Recent spam campaigns from Emotet featured sextortion content very similar to emails previously sent by the Necurs botnet. However, Emotet spam ended up netting 10 times the amount that a comparable Necurs campaign did — within a matter of six hours.

Why was Emotet so much more successful with the same type of ploy? Two factors played into this.

First, Emotet infects users at work, versus Necurs, which typically goes to people’s webmail addresses. Getting an extortion email at work might be placing a lot more pressure on recipients; if they fall for the scam, they must pay up before their employers get caught in the crosshairs. Some of the email samples we looked at featured sextortion, which would instill additional embarrassment and fear in potential victims, pushing them to pay to make the problem go away.

In the sample below, the email begins with a supposed reply chain to an invoice delivery and then goes into the attackers claiming to have compromised the recipient’s company’s support address. After some detail about that, it moves into sextortion content. Visual Unicode spoofing is likely used to evade filters that focus on keywords.

Figure 1: Emotet malspam features sextortion content but also infects readers with its payload (Source: IBM X-Force)

Another factor that likely helped Emotet net more money was that it charged Bitcoin, which carries a higher value than the Dashcoins that Necurs spam demanded.

Adding Insult to Injury

The new campaigns in which Emotet extorts email recipients do not end with the payment — they continue to infect the victim with the Emotet Trojan. It is likely that this campaign tool is part of what Emotet sells to other gangs, enabling them to use its infrastructure for cybercriminal activities.

Emotet has been increasing its activity lately, appearing more often in spam campaigns that go beyond the usual malware infection goal. With most groups moving away from using the Necurs botnet, Emotet has been trying its hand at sextortion scams, making money in the process of spreading spam and its own infections across the globe.

Since sextortion campaigns have been somewhat of a Necurs specialty in the past two years, X-Force researchers who looked into Emotet sextortion campaigns have compared them with similar Necurs campaigns. Then, following the cryptocurrency addresses the spammers used, we calculated the approximate amount of money each one generated. Interestingly, Emotet spam netted over 10 times what a large Necurs campaign netted using the same theme, all within a mere six hours.

Necurs Dashes for Dashcoin

The Necurs campaign we used in this comparison was a rather peculiar case of a campaign likely gone awry. It was very lengthy, unlike any other Necurs campaigns, and, according to X-Force research, lasted seven weeks, sending millions of spam emails per day. A day after the publication of information about that Necurs J38 campaign, Necurs’ operators, who likely did not know this was going on, shut down the entire operation and the mail flow went from millions of emails per day to zero emails within that one day.

By December 3, 2019, the J38 campaign netted Necurs about $4,527. Within a month, the Dashcoin cryptocurrency almost doubled in value.

Figure 2: Dashcoin wallet contents used in Necurs sextortion campaign J38 (Source: IBM X-Force)

Emotet Bids for Bitcoin

A week-long campaign by Emotet combined a scam with the additional hit of infecting recipients with malware. Between January 23 and January 28, 2020, the campaign used 24 different Bitcoin wallets in the emails sent to potential victims. Except for one address, all wallets were active in receiving payments, with amounts ranging from a few hundred to over $10,000 in each wallet. The campaign’s total was $57,000, over 10 times more than the longer-term campaign run by the Necurs botnet.

Figure 3: Illicit profits from Emotet sextortion campaign (Source: IBM X-Force)

Emotet Rising in 2020

2020 has kicked off with a lot of new activity from the Emotet botnet. Some of the campaigns our team has found include targeted SMiShing, spam, extortion and more typical infections that deliver other sophisticated malware.

The Emotet botnet, believed to be operated by a group that calls itself “Mealybug,” started out around 2014 and was based on the code of a banking Trojan that was then known as “Bugat.” Emotet was one of the major versions of Bugat, the same codebase that is also the basis of the Dridex Trojan.

In its earlier days, Emotet itself was a banking Trojan, mostly targeting victims in Germany and other parts of Europe. Over time, Mealybug changed the botnet’s vocation and geotargeting, gradually becoming the prominent targeted-access provider for other elite malware gangs with a botnet largely focused on systems in the U.S.

