The Emotet gang's email lures, which take advantage of current news events, seem to be quite convincing and successful at tricking a large number of users. Just how successful are they? Let's have a look at the numbers behind their infections.
First, here's one of their latest malicious Word documents that's been making the rounds recently.
Dumping out the variable from the VBA macro reveals a PowerShell script.
Decoding the base64 portion of the script gives us the URLs used to pull down the EXE payload.
Here are the five URLs that this script is using.
We get the Emotet binary when we visit one of the URLs. Only one URL is active at the time of this writing.
Let's view the counts of this download. This tells us that there were only five downloads made to Windows machines. However, since the other URLs are down, I don't know how many downloads there were in total.
Device-type legend for the counts: 0 = Unknown, 1 = Android, 2 = Apple, 3 = Linux, 4 = Windows.
The EXE file we get is flagged by only four AVs out of 71 and does appear to be Emotet.
Now let me step back to the beginning where we get the malicious Word document.
Based on these counts, we see that this document has been downloaded a whopping 987 times to Windows machines.
Using the data from urlhaus.abuse.ch, I selected only active URLs related to Emotet for the month of January. I pulled down only the headers to determine the file being downloaded from each URL then I downloaded the counts from the JSON file.
Here are the totals. In the month of January, there were 4.1 million DOC downloads to Windows machines (732K were downloaded from other device types). The averages are below which can be read as the number of downloads per URL.
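To make the counting step concrete, here is an added example (mine, not the post's) that filters a set of URL records down to active Emotet URLs added in a given month, buckets each by the file type seen in the HEAD response, and totals the per-device download counts with a per-URL average. The record layout, field names and sample values are assumed for illustration and are not the real urlhaus.abuse.ch export format.

```python
from collections import defaultdict
import json

WINDOWS = "4"  # device-type code for Windows in the post's legend

# Constructed sample records (values invented for this example). The field
# names are an ASSUMED layout, not the real urlhaus.abuse.ch export format:
# url_status/tags/date_added for filtering, content_type standing in for the
# HEAD response, and counts keyed by device-type code.
SAMPLE_JSON = json.dumps([
    {"url": "http://example.invalid/a/", "url_status": "online",
     "tags": ["emotet", "doc"], "date_added": "2020-01-14",
     "content_type": "application/msword", "counts": {"0": 3, "1": 10, "4": 900}},
    {"url": "http://example.invalid/b/", "url_status": "online",
     "tags": ["emotet", "exe"], "date_added": "2020-01-20",
     "content_type": "application/x-msdownload", "counts": {"2": 1, "4": 5}},
    {"url": "http://example.invalid/c/", "url_status": "offline",
     "tags": ["emotet"], "date_added": "2020-01-22",
     "content_type": "", "counts": {}},
    {"url": "http://example.invalid/d/", "url_status": "online",
     "tags": ["emotet", "doc"], "date_added": "2019-12-30",
     "content_type": "application/msword", "counts": {"4": 50}},
])


def classify(content_type):
    """Map the Content-Type from the HEAD request to the post's DOC/EXE buckets."""
    ct = content_type.lower()
    if "msword" in ct or "officedocument" in ct:
        return "DOC"
    if "msdownload" in ct:
        return "EXE"
    return "OTHER"


def summarize(records_json, month="2020-01"):
    """Totals and per-URL averages for active Emotet URLs added in `month`."""
    totals = defaultdict(lambda: {"windows": 0, "other": 0, "urls": 0})
    for rec in json.loads(records_json):
        # Only URLs that were still online and tagged Emotet, as in the post.
        if rec["url_status"] != "online" or "emotet" not in rec["tags"]:
            continue
        if not rec["date_added"].startswith(month):
            continue
        bucket = totals[classify(rec["content_type"])]
        bucket["urls"] += 1
        for device, n in rec["counts"].items():
            bucket["windows" if device == WINDOWS else "other"] += n
    for bucket in totals.values():
        bucket["avg_windows_per_url"] = bucket["windows"] / bucket["urls"]
    return dict(totals)
```

Offline URLs and URLs added outside the month are dropped before counting, which mirrors the caveat that only URLs still active at counting time contribute to the totals.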
Several caveats to mention here. A downloaded file doesn't mean it was opened; likewise, an EXE being downloaded doesn't mean the machine was infected. There were more URLs, but they were not active when I started counting. Also, there were likely a good number of researchers and AV companies pulling down the files.
In any case, this should give us a good idea of the success of these campaigns, which is both impressive and depressing: 4,289 Emotet downloads to Windows machines per URL in January!