Thanks to Dancho Danchev, WhoisXML API’s DNS Threat Researcher for the original investigation available here which led to the creation of this post.

Emotet traces its origin as far back as 2014, when its simplest form as a banking Trojan first made the headlines. Over the years, its creators have constantly improved the malware, a popular malware-as-a-service (MaaS) offering in cybercriminal underground fora.

On 25 April 2021, law enforcement agents seized the botnet’s infrastructure and scheduled a mass uninstallation for all infected computers. But is the malware truly dead? This analytical post seeks to find out.

Has Emotet Finally Been Stopped?

For this short analysis of current Emotet botnet activity, we used 228 identified IP addresses as a starting point. Through reverse IP/DNS lookups, we found that these IP addresses resolved to 3,981 domains and 4,109 subdomains. Some or even all of these could be part of the Emotet botnet infrastructure.

To determine if any of the 3,981 domains obtained from reverse DNS searches remain active even after the takedown and purging of infections, we subjected them to screenshot lookups and found that:

• Around 16% of them were not reachable. These could have been taken down.
• Around 16% of them led to either blank, forbidden, or error pages.
• Around 2% of them were up for sale.
• Around 66% of them were still live but in various states. Some hosted websites while others were under construction or parked. These, especially the ones that looked like the pages of big name brands like WhatsApp, Akamai, and Amazon could be potentially used as phishing pages.

All in all, we can say that it’s possible that not all of the IP addresses and domains that are part of the Emotet botnet infrastructure have been shut down. Some of the web pages may still be up and running, putting users who visit them at risk of malware infection or, worse, identity and financial theft.

Note the use of legitimate domains as well for many of the subdomains. Examples of potentially abused domains include:

• whatsapp[.]net
• akamaitechnologies[.]com
• digicert[.]com
• amazonaws[.]com
• apple[.]com
• googleusercontent[.]com
• googlevideo[.]com
• android[.]com
• google[.]co[.]in
• vimeo[.]com

This strategy could be an evasion tactic that gets their phishing or malicious communications through to protected networks.

Several of the IP addresses resolved to the same domains, which could be indicative of their ties to the same network or, in this case, cybercriminal gang that runs the Emotet botnet.

A bulk IP geolocation lookup for the IP addresses revealed that:

• A huge majority of the IP address users (150) were located in the U.S.
• Iran (19 IP addresses), China (12), Germany (10), and France (9) rounded up the top 5 locations.

If the IP geolocation data is taken as is, we can infer that the Emotet botnet operators are mostly U.S.-based although the presence of IP addresses in at least 13 other countries could indicate a global operation.

Authorities who are part of the takedown operation could seek the help of the Internet service providers (ISPs) who assigned the IP addresses, which include:

• The IP addresses were distributed across 56 ISPs but a huge majority belonged to Google (74).
• The top 10 ISPs by number of IP addresses were Google (74) in first place; Cloudflare (23) in second place; Amazon (16) in third place; Akamai (15) in fourth place; Asiatech Data Transmission (13) in fifth place; Guangzhou NetEase Computer System (7) in sixth place; Fastly (6) in seventh place; China Mobile and Hetzner Online (5 each) tied in eighth place; Apple, MCI Communications Services, and OVH (4 each) tied in ninth place; and Alibaba (3) in tenth place.
• The remaining 49 IP addresses were managed by 42 different ISPs. Beijing Baidu Netcom Science and Technology, DigitalOcean, Level 3 Parent, NTT America, Quantil Networks, and Siber Systems owned two IP addresses each. A.P., Amen CloudDirect, Atrin Communications and Information Technology, Dade Samane Fanava, Reg.ru, Edgecast, Eniseynet, Equinix, Facebook, Free SAS, GMO Internet, GoDaddy, Highwinds Network Group, Hostinger International, Incapsula, Internap Holding, LeaseWeb Netherlands, Loopback, Microsoft, Nazhin Sepahan IT and Data Processing, Netcup, NIC-Hosting, NRP Network, Paris Quentin, Pars Parva System, PDR, Republican Unitary Telecommunication Enterprise, SASU SYNPSH, Simply Transit, Sindad Network Technology, Snel.com, StackPath, UKFast.net, Vira Tadbir Rayan, Waycom International, and Wikia operated one IP address each.

The ISPs identified above could help with takedowns if the sites that are part of the Emotet botnet are still up and running.

Domain and IP intelligence can help cybersecurity specialists dig deeper into the ties that bind IoCs pertaining to the large-scale operation of threats like Emotet.

If you wish to get the entire list of artifacts we uncovered from our short analysis of the Emotet botnet featured in this post, don’t hesitate to contact us. We’re always open to working with fellow researchers.