In recent years, Mealybug has been using Emotet to help banking Trojans like QakBot, IcedID, TrickBot and some ransomware variants to get into company networks by using existing footholds they already have, its propagation techniques and creating new infections via targeted spam tactics. This has also meant expanding its attack turf from focusing on North America to around the world, including ongoing campaigns in Japan.

One of the most recent Emotet campaigns that targeted Japanese email recipients used compromised emails concerning the spread of Coronavirus, scaring potential victims into opening malicious attachments that unleash its infection routine.

Emotet’s High Conversion Rates

Why go to Emotet for what would appear to be a much humbler spamming ability? It’s all about conversion rates — how many attempts result in infection. With classic botnet spam, those percentages can be rather low. With targeted spam on already compromised assets, that’s almost a guaranteed infection. This strategy is in line with the narrowing focus of all cybercrime actors in the past two years, concerned more about larger bounties than collecting smaller amounts from a larger number of victims.

Tips for Keeping Emotet Out of Your Networks

Keeping sophisticated, self-propagating malware out of enterprise networks can be a bit of a challenge, but there are some tips that can help teams reduce the risk of infection, including:

  • Develop an incident response plan that corresponds with a threat like Emotet. Since this malware can usher in a widespread ransomware attack, your teams will have to escalate quickly, contain and remedy before further damage can take place. Alternatively, organizations can leverage third-party incident response services.
  • Educate users about threats like Emotet and its specific tactics of inserting itself into conversations to lure email recipients into opening attachments.
  • Ensure systems are patched on time.
  • Update endpoint detection and response (EDR) systems and anti-virus solutions deployed throughout your environment.
  • Segregate networks to limit the reach of self-propagating malware.
  • Review privileged access and privileged users to enforce least privilege principles.
  • Keep up to date on blacklists of malicious IPs and compromised websites malware uses to spread.
  • Keep up to date on threat intelligence that can help you stay ahead of emerging campaigns and share among teams.
  • Mitigate the risk of infection with advanced malware protection.

For security incident emergencies, contact IBM X-Force at: U.S. hotline 1-888-241-9812 | Global hotline (+001) 602-220-1440

More from Malware

Strela Stealer: Today’s invoice is tomorrow’s phish

12 min read - As of November 2024, IBM X-Force has tracked ongoing Hive0145 campaigns delivering Strela Stealer malware to victims throughout Europe - primarily Spain, Germany and Ukraine. The phishing emails used in these campaigns are real invoice notifications, which have been stolen through previously exfiltrated email credentials. Strela Stealer is designed to extract user credentials stored in Microsoft Outlook and Mozilla Thunderbird. During the past 18 months, the group tested various techniques to enhance its operation's effectiveness. Hive0145 is likely to be…

Hive0147 serving juicy Picanha with a side of Mekotio

17 min read - IBM X-Force tracks multiple threat actors operating within the flourishing Latin American (LATAM) threat landscape. X-Force has observed Hive0147 to be one of the most active threat groups operating in the region, targeting employee inboxes at scale, with a primary focus on phishing and malware distribution. After a 3-month break, Hive0147 returned in July with even larger campaign volumes, and the debut of a new malicious downloader X-Force named "Picanha,” likely under continued development, deploying the Mekotio banking trojan. Hive0147…

Ongoing ITG05 operations leverage evolving malware arsenal in global campaigns

13 min read - As of March 2024, X-Force is tracking multiple ongoing ITG05 phishing campaigns featuring lure documents crafted to imitate authentic documents of government and non-governmental organizations (NGOs) in Europe, the South Caucasus, Central Asia, and North and South America. The uncovered lures include a mixture of internal and publicly available documents, as well as possible actor-generated documents associated with finance, critical infrastructure, executive engagements, cyber security, maritime security, healthcare, business, and defense industrial production. Beginning in November 2023, X-Force observed ITG05…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today