Estimating Emotet’s size and reach

2019-12-12 16:26:00 UTC   |   by Spamhaus Malware Labs   |   Category:  malware, cybercrime, botnets, emotet

As many of you will be aware, Emotet, one of the most dangerous botnets in operation, restarted its malicious activity on 16th September 2019. Since its resurgence, Spamhaus Malware Labs has been closely monitoring and studying Emotet’s activity. Here’s what we’ve uncovered...

Change in Emotet’s behavior

One of the most noticeable changes that we observed over the past three months was that Emotet had predominantly spammed Microsoft Office documents containing malicious macros. This differed significantly from its old modus operandi of mixing both infected Office documents and URLs in its malware campaigns.

We found this rather odd, as most anti-spam solutions these days block or quarantine, by default, any Office document whose macros call suspicious functions such as CreateProcess or ShellExecute. We initially deduced from this change in behavior that the cyber-criminals operating Emotet considered macro documents to be the most cost-effective option. However, since approximately 6th December 2019, we are once again observing malware URLs in Emotet's emails. Perhaps those anti-spam solutions were proving too efficient at blocking the macro-enabled MS Office documents?
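The filtering behaviour described above depends on getting at the macro source, and that source is not stored in plain text: VBA modules inside vbaProject.bin are stored with the MS-OVBA compression scheme, so a naive string search of the raw OLE stream misses most calls to CreateProcess, ShellExecute and friends. The following is an added example (our illustration, not Spamhaus code nor the code of any mail filter) that decodes a compressed module stream and flags suspicious calls. It assumes the module stream has already been extracted from the OLE compound file (for instance with olefile); the sample stream at the bottom is hand-constructed for the demo, not taken from an Emotet document, and the keyword list is an assumption, not an exhaustive signature set.

```python
import re

# MS-OVBA (section 2.4.1) CompressedContainer decoder. VBA module source in
# vbaProject.bin is stored this way, so decompress before pattern matching.
# Pulling the module stream out of the OLE container (e.g. with olefile) is
# assumed to have happened already and is not shown here.

def decompress_vba(data: bytes) -> bytes:
    """Decode an MS-OVBA CompressedContainer into the original module text."""
    if not data or data[0] != 0x01:
        raise ValueError("missing CompressedContainer signature byte 0x01")
    out = bytearray()
    pos = 1
    while pos < len(data):
        header = int.from_bytes(data[pos:pos + 2], "little")
        chunk_size = (header & 0x0FFF) + 3            # bits 0-11: size - 3
        if (header >> 12) & 0x7 != 0b011:              # bits 12-14: signature
            raise ValueError("bad chunk signature at offset %d" % pos)
        is_compressed = bool(header >> 15)             # bit 15: compressed flag
        chunk_end = min(pos + chunk_size, len(data))
        pos += 2
        chunk_start = len(out)                         # decompressed chunk origin
        if not is_compressed:                          # raw chunk: copy verbatim
            out += data[pos:chunk_end]
            pos = chunk_end
            continue
        while pos < chunk_end:
            flags = data[pos]                          # one FlagByte -> 8 tokens
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:             # literal token: one byte
                    out.append(data[pos])
                    pos += 1
                    continue
                token = int.from_bytes(data[pos:pos + 2], "little")
                pos += 2
                # The offset/length split of a copy token depends on how far
                # into the decompressed chunk we are (BitCount = max(4, ceil(log2(diff)))).
                diff = len(out) - chunk_start
                bit_count = max(4, (diff - 1).bit_length())
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                for _ in range(length):                # overlapping copies are legal
                    out.append(out[-offset])
    return bytes(out)


# Assumed indicator list: auto-executing entry points and process/download APIs
# of the kind the article says spam filters key on. Extend for real use.
SUSPICIOUS = {
    "auto-exec entry point": r"\b(?:AutoOpen|Auto_Open|Document_Open|Workbook_Open|AutoExec)\b",
    "process launch": r"\b(?:Shell|ShellExecute[AW]?|CreateProcess[AW]?|WScript\.Shell)\b",
    "object creation": r"\bCreateObject\s*\(",
    "download": r"\b(?:URLDownloadToFile[AW]?|XMLHTTP|WinHttpRequest)\b",
    "powershell": r"(?i)powershell",
}


def scan_vba(source: str) -> dict:
    """Return {category: sorted list of matched identifiers} for the macro source."""
    hits = {}
    for label, pattern in SUSPICIOUS.items():
        found = sorted(set(re.findall(pattern, source)))
        if found:
            hits[label] = found
    return hits


def analyse_module(stream: bytes) -> dict:
    """Decompress a module stream and scan it; VBA source is single-byte text."""
    source = decompress_vba(stream).decode("latin-1")
    return {"source": source, "hits": scan_vba(source)}


# Hand-constructed compressed stream (not from a real document). It decodes to:
#   Sub AutoOpen()\nShell "cmd"\nEnd Sub\n
# and exercises literal tokens, one copy token and a short final token sequence.
SAMPLE_MODULE = (
    b"\x01"                            # CompressedContainer signature
    b"\x26\xb0"                        # chunk header: size 41, signature 0b011, compressed
    b"\x00" b"Sub Auto"                # flag 0x00: eight literal tokens
    b"\x00" b"Open()\nS"
    b"\x00" b'hell "cm'
    b"\x80" b'd"\nEnd ' b"\x00\xf0"    # seven literals, then copy token offset 31, length 3 ("Sub")
    b"\x00" b"\n"                      # final partial token sequence
)

if __name__ == "__main__":
    report = analyse_module(SAMPLE_MODULE)
    print(report["source"])
    print(report["hits"])
```

The decoder is the part worth keeping: once you have plain VBA text, the scanner can be as simple or as elaborate as your filtering policy needs, and the same decoded text is what you would feed to a sandbox or a YARA rule set.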

Emotet email volume and corresponding attachments

The period of our detailed observation commenced on 9th October 2019 and ended on 7th December 2019. It focuses on the spamming part of Emotet; therefore, our deductions relating to size only apply to this part of the botnet. We suspect the overall size to be much greater, as it would include dormant infected machines i.e., those machines which aren’t spamming.

The following graph shows the number of emails detected per day, broken down per Emotet epoch.

[Graph: Emotet email volume per day, by epoch]

The data shows that Emotet started slowly during its first few weeks back, before ramping up to its highest volumes in the week commencing Monday 18th November 2019. The number of unique file attachments, however, did not scale with email volume. It is also worth noting that over the final few weeks of this reporting period, Emotet started spamming on Saturdays too, albeit at very low volumes.

This next graph shows how many distribution URLs we observed, compared to distinct attachments. Note that “distinct attachment” means only that the file checksum differed, not that the distribution URL differed as well: files with different checksums were often served from the same distribution URL.

[Graph: Emotet distinct attachments vs. distribution URLs per day]

Take a look at the spike in distribution URLs on 6th December 2019; this corresponds with Emotet restarting spamming malware URLs directly through emails, as referred to earlier.

Emotet recipient frequency

Now, let’s analyze how efficient Emotet is in targeting unsuspecting victims. We already know that Emotet exfiltrates Outlook/Thunderbird address-books from infected machines, and also uses thread hijacking to try and lure targets into opening the attachment.

This graph shows how many distinct recipients were detected per day, relative to the total number of emails sent.

[Graph: Emotet distinct recipients per day, relative to emails sent]

In our humble opinion, this is pretty impressive! Emotet sends a single email to each recipient per day, with minimal overlap. This means that any individual recipient would most likely receive only one of Emotet’s emails on a given day; from a criminal’s perspective this is positive, as being too ‘noisy’ can be dangerous.

A notable exception to the above was on 5th November 2019. On this date, we suspect that something probably went awry with Emotet, because two different infected emails were sent to almost every recipient.

Number of spamming IP addresses

The graph below illustrates the daily count of unique spamming IP addresses we detected, per Emotet epoch:

[Graph: Emotet distinct spamming IP addresses per day, by epoch]

The largest peak we observed over this period was more than 18,000 unique malspamming IP addresses in a single day, which gives the operators good IP and geographic diversity.

From our observations, we suspect that epoch2 is the most populated part of the botnet, closely followed by epoch1, while epoch3 is still lagging in terms of reach.

More stats on Emotet

Last but not least, here are some global statistics on all the autonomous systems, countries and sent emails that we have detected over the observation period:

Total number of ASNs detected: 5,430
Total number of unique IPs detected: 120,764
Total countries participating: 193
Total emails sent: 10,935,346
Total distribution URLs: 4,726
Distinct RCPTs targeted: 8,052,961

[Table: Top 30 networks by number of IPs (Position, ASN, No. of IPs) and Top 30 countries by number of IPs (Position, Country, No. of IPs)]
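To make the measures used in this article concrete, here is an added example (our illustration, not Spamhaus code; the sightings are constructed, not real telemetry) that computes them from per-email records of the kind a spam trap or SOC mail gateway produces: emails and distinct recipients per day, the recipient-to-email ratio that flags a day like 5th November, unique spamming IPs per epoch, and the global ASN, IP and country totals. The record layout and the 0.9 ratio threshold are assumptions.

```python
from collections import defaultdict

# Constructed sightings (not Spamhaus data). One malspam email per record:
# (date, Emotet epoch, sending IP, ASN of that IP, country, recipient address).
SIGHTINGS = [
    ("2019-11-04", "epoch1", "198.51.100.7", "AS64500", "US", "a@example.org"),
    ("2019-11-04", "epoch2", "203.0.113.9",  "AS64501", "DE", "b@example.org"),
    ("2019-11-04", "epoch2", "203.0.113.10", "AS64501", "DE", "c@example.org"),
    ("2019-11-04", "epoch3", "192.0.2.44",   "AS64502", "BR", "d@example.org"),
    # 5 Nov: every recipient gets two emails, mirroring the anomaly in the article.
    ("2019-11-05", "epoch1", "198.51.100.7", "AS64500", "US", "a@example.org"),
    ("2019-11-05", "epoch2", "203.0.113.9",  "AS64501", "DE", "a@example.org"),
    ("2019-11-05", "epoch2", "203.0.113.11", "AS64501", "DE", "b@example.org"),
    ("2019-11-05", "epoch1", "198.51.100.8", "AS64500", "US", "b@example.org"),
]


def daily_stats(sightings):
    """Per day: email count, distinct recipients, their ratio, unique IPs (total and per epoch)."""
    days = defaultdict(lambda: {"emails": 0, "recipients": set(), "ips": set(),
                                "ips_per_epoch": defaultdict(set)})
    for date, epoch, ip, _asn, _cc, rcpt in sightings:
        day = days[date]
        day["emails"] += 1
        day["recipients"].add(rcpt)
        day["ips"].add(ip)
        day["ips_per_epoch"][epoch].add(ip)
    result = {}
    for date, day in sorted(days.items()):
        result[date] = {
            "emails": day["emails"],
            "distinct_recipients": len(day["recipients"]),
            # 1.0 means every email went to a different address that day.
            "recipient_ratio": len(day["recipients"]) / day["emails"],
            "unique_ips": len(day["ips"]),
            "unique_ips_per_epoch": {e: len(s) for e, s in sorted(day["ips_per_epoch"].items())},
        }
    return result


def global_stats(sightings):
    """Totals over the whole observation window, matching the article's summary figures."""
    asns, ips, countries, rcpts = set(), set(), set(), set()
    for _date, _epoch, ip, asn, cc, rcpt in sightings:
        asns.add(asn)
        ips.add(ip)
        countries.add(cc)
        rcpts.add(rcpt)
    return {"asns": len(asns), "unique_ips": len(ips), "countries": len(countries),
            "emails": len(sightings), "distinct_rcpts": len(rcpts)}


def duplicate_delivery_days(stats, threshold=0.9):
    """Days on which recipients received more than one email (ratio well below 1)."""
    return sorted(date for date, s in stats.items() if s["recipient_ratio"] < threshold)


if __name__ == "__main__":
    stats = daily_stats(SIGHTINGS)
    for date, s in stats.items():
        print(date, s)
    print("global:", global_stats(SIGHTINGS))
    print("anomalous days:", duplicate_delivery_days(stats))
```

Unique-IP counts are the figure to treat with most care: a dynamic or NAT address seen on two days is two "unique IPs" per day but one in the global count, which is one reason the article warns that other measurements may differ.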

For SOCs, CERTs, and CSIRTs: has some good tips for mitigation.

Spamhaus Malware Labs will continue to monitor Emotet closely to see how this threat continues to evolve; it’s come far from the days when it was a simple banking trojan. In the meantime, ensure you’re protecting yourself.

Please note: botnets are dynamic by nature; therefore other measurements may differ.
