Recent spam campaigns from Emotet featured sextortion content very similar to emails previously sent by the Necurs botnet. However, Emotet spam ended up netting 10 times the amount that a comparable Necurs campaign did — within a matter of six hours.
Why was Emotet so much more successful with the same type of ploy? Two factors played into this.
First, Emotet infects users at work, versus Necurs, which typically goes to people’s webmail addresses. Getting an extortion email at work might be placing a lot more pressure on recipients; if they fall for the scam, they must pay up before their employers get caught in the crosshairs. Some of the email samples we looked at featured sextortion, which would instill additional embarrassment and fear in potential victims, pushing them to pay to make the problem go away.
In the sample below, the email begins with a supposed reply chain to an invoice delivery and then goes into the attackers claiming to have compromised the recipient’s company’s support address. After some detail about that, it moves into sextortion content. Visual Unicode spoofing is likely used to evade filters that focus on keywords.
Figure 1: Emotet malspam features sextortion content but also infects readers with its payload (Source: IBM X-Force)
Another factor that likely helped Emotet net more money was that it charged Bitcoin, which carries a higher value than the Dashcoins that Necurs spam demanded.
Adding Insult to Injury
The new campaigns in which Emotet extorts email recipients do not end with the payment — they continue to infect the victim with the Emotet Trojan. It is likely that this campaign tool is part of what Emotet sells to other gangs, enabling them to use its infrastructure for cybercriminal activities.
Emotet has been increasing its activity lately, appearing more often in spam campaigns that go beyond the usual malware infection goal. With most groups moving away from using the Necurs botnet, Emotet has been trying its hand at sextortion scams, making money in the process of spreading spam and its own infections across the globe.
Since sextortion campaigns have been somewhat of a Necurs specialty in the past two years, X-Force researchers who looked into Emotet sextortion campaigns have compared them with similar Necurs campaigns. Then, following the cryptocurrency addresses the spammers used, we calculated the approximate amount of money each one generated. Interestingly, Emotet spam netted over 10 times what a large Necurs campaign netted using the same theme, all within a mere six hours.
Necurs Dashes for Dashcoin
The Necurs campaign we used in this comparison was a rather peculiar case of a campaign likely gone awry. It was very lengthy, unlike any other Necurs campaigns, and, according to X-Force research, lasted seven weeks, sending millions of spam emails per day. A day after the publication of information about that Necurs J38 campaign, Necurs’ operators, who likely did not know this was going on, shut down the entire operation and the mail flow went from millions of emails per day to zero emails within that one day.
By December 3, 2019, the J38 campaign netted Necurs about $4,527. Within a month, the Dashcoin cryptocurrency almost doubled in value.
Figure 2: Dashcoin wallet contents used in Necurs sextortion campaign J38 (Source: IBM X-Force)
Emotet Bids for Bitcoin
A week-long campaign by Emotet combined a scam with the additional hit of infecting recipients with malware. Between January 23 and January 28, 2020, the campaign used 24 different Bitcoin wallets in the emails sent to potential victims. Except for one address, all wallets were active in receiving payments, with amounts ranging from a few hundred to over $10,000 in each wallet. The campaign’s total was $57,000, over 10 times more than the longer-term campaign run by the Necurs botnet.
Figure 3: Illicit profits from Emotet sextortion campaign (Source: IBM X-Force)
Emotet Rising in 2020
2020 has kicked off with a lot of new activity from the Emotet botnet. Some of the campaigns our team has found include targeted SMiShing, spam, extortion and more typical infections that deliver other sophisticated malware.
The Emotet botnet, believed to be operated by a group that calls itself “Mealybug,” started out around 2014 and was based on the code of a banking Trojan that was then known as “Bugat.” Emotet was one of the major versions of Bugat, the same codebase that is also the basis of the Dridex Trojan.
In its earlier days, Emotet itself was a banking Trojan, mostly targeting victims in Germany and other parts of Europe. Over time, Mealybug changed the botnet’s vocation and geotargeting, gradually becoming the prominent targeted-access provider for other elite malware gangs with a botnet largely focused on systems in the U.S.
In recent years, Mealybug has been using Emotet to help banking Trojans like QakBot, IcedID, TrickBot and some ransomware variants to get into company networks by using existing footholds they already have, its propagation techniques and creating new infections via targeted spam tactics. This has also meant expanding its attack turf from focusing on North America to around the world, including ongoing campaigns in Japan.
One of the most recent Emotet campaigns that targeted Japanese email recipients used compromised emails concerning the spread of Coronavirus, scaring potential victims into opening malicious attachments that unleash its infection routine.
Emotet’s High Conversion Rates
Why go to Emotet for what would appear to be a much humbler spamming ability? It’s all about conversion rates — how many attempts result in infection. With classic botnet spam, those percentages can be rather low. With targeted spam on already compromised assets, that’s almost a guaranteed infection. This strategy is in line with the narrowing focus of all cybercrime actors in the past two years, concerned more about larger bounties than collecting smaller amounts from a larger number of victims.
Tips for Keeping Emotet Out of Your Networks
Keeping sophisticated, self-propagating malware out of enterprise networks can be a bit of a challenge, but there are some tips that can help teams reduce the risk of infection, including:
- Develop an incident response plan that corresponds with a threat like Emotet. Since this malware can usher in a widespread ransomware attack, your teams will have to escalate quickly, contain and remedy before further damage can take place. Alternatively, organizations can leverage third-party incident response services.
- Educate users about threats like Emotet and its specific tactics of inserting itself into conversations to lure email recipients into opening attachments.
- Ensure systems are patched on time.
- Update endpoint detection and response (EDR) systems and anti-virus solutions deployed throughout your environment.
- Segregate networks to limit the reach of self-propagating malware.
- Review privileged access and privileged users to enforce least privilege principles.
- Keep up to date on blacklists of malicious IPs and compromised websites malware uses to spread.
- Keep up to date on threat intelligence that can help you stay ahead of emerging campaigns and share among teams.
- Mitigate the risk of infection with advanced malware protection.
For security incident emergencies, contact IBM X-Force at: U.S. hotline 1-888-241-9812 | Global hotline (+001) 602-220-1440
Principal Consultant, X-Force Cyber Crisis Management, IBM