The Spamhaus Project

Emotet

In January 2021, Europol announced a coordinated international group of law enforcement authorities had taken control of the Emotet malware infrastructure. To assist in the mitigation of this threat, the Spamhaus Project provided remediation data directly to end-users, networks, and national CERTs. All parties contacted with Emotet remediation data have responded; therefore, Spamhaus will no longer provide remediation data.

What is Emotet?

Emotet was one of the most dangerous, destructive, and prolific malware families seen on the internet in recent years. Over time it became a monetized platform through which threat actors ran malicious campaigns on a pay-per-install (PPI) model, enabling theft of sensitive data and ransom extortion.

How were these email accounts involved?

On consumer and corporate PCs, Emotet acted as an information and password stealer. It also contained a spam module that allowed Emotet to spread laterally using email as a vector, using malicious links or attachments. It was sending tens of thousands of malware-laden emails every day through breached accounts, posing as: account detail alerts, information about Covid, shipping notifications, and other themes designed to invoke swift user interaction. The data we provide here covers these breached accounts. Please note that the data we share covers a certain period of time; the current situation may be different.

What should be done?

All passwords for the identified breached email accounts should be changed as soon as possible.

What should we as the ISP tell our customers?

Here is a handy template you can use:

Dear Email Administrator,

Spamhaus, who is working in conjunction with international law enforcement, has notified us regarding mailboxes that are hosted on a server that your user controls. These email addresses were identified as having been potentially compromised for use by the Emotet botnet.

We ask that you immediately reset the passwords of these mailboxes to prevent any further abuse. This is the only action required to resolve this issue. The list of breached mailboxes identified are as follows:

example@example.com .....

We greatly appreciate any action you take in securing these mailboxes and helping to ensure that they are not further abused by miscreants to do any harm to other users on the internet.

Regards, Example Trust and Safety Department

What do the various fields in the data mean?

Both the JSON and the CSV formats contain the same fields. Here is a CSV example:

#ip, hostname, username, email, time created, time modified, epoch
192.0.2.25,mail.example.com,user@example.com,user@example.com,1580418000,1549057584,epoc1

IP: IP address of the mailserver the account belongs to

Hostname: Hostname of the mailserver the account belongs to

Username: Account/username of the breached email (may sometimes be the same as the email address)

Email: Breached email address

Time Created: First time the email address was seen, as a 'unix timestamp'

Time Modified: Last time the email address was seen, as a 'unix timestamp'

Epoch: Section of the Emotet botnet that abused the breached email

A note on the time fields: this is information as-is from the malware infrastructure. We recommend a password reset if one has not been done recently, since the dataset may have been shared with other bad actors as well.
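The following is an added example, not code from Spamhaus or this page: a small Python script that parses the CSV layout documented above (skipping the '#'-prefixed header and tolerating spaces after commas), converts the unix timestamps to readable UTC, groups the breached mailboxes by mailserver, and fills the notification template from the "What should be done?" section for each server. The JSON layout is not shown on the page, so only the CSV is handled. The sample rows are constructed (the first one is the page's own example line); the hostnames, addresses and timestamps are placeholders.

```python
import csv
from collections import defaultdict
from datetime import datetime, timezone

# Column order from the CSV header documented above. The JSON feed is not
# shown on the page, so only the CSV layout is parsed here.
FIELDS = ("ip", "hostname", "username", "email", "time_created", "time_modified", "epoch")

# Constructed sample records (not real remediation data); the first row is the
# page's own example line, the other two are invented for illustration.
SAMPLE_CSV = """#ip, hostname, username, email, time created, time modified, epoch
192.0.2.25,mail.example.com,user@example.com,user@example.com,1580418000,1549057584,epoc1
192.0.2.25,mail.example.com,bob,bob@example.com,1580500000,1611000000,epoc2
198.51.100.7,mx.example.net,alice@example.net,alice@example.net,1600000000,1610000000,epoc1
"""


def parse_records(text):
    """Parse the CSV feed: skip the '#' header line, strip spaces, type the timestamps."""
    records = []
    for row in csv.reader(text.splitlines()):
        if not row or row[0].lstrip().startswith("#"):
            continue  # blank line or the commented header
        row = [cell.strip() for cell in row]
        if len(row) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} fields, got {len(row)}: {row}")
        rec = dict(zip(FIELDS, row))
        rec["time_created"] = int(rec["time_created"])
        rec["time_modified"] = int(rec["time_modified"])
        records.append(rec)
    return records


def iso_utc(ts):
    """Render a unix timestamp as a UTC string for the notification text."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%SZ")


def group_by_server(records):
    """One notification per mailserver (ip, hostname): that is who resets the passwords."""
    groups = defaultdict(list)
    for rec in records:
        groups[(rec["ip"], rec["hostname"])].append(rec)
    return dict(groups)


def build_notification(ip, hostname, records):
    """Fill the page's template for one server, listing the most recently seen mailbox first."""
    ordered = sorted(records, key=lambda r: r["time_modified"], reverse=True)
    lines = [
        "Dear Email Administrator,",
        "",
        f"Mailboxes hosted on {hostname} ({ip}) were identified as having been potentially",
        "compromised for use by the Emotet botnet. Please reset the passwords of these mailboxes:",
        "",
    ]
    for rec in ordered:
        lines.append(f"  {rec['email']}  (username: {rec['username']}, "
                     f"last seen {iso_utc(rec['time_modified'])}, {rec['epoch']})")
    lines += ["", "Regards, Example Trust and Safety Department"]
    return "\n".join(lines)


def build_all(text):
    """Parse a feed and return {hostname: notification text} for every mailserver in it."""
    return {host: build_notification(ip, host, recs)
            for (ip, host), recs in group_by_server(parse_records(text)).items()}


if __name__ == "__main__":
    for host, body in build_all(SAMPLE_CSV).items():
        print(f"--- {host} ---\n{body}\n")
```

Ordering each server's list by "time modified" puts the mailboxes most recently seen by the botnet at the top, but, as the note above says, the reset should be done for every listed mailbox regardless of how old the sighting is.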

Where can I find official publications about Emotet and the takedown?

Background information about the Emotet botnet can be found on Wikipedia and Malpedia. There are also many official publications about the takedown:

Europol: World’s most dangerous malware EMOTET disrupted through global action

German Bundeskriminalamt: Infrastruktur der Emotet-Schadsoftware zerschlagen (Infrastructure of the Emotet malware dismantled)

Dutch National Police: Internationale politieoperatie LadyBird: wereldwijd botnet Emotet ontmanteld (International police operation LadyBird: worldwide Emotet botnet dismantled)

United States Department of Justice: Emotet Botnet Disrupted in International Cyber Operation

Ukraine National Police: Кіберполіція викрила транснаціональне угруповання хакерів у розповсюдженні найнебезпечнішого в світі комп’ютерного вірусу «EMOTET» (Cyberpolice exposed a transnational hacker group spreading the world's most dangerous computer virus, "EMOTET")

You contacted us at the wrong/out of date address, can this be changed?

Yes! Please tell us what addresses we should use instead by emailing remediation-team@spamhaus.org.

I have a question that is not answered here

You can contact The Spamhaus Project at remediation-team@spamhaus.org.