Recent spam campaigns from Emotet featured sextortion content very similar to emails previously sent by the Necurs botnet. However, Emotet spam ended up netting 10 times the amount that a comparable Necurs campaign did — within a matter of six hours.

Why was Emotet so much more successful with the same type of ploy? Two factors played into this.

First, Emotet infects users at work, versus Necurs, which typically goes to people’s webmail addresses. Getting an extortion email at work might be placing a lot more pressure on recipients; if they fall for the scam, they must pay up before their employers get caught in the crosshairs. Some of the email samples we looked at featured sextortion, which would instill additional embarrassment and fear in potential victims, pushing them to pay to make the problem go away.

In the sample below, the email begins with a supposed reply chain to an invoice delivery and then goes into the attackers claiming to have compromised the recipient’s company’s support address. After some detail about that, it moves into sextortion content. Visual Unicode spoofing is likely used to evade filters that focus on keywords.

Figure 1: Emotet malspam features sextortion content but also infects readers with its payload (Source: IBM X-Force)

Another factor that likely helped Emotet net more money was that it charged Bitcoin, which carries a higher value than the Dashcoins that Necurs spam demanded.

Adding Insult to Injury

The new campaigns in which Emotet extorts email recipients do not end with the payment — they continue to infect the victim with the Emotet Trojan. It is likely that this campaign tool is part of what Emotet sells to other gangs, enabling them to use its infrastructure for cybercriminal activities.

Emotet has been increasing its activity lately, appearing more often in spam campaigns that go beyond the usual malware infection goal. With most groups moving away from using the Necurs botnet, Emotet has been trying its hand at sextortion scams, making money in the process of spreading spam and its own infections across the globe.

Since sextortion campaigns have been somewhat of a Necurs specialty in the past two years, X-Force researchers who looked into Emotet sextortion campaigns have compared them with similar Necurs campaigns. Then, following the cryptocurrency addresses the spammers used, we calculated the approximate amount of money each one generated. Interestingly, Emotet spam netted over 10 times what a large Necurs campaign netted using the same theme, all within a mere six hours.

Necurs Dashes for Dashcoin

The Necurs campaign we used in this comparison was a rather peculiar case of a campaign likely gone awry. It was very lengthy, unlike any other Necurs campaigns, and, according to X-Force research, lasted seven weeks, sending millions of spam emails per day. A day after the publication of information about that Necurs J38 campaign, Necurs’ operators, who likely did not know this was going on, shut down the entire operation and the mail flow went from millions of emails per day to zero emails within that one day.

By December 3, 2019, the J38 campaign netted Necurs about $4,527. Within a month, the Dashcoin cryptocurrency almost doubled in value.

Figure 2: Dashcoin wallet contents used in Necurs sextortion campaign J38 (Source: IBM X-Force)

Emotet Bids for Bitcoin

A week-long campaign by Emotet combined a scam with the additional hit of infecting recipients with malware. Between January 23 and January 28, 2020, the campaign used 24 different Bitcoin wallets in the emails sent to potential victims. Except for one address, all wallets were active in receiving payments, with amounts ranging from a few hundred to over $10,000 in each wallet. The campaign’s total was $57,000, over 10 times more than the longer-term campaign run by the Necurs botnet.

Figure 3: Illicit profits from Emotet sextortion campaign (Source: IBM X-Force)

Emotet Rising in 2020

2020 has kicked off with a lot of new activity from the Emotet botnet. Some of the campaigns our team has found include targeted SMiShing, spam, extortion and more typical infections that deliver other sophisticated malware.

The Emotet botnet, believed to be operated by a group that calls itself “Mealybug,” started out around 2014 and was based on the code of a banking Trojan that was then known as “Bugat.” Emotet was one of the major versions of Bugat, the same codebase that is also the basis of the Dridex Trojan.

In its earlier days, Emotet itself was a banking Trojan, mostly targeting victims in Germany and other parts of Europe. Over time, Mealybug changed the botnet’s vocation and geotargeting, gradually becoming the prominent targeted-access provider for other elite malware gangs with a botnet largely focused on systems in the U.S.

In recent years, Mealybug has been using Emotet to help banking Trojans like QakBot, IcedID, TrickBot and some ransomware variants to get into company networks by using existing footholds they already have, its propagation techniques and creating new infections via targeted spam tactics. This has also meant expanding its attack turf from focusing on North America to around the world, including ongoing campaigns in Japan.

