245601765
10188811759
1134621667
1273031545
13374571400
14124301285
1591211279
1677131241
17229271227
1857131195
19175521186
2061471125
21280061104
2264001079
23124791051
24239691003
25147541000
263816902
2730722869
2845758858
2928573831
309329767
Top 30 Countries
PositionCountryNo. of IPs
1MX11966
2BR7691
3ES7108
4IN6550
5ZA6154
6IT6042
7AR5172
8MY5167
9PK3864
10VN3634
11US3525
12TH3501
13CN3313
14CO2856
15AE2841
16TR2721
17ID2211
18EC2157
19TW1832
20PE1702
21CL1618
22PH1412
23DE1307
24SA1286
25DO1189
26SG1016
27LK960
28KR875
29AU855
30VE831

For SOCs, CERTs, and CSIRTs: Abuse.ch has some good tips for mitigation.

Spamhaus Malware Labs will continue to monitor Emotet closely to see how this threat continues to evolve; it’s come far from the days when it was a simple banking trojan. In the meantime, ensure you’re protecting yourself.

Please note: botnets are dynamic by nature, therefore other measurement may differ.