Where is Emotet? Latest geolocation data

Emotet is a long-running malware threat that continues to affect users and organisations around the world. Once a machine has been infected a number of things can happen, but typically additional malware is deployed and credentials are stolen.

Emotet’s business model is built around distribution: the stolen credentials feed future spam campaigns, and the operators can also use them to access mailboxes and carry out other malicious activity, such as harvesting new addresses from contact lists or reading earlier messages. Beyond stealing sensitive information from the infected machine, Emotet acts as a loader and deploys other malware families, such as Panda Banker, Qakbot or IcedID, banking trojans used to extract money from victims’ accounts.

What the data says

After compiling approximately one year’s worth of geolocation data, we observed that some countries are affected considerably more than others. The USA, the UK and, at times, India are the countries most heavily targeted by credential-grabbing threat actors, while Germany, Argentina, South Africa and Chile are notable targets too. Concerningly, 1.5% of affected users globally appear to belong to governmental entities.

Distribution geolocation

Emotet is a global issue, as displayed on the heatmap below.

Top 10 countries affected:

  1. USA
  2. Germany
  3. Mexico
  4. United Kingdom
  5. Argentina
  6. South Africa
  7. Chile
  8. Colombia
  9. India
  10. Canada

How threat actors are distributing Emotet

The threat actors behind distribution vary their techniques from campaign to campaign. For example, an email may carry a malicious URL from which the malware is downloaded, as seen in the following image:

Alternatively, in similar campaigns, the actors attach malicious documents protected with long passwords; a security filter that cannot open the file cannot inspect its content, as seen in the example below:
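The two delivery patterns described above (a download link in the message body, and a password-protected Office attachment) can be triaged mechanically at the mail gateway. The following is an added example written for this post, not Blueliv’s code or tooling: it parses an RFC 5322 message, extracts URLs whose path ends in a document or archive, and flags attachments whose name says OOXML (.docx, .xlsx, ...) but whose bytes are an OLE compound file, which is how a password-encrypted OOXML package is stored. The sample message, the example.invalid addresses and URL, the password-in-body regex and the list of risky extensions are all constructed assumptions for the demonstration.

```python
"""Triage an e-mail for the Emotet delivery patterns described in the text:
a download URL in the body and a password-protected Office attachment.
Added example (not Blueliv's code); the sample message is constructed."""
import email
import re
from email import policy
from email.message import EmailMessage

# An OOXML file is a ZIP. A password-protected OOXML file is instead wrapped
# in an OLE Compound File (EncryptionInfo / EncryptedPackage streams).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"
OOXML_EXT = (".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
# Assumption: the lure states the attachment password in the body text.
PASSWORD_RE = re.compile(r"password\s*(?:is|:)?\s*[\"']?([^\s\"']{4,})", re.I)
# Assumption: a URL whose path ends in a document/archive/script is risky.
RISKY_PATH_RE = re.compile(r"\.(?:docm?|docx|xls[xm]?|zip|rar|js|exe)(?:$|[?#])", re.I)


def classify_attachment(filename, data):
    """Return a finding for a suspicious attachment, or None."""
    name = (filename or "").lower()
    if name.endswith(OOXML_EXT):
        if data.startswith(OLE_MAGIC):
            return "encrypted OOXML (OLE container): likely password-protected"
        if not data.startswith(ZIP_MAGIC):
            return "OOXML name but not a ZIP container"
    elif name.endswith((".doc", ".xls", ".ppt")) and data.startswith(OLE_MAGIC):
        return "legacy OLE document: inspect for macros before opening"
    return None


def triage(raw):
    """Parse raw RFC 5322 bytes and collect the indicators above."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    urls = URL_RE.findall(body)
    risky_urls = [u for u in urls if RISKY_PATH_RE.search(u)]
    m = PASSWORD_RE.search(body)
    attachments = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        finding = classify_attachment(part.get_filename(), data)
        if finding:
            attachments.append((part.get_filename(), finding))
    suspicious = bool(risky_urls) or bool(attachments)
    return {
        "urls": urls,
        "risky_urls": risky_urls,
        "password_in_body": m.group(1) if m else None,
        "attachments": attachments,
        "verdict": "suspicious" if suspicious else "clean",
    }


def build_sample():
    """Constructed lure resembling the campaigns described above."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Invoice 48213"
    msg.set_content(
        "Please find the invoice attached.\n"
        "Password: Inv0ice-2019-Secure\n"
        "Or download it here: http://example.invalid/files/Invoice.doc\n")
    # Header-only stand-in for an encrypted .docx: OLE magic, then padding.
    fake_doc = OLE_MAGIC + b"\x00" * 504
    msg.add_attachment(
        fake_doc, maintype="application",
        subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
        filename="Invoice.docx")
    return msg.as_bytes()


if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print(f"{key}: {value}")
```

The magic-byte check is the useful part: a gateway that keys on the declared MIME type or the file extension sees a harmless .docx, while the container type reveals that the package is encrypted and therefore cannot have been scanned. A password found in the body alongside such an attachment is the combination to alert on.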

Our detection of Emotet samples has not slowed; distribution has become even more aggressive, tripling over the past year. We continue to track the malware and process samples in our sandbox. Join the Blueliv Threat Exchange Network today for access, and for the latest news and views from Blueliv analysts and our industry colleagues.

This blog post was authored by Blueliv Labs Team.