One of the most recent Emotet campaigns that targeted Japanese email recipients used compromised emails concerning the spread of Coronavirus, scaring potential victims into opening malicious attachments that unleash its infection routine.

Emotet’s High Conversion Rates

Why go to Emotet for what would appear to be a much humbler spamming ability? It’s all about conversion rates — how many attempts result in infection. With classic botnet spam, those percentages can be rather low. With targeted spam on already compromised assets, that’s almost a guaranteed infection. This strategy is in line with the narrowing focus of all cybercrime actors in the past two years, concerned more about larger bounties than collecting smaller amounts from a larger number of victims.

Tips for Keeping Emotet Out of Your Networks

Keeping sophisticated, self-propagating malware out of enterprise networks can be a bit of a challenge, but there are some tips that can help teams reduce the risk of infection, including:

  • Develop an incident response plan that corresponds with a threat like Emotet. Since this malware can usher in a widespread ransomware attack, your teams will have to escalate quickly, contain and remedy before further damage can take place. Alternatively, organizations can leverage third-party incident response services.
  • Educate users about threats like Emotet and its specific tactics of inserting itself into conversations to lure email recipients into opening attachments.
  • Ensure systems are patched on time.
  • Update endpoint detection and response (EDR) systems and anti-virus solutions deployed throughout your environment.
  • Segregate networks to limit the reach of self-propagating malware.
  • Review privileged access and privileged users to enforce least privilege principles.
  • Keep up to date on blacklists of malicious IPs and compromised websites malware uses to spread.
  • Keep up to date on threat intelligence that can help you stay ahead of emerging campaigns and share among teams.
  • Mitigate the risk of infection with advanced malware protection.

For security incident emergencies, contact IBM X-Force at: U.S. hotline 1-888-241-9812 | Global hotline (+001) 602-220-1440

More from Malware

ITG10 Likely Targeting South Korean Entities of Interest to the Democratic People’s Republic of Korea (DPRK)

7 min read - In late April 2023, IBM Security X-Force uncovered documents that are most likely part of a phishing campaign mimicking credible senders, orchestrated by a group X-Force refers to as ITG10, and aimed at delivering RokRAT malware, similar to what has been observed by others. ITG10's tactics, techniques and procedures (TTPs) overlap with APT37 and ScarCruft. The initial delivery method is conducted via a LNK file, which drops two Windows shortcut files containing obfuscated PowerShell scripts in charge of downloading a…

7 min read

Ransomware Renaissance 2023: The Definitive Guide to Stay Safer

2 min read - Ransomware is experiencing a renaissance in 2023, with some cybersecurity firms reporting over 400 attacks in the month of March alone. And it shouldn’t be a surprise: the 2023 X-Force Threat Intelligence Index found backdoor deployments — malware providing remote access — as the top attacker action in 2022, and aptly predicted 2022’s backdoor failures would become 2023’s ransomware crisis. Compounding the problem is the industrialization of the cybercrime ecosystem, enabling adversaries to complete more attacks, faster. Over the last…

2 min read

BlackCat (ALPHV) Ransomware Levels Up for Stealth, Speed and Exfiltration

9 min read - This blog was made possible through contributions from Kat Metrick, Kevin Henson, Agnes Ramos-Beauchamp, Thanassis Diogos, Diego Matos Martins and Joseph Spero. BlackCat ransomware, which was among the top ransomware families observed by IBM Security X-Force in 2022, according to the 2023 X-Force Threat Intelligence Index, continues to wreak havoc across organizations globally this year. BlackCat (a.k.a. ALPHV) ransomware affiliates' more recent attacks include targeting organizations in the healthcare, government, education, manufacturing and hospitality sectors. Reportedly, several of these incidents resulted…

9 min read

Ex-Conti and FIN7 Actors Collaborate with New Backdoor

15 min read -   April 27, 2023 Update This article is being republished with modifications from the original that was published on April 14, 2023, to change the name of the family of malware from Domino to Minodo. This is being done to avoid any possible confusion with the HCL Domino brand. The family of malware that is described in this article is unrelated to, does not impact, nor uses HCL Domino or any of its components in any way. The malware is…

15 min read