
Where is Emotet? Latest geolocation data

Emotet is an old malware threat that continues to affect many users and companies around the world. Once a machine has been infected, a number of things can happen—but typically, new malware is deployed and credentials are stolen.

Emotet’s business model is based on distribution groups – the stolen credentials are necessary for future distribution campaigns, but the threat actor can also use these credentials to access emails and carry out other malicious activity, such as extracting new email addresses from the contacts or reading previous emails. Once Emotet has stolen the sensitive information from the infected machine, it is capable of deploying other types of malware, such as Panda Banker, Qakbot or IcedID, which can extract money from bank accounts.

What the data says

After compiling approximately one year’s worth of geolocation data, we have observed that some countries are more seriously affected by the malware than others. The USA, UK and (occasionally) India are the countries most heavily targeted by credential-grabbing threat actors. However, Germany, Argentina, South Africa and Chile are all notable targets too. Concerningly, 1.5% of the total affected users globally appear to be from governmental entities.

Distribution geolocation

Emotet is a global issue, as displayed on the heatmap below.

Top 10 countries affected:

  1. USA
  2. Germany
  3. Mexico
  4. United Kingdom
  5. Argentina
  6. South Africa
  7. Chile
  8. Colombia
  9. India
  10. Canada

How threat actors are distributing Emotet

Threat actors behind the distribution are using different techniques in each campaign. For example, they might include malicious URLs from where the malware is downloaded, as seen in the following image:

Alternatively, in similar campaigns, threat actors may attach infected documents with long passwords to avoid detection by security filters, as seen in the example below:

Our detection of Emotet samples has not slowed. In fact, distribution is becoming even more aggressive, having tripled over the past year. We continue to track and process the malware using our unique sandbox. Join the Blueliv Threat Exchange Network today for access, and get the latest news and views from Blueliv analysts and our industry colleagues.

IOCs:

Emails:

88fef982054815e45641c96fe1f2624e97d85a4386ba3dc43c83664db6d5cfe3
287d05c779c06c8728fca7751de1a0d424dd783cefbcc0f798e593b20590341e

URLs:

hxxps://iqbaldbn[.]me/wp/Tobk-7yX2IL6yQVBpQQ4_HqPclVLT-ZHo/

Emotet:

481b41280f30a18752b57cadd7309248519d839d6cd098a7922af2d570fab1b6
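As an added defender-side example (not part of the Blueliv post), the IOCs above loaded into a small Python checker that refangs the defanged URL, compares file SHA-256 hashes against the published hashes, and scans a proxy log for the IOC host; the proxy log lines and the empty-file hash used in the run are constructed for illustration.

```python
import hashlib
import re
from urllib.parse import urlparse

# IOCs exactly as published in the post (SHA-256 hashes, defanged URL).
EMAIL_HASHES = {
    "88fef982054815e45641c96fe1f2624e97d85a4386ba3dc43c83664db6d5cfe3",
    "287d05c779c06c8728fca7751de1a0d424dd783cefbcc0f798e593b20590341e",
}
PAYLOAD_HASHES = {"481b41280f30a18752b57cadd7309248519d839d6cd098a7922af2d570fab1b6"}
DEFANGED_URLS = ["hxxps://iqbaldbn[.]me/wp/Tobk-7yX2IL6yQVBpQQ4_HqPclVLT-ZHo/"]

# Constructed proxy log (not real traffic); line 2 references the IOC host.
SAMPLE_PROXY_LOG = [
    "2019-03-04 10:21:55 10.0.0.5 GET https://example.com/index.html 200",
    "2019-03-04 10:22:01 10.0.0.5 GET https://iqbaldbn.me/wp/Tobk-7yX2IL6yQVBpQQ4_HqPclVLT-ZHo/ 200",
    "2019-03-04 10:22:09 10.0.0.5 GET https://example.org/login 302",
]


def refang(ioc: str) -> str:
    """Undo common defanging (hxxp/hxxps, [.], [:]) so an IOC matches real log data."""
    out = re.sub(r"^hxxp", "http", ioc, flags=re.IGNORECASE)
    return out.replace("[.]", ".").replace("[:]", ":")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def match_hashes(samples: dict, known: set) -> list:
    """Return the names of samples (name -> raw bytes) whose SHA-256 is a known IOC."""
    return sorted(name for name, data in samples.items() if sha256_hex(data) in known)


def match_urls(log_lines: list, defanged: list) -> list:
    """Return (line number, host) for each log line that references an IOC host.

    Matching on the host rather than the full URL also catches reuse of the same
    compromised site with a different download path; the lookbehind/lookahead
    prevents 'iqbaldbn.me' from matching inside a longer, unrelated hostname."""
    hosts = {urlparse(refang(u)).netloc.lower() for u in defanged}
    hits = []
    for n, line in enumerate(log_lines, 1):
        for host in sorted(hosts):
            if re.search(r"(?<![\w.-])" + re.escape(host) + r"(?![\w-])", line.lower()):
                hits.append((n, host))
    return hits


if __name__ == "__main__":
    print(match_urls(SAMPLE_PROXY_LOG, DEFANGED_URLS))  # [(2, 'iqbaldbn.me')]
    print(match_hashes({"attachment.doc": b""}, EMAIL_HASHES | PAYLOAD_HASHES))  # []
```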


This blog post was authored by Blueliv Labs Team.
