
Estimating Emotet’s size and reach

2019-12-12 16:26:00 UTC   |   by Spamhaus Malware Labs   |   Category:  malware, cybercrime, botnets, emotet

As many of you will be aware, Emotet, one of the most dangerous botnets in operation, restarted its malicious activity on 16th September 2019. Since its resurgence, Spamhaus Malware Labs has been closely monitoring and studying Emotet’s activity. Here’s what we’ve uncovered...

Change in Emotet’s behavior

One of the most noticeable changes that we observed over the past three months was that Emotet had predominantly spammed Microsoft Office documents containing malicious macros. This differed significantly from its old modus operandi of mixing both infected Office documents and URLs in its malware campaigns.

We found this rather odd, as most anti-spam solutions these days tend to block or quarantine, by default, all Office documents that include macros with suspicious functions like CreateProcess, ShellExecute, etc. We initially deduced from this change in behavior that the cyber-criminals using Emotet considered this to be the most cost-effective solution. However, over the past few days (approximately 6th December 2019), we are once again observing the inclusion of malware URLs. Perhaps those anti-spam solutions were proving too efficient at blocking the macro-enabled MS Office documents?

Emotet email volume and corresponding attachments

The period of our detailed observation commenced on 9th October 2019 and ended on 7th December 2019. It focuses on the spamming part of Emotet; therefore, our deductions relating to size only apply to this part of the botnet. We suspect the overall size to be much greater, as it would include dormant infected machines, i.e. those machines that are not spamming.

The following graph shows the number of emails detected per day, broken down by Emotet epoch.

[Graph: Emotet email volume per day, by epoch]

The data above indicates that Emotet started slowly during its first few weeks back, before ramping up to its highest volumes in the week commencing Monday 18th November 2019. However, the number of unique file attachments did not vary in proportion to the email volumes. It is worth noting that over the final few weeks of this reporting period, Emotet started working on Saturdays too, albeit at very low volumes.

This next graph shows how many distribution URLs, compared to distinct attachments, we have observed. Please note that when we refer to “distinct attachment,” we mean only that the file checksum was different, not that the distribution URL was also different, as files with different checksums would often use the same distribution URL.

[Graph: Emotet distribution URLs vs. distinct attachments per day]

Take a look at the spike in distribution URLs on 6th December 2019; this corresponds with Emotet restarting spamming malware URLs directly through emails, as referred to earlier.

Emotet recipient frequency

Now, let’s analyze how efficient Emotet is in targeting unsuspecting victims. We already know that Emotet exfiltrates Outlook/Thunderbird address-books from infected machines, and also uses thread hijacking to try and lure targets into opening the attachment.

This graph shows how many separate recipients were detected, relative to the total number of emails sent.

[Graph: Emotet distinct recipients relative to total emails sent]

In our humble opinion, this is pretty impressive! Emotet sends a single email to each distinct recipient per day, with minimal overlap. This means that any individual recipient would most likely receive only one of Emotet’s emails per day; from a criminal’s perspective, this is positive, as being too ‘noisy’ can be dangerous.

A notable exception to the above was on 5th November 2019. On this date, we suspect that something probably went awry with Emotet, because two different infected emails were sent to almost every recipient.

Number of spamming IP addresses

The graph below illustrates the daily distribution of unique spamming IP addresses we detected, per Emotet epoch:

[Graph: Emotet distinct spamming IP addresses per day, by epoch]

The largest peak we observed over this period was more than 18,000 unique malspamming IP addresses, which gives the operators good IP and geographic diversity.

From our observations, we suspect that epoch2 is the most populated part of the botnet, closely followed by epoch1, while epoch3 is still lagging in terms of reach.
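To make the measures used in the sections above concrete (emails per day and epoch, distinct attachments by checksum, distribution URLs, distinct recipients relative to emails sent, and unique spamming IPs), here is an added Python example; it is not part of the original article or of Spamhaus tooling. The records, IP addresses and mailbox names are constructed, and the 0.75 recipient-ratio threshold is an assumption.

```python
from collections import defaultdict

# Constructed sample observations (not Spamhaus data), one tuple per spam email:
# (day, epoch, sending IP, recipient, attachment checksum or None, distribution URL or None)
SAMPLE = [
    # 2019-11-04: three mails, three distinct recipients, two attachment checksums
    ("2019-11-04", "epoch1", "198.51.100.10", "alice@example.org", "sha256:a1", None),
    ("2019-11-04", "epoch1", "198.51.100.10", "bob@example.org", "sha256:a1", None),
    ("2019-11-04", "epoch1", "198.51.100.11", "carol@example.org", "sha256:a2", None),
    ("2019-11-04", "epoch2", "203.0.113.5", "dave@example.net", "sha256:b1", None),
    # 2019-11-05: every recipient receives two different mails (the anomaly described above)
    ("2019-11-05", "epoch1", "198.51.100.10", "alice@example.org", "sha256:a3", None),
    ("2019-11-05", "epoch1", "198.51.100.12", "alice@example.org", "sha256:a4", None),
    ("2019-11-05", "epoch1", "198.51.100.10", "bob@example.org", "sha256:a3", None),
    ("2019-11-05", "epoch1", "198.51.100.12", "bob@example.org", "sha256:a4", None),
    # 2019-12-06: a mail carrying a distribution URL instead of an attachment
    ("2019-12-06", "epoch2", "203.0.113.5", "erin@example.net", None, "http://dropper.invalid/doc"),
]


def summarise(recs):
    """Counts for one set of mails: total, distinct attachments (by checksum), distinct
    distribution URLs, distinct recipients and sending IPs, plus the recipient ratio
    (distinct recipients / mails) that the recipient-frequency graph plots."""
    rcpts = {r[3] for r in recs}
    return {
        "emails": len(recs),
        "attachments": len({r[4] for r in recs if r[4]}),
        "urls": len({r[5] for r in recs if r[5]}),
        "recipients": len(rcpts),
        "ips": len({r[2] for r in recs}),
        "rcpt_ratio": len(rcpts) / len(recs),
    }


def daily_stats(records):
    """Per (day, epoch) breakdown, as in the article's per-epoch daily graphs."""
    groups = defaultdict(list)
    for rec in records:
        groups[(rec[0], rec[1])].append(rec)
    return {key: summarise(recs) for key, recs in groups.items()}


def anomalous_days(stats, threshold=0.75):
    """Days where recipients got several mails each (ratio well below 1.0), as on 5 Nov 2019."""
    return sorted({day for (day, _), s in stats.items() if s["rcpt_ratio"] < threshold})
```

Calling summarise(SAMPLE) on the whole record set gives period-wide totals in the shape of the summary list that follows, while daily_stats(SAMPLE) yields the per-day, per-epoch figures.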

More stats on Emotet

Last but not least, here are some global statistics on all the autonomous systems (ASNs), countries and sent emails that we have detected over the observation period:

Total number of ASNs detected: 5,430
Total number of unique IPs detected: 120,764
Total countries participating: 193
Total emails sent: 10,935,346
Total distribution URLs: 4,726
Distinct recipients (RCPTs) targeted: 8,052,961


Top 30 Networks

Position  ASN    No. of IPs
1         8151   9180
2         4788   3878
3         3352   3485
4         5384   2487
5         45595  2363
6         3269   2127
7         4134   2108
8         45899  1998
9         24560  1765
10        18881  1759
11        3462   1667
12        7303   1545
13        37457  1400
14        12430  1285
15        9121   1279
16        7713   1241
17        22927  1227
18        5713   1195
19        17552  1186
20        6147   1125
21        28006  1104
22        6400   1079
23        12479  1051
24        23969  1003
25        14754  1000
26        3816   902
27        30722  869
28        45758  858
29        28573  831
30        9329   767

Top 30 Countries

Position  Country  No. of IPs
1         MX       11966
2         BR       7691
3         ES       7108
4         IN       6550
5         ZA       6154
6         IT       6042
7         AR       5172
8         MY       5167
9         PK       3864
10        VN       3634
11        US       3525
12        TH       3501
13        CN       3313
14        CO       2856
15        AE       2841
16        TR       2721
17        ID       2211
18        EC       2157
19        TW       1832
20        PE       1702
21        CL       1618
22        PH       1412
23        DE       1307
24        SA       1286
25        DO       1189
26        SG       1016
27        LK       960
28        KR       875
29        AU       855
30        VE       831

For SOCs, CERTs, and CSIRTs: Abuse.ch has some good tips for mitigation.

Spamhaus Malware Labs will continue to monitor Emotet closely to see how this threat continues to evolve; it’s come far from the days when it was a simple banking trojan. In the meantime, ensure you’re protecting yourself.

Please note: botnets are dynamic by nature; therefore other measurements may differ.

Permanent link to this news article:
Estimating Emotet’s size and reach
http://www.spamhaus.org/news/article/791/estimating-emotets-size-and-reach
