Recent spam campaigns from Emotet featured sextortion content very similar to emails previously sent by the Necurs botnet. However, Emotet spam ended up netting 10 times the amount that a comparable Necurs campaign did — within a matter of six hours.

Why was Emotet so much more successful with the same type of ploy? Two factors played into this.

First, Emotet infects users at work, versus Necurs, which typically goes to people’s webmail addresses. Getting an extortion email at work might be placing a lot more pressure on recipients; if they fall for the scam, they must pay up before their employers get caught in the crosshairs. Some of the email samples we looked at featured sextortion, which would instill additional embarrassment and fear in potential victims, pushing them to pay to make the problem go away.

In the sample below, the email begins with a supposed reply chain to an invoice delivery and then goes into the attackers claiming to have compromised the recipient’s company’s support address. After some detail about that, it moves into sextortion content. Visual Unicode spoofing is likely used to evade filters that focus on keywords.

Figure 1: Emotet malspam features sextortion content but also infects readers with its payload (Source: IBM X-Force)

Another factor that likely helped Emotet net more money was that it charged Bitcoin, which carries a higher value than the Dashcoins that Necurs spam demanded.

Adding Insult to Injury

The new campaigns in which Emotet extorts email recipients do not end with the payment — they continue to infect the victim with the Emotet Trojan. It is likely that this campaign tool is part of what Emotet sells to other gangs, enabling them to use its infrastructure for cybercriminal activities.

Emotet has been increasing its activity lately, appearing more often in spam campaigns that go beyond the usual malware infection goal. With most groups moving away from using the Necurs botnet, Emotet has been trying its hand at sextortion scams, making money in the process of spreading spam and its own infections across the globe.

Since sextortion campaigns have been somewhat of a Necurs specialty in the past two years, X-Force researchers who looked into Emotet sextortion campaigns have compared them with similar Necurs campaigns. Then, following the cryptocurrency addresses the spammers used, we calculated the approximate amount of money each one generated. Interestingly, Emotet spam netted over 10 times what a large Necurs campaign netted using the same theme, all within a mere six hours.

Necurs Dashes for Dashcoin

The Necurs campaign we used in this comparison was a rather peculiar case of a campaign likely gone awry. It was very lengthy, unlike any other Necurs campaigns, and, according to X-Force research, lasted seven weeks, sending millions of spam emails per day. A day after the publication of information about that Necurs J38 campaign, Necurs’ operators, who likely did not know this was going on, shut down the entire operation and the mail flow went from millions of emails per day to zero emails within that one day.

By December 3, 2019, the J38 campaign netted Necurs about $4,527. Within a month, the Dashcoin cryptocurrency almost doubled in value.

Figure 2: Dashcoin wallet contents used in Necurs sextortion campaign J38 (Source: IBM X-Force)

Emotet Bids for Bitcoin

A week-long campaign by Emotet combined a scam with the additional hit of infecting recipients with malware. Between January 23 and January 28, 2020, the campaign used 24 different Bitcoin wallets in the emails sent to potential victims. Except for one address, all wallets were active in receiving payments, with amounts ranging from a few hundred to over $10,000 in each wallet. The campaign’s total was $57,000, over 10 times more than the longer-term campaign run by the Necurs botnet.

Figure 3: Illicit profits from Emotet sextortion campaign (Source: IBM X-Force)

Emotet Rising in 2020

2020 has kicked off with a lot of new activity from the Emotet botnet. Some of the campaigns our team has found include targeted SMiShing, spam, extortion and more typical infections that deliver other sophisticated malware.

The Emotet botnet, believed to be operated by a group that calls itself “Mealybug,” started out around 2014 and was based on the code of a banking Trojan that was then known as “Bugat.” Emotet was one of the major versions of Bugat, the same codebase that is also the basis of the Dridex Trojan.

In its earlier days, Emotet itself was a banking Trojan, mostly targeting victims in Germany and other parts of Europe. Over time, Mealybug changed the botnet’s vocation and geotargeting, gradually becoming the prominent targeted-access provider for other elite malware gangs with a botnet largely focused on systems in the U.S.

In recent years, Mealybug has been using Emotet to help banking Trojans like QakBot, IcedID, TrickBot and some ransomware variants to get into company networks by using existing footholds they already have, its propagation techniques and creating new infections via targeted spam tactics. This has also meant expanding its attack turf from focusing on North America to around the world, including ongoing campaigns in Japan.

One of the most recent Emotet campaigns that targeted Japanese email recipients used compromised emails concerning the spread of Coronavirus, scaring potential victims into opening malicious attachments that unleash its infection routine.

Emotet’s High Conversion Rates

Why go to Emotet for what would appear to be a much humbler spamming ability? It’s all about conversion rates — how many attempts result in infection. With classic botnet spam, those percentages can be rather low. With targeted spam on already compromised assets, that’s almost a guaranteed infection. This strategy is in line with the narrowing focus of all cybercrime actors in the past two years, concerned more about larger bounties than collecting smaller amounts from a larger number of victims.

Tips for Keeping Emotet Out of Your Networks

Keeping sophisticated, self-propagating malware out of enterprise networks can be a bit of a challenge, but there are some tips that can help teams reduce the risk of infection, including:

  • Develop an incident response plan that corresponds with a threat like Emotet. Since this malware can usher in a widespread ransomware attack, your teams will have to escalate quickly, contain and remedy before further damage can take place. Alternatively, organizations can leverage third-party incident response services.
  • Educate users about threats like Emotet and its specific tactics of inserting itself into conversations to lure email recipients into opening attachments.
  • Ensure systems are patched on time.
  • Update endpoint detection and response (EDR) systems and anti-virus solutions deployed throughout your environment.
  • Segregate networks to limit the reach of self-propagating malware.
  • Review privileged access and privileged users to enforce least privilege principles.
  • Keep up to date on blacklists of malicious IPs and compromised websites malware uses to spread.
  • Keep up to date on threat intelligence that can help you stay ahead of emerging campaigns and share among teams.
  • Mitigate the risk of infection with advanced malware protection.

For security incident emergencies, contact IBM X-Force at: U.S. hotline 1-888-241-9812 | Global hotline (+001) 602-220-1440

More from Malware

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Hive0051’s large scale malicious operations enabled by synchronized multi-channel DNS fluxing

12 min read - For the last year and a half, IBM X-Force has actively monitored the evolution of Hive0051’s malware capabilities. This Russian threat actor has accelerated its development efforts to support expanding operations since the onset of the Ukraine conflict. Recent analysis identified three key changes to capabilities: an improved multi-channel approach to DNS fluxing, obfuscated multi-stage scripts, and the use of fileless PowerShell variants of the Gamma malware. As of October 2023, IBM X-Force has also observed a significant increase in…

New Hive0117 phishing campaign imitates conscription summons to deliver DarkWatchman malware

8 min read - IBM X-Force uncovered a new phishing campaign likely conducted by Hive0117 delivering the fileless malware DarkWatchman, directed at individuals associated with major energy, finance, transport, and software security industries based in Russia, Kazakhstan, Latvia, and Estonia. DarkWatchman malware is capable of keylogging, collecting system information, and deploying secondary payloads. Imitating official correspondence from the Russian government in phishing emails aligns with previous Hive0117 campaigns delivering DarkWatchman malware, and shows a possible significant effort to induce a sense of urgency as…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today