Emotet botnet self-destructed on all infected machines
Information security experts report that on April 25 a “time bomb” went off and the Emotet botnet self-destructed on all infected machines.This became possible as in January this year, Europol, the FBI and law enforcement agencies of many countries, including Canada, the Netherlands, France, Germany, Lithuania, Great Britain and Ukraine, conducted a large-scale coordinated operation to eliminate the Emotet botnet, preparations for which lasted two years.
Then law enforcement officers joined forces, and they managed to seize control over the Emotet infrastructure, disrupting its work. As a result, the criminals were no longer able to use the hacked machines, and the malware stopped spreading to new targets.
Moreover, law enforcement officers used their access to the Emotet control servers, which came under the control of the German Federal Criminal Police Office (Bundeskriminalamt), to deploy a special update to all infected hosts.
A new module for Emotet, created by Bundeskriminalamt specialists, was distributed to all infected systems in the form of a 32-bit file EmotetLoader.dll. This update contained a “time bomb”: a mechanism that was supposed to lead to the removal of Emotet from all infected machines on April 25, 2021 at 12:00 local time.
In January, Bundeskriminalamt officials told Bleeping Computer that the four-month delay was due to the collection of evidence:
“Identifying compromised systems is essential to collecting evidence, and it will also enable interested users to fully clean their systems to prevent further wrongdoing. For this, the communication parameters of the software were adjusted so that the victim’s systems were more able to interact with the infrastructure of the criminals, and worked with the infrastructure created to collect evidence.”
This “planned outage” should effectively eliminate Emotet, forcing malware operators to start over and giving IT staff around the world the ability to find and secure infected devices.
At the beginning of the year, Malwarebytes researchers took a close look at this module and how it works. They noticed that if you change the system time on the test machine and run the module, it only removed the associated Windows services, autorun keys from the registry, and then exits the process, leaving everything else intact on the compromised device.
“For this approach to be successful over time, it is important to follow these updates as closely as possible, and, if possible, to involve the law enforcement agencies, who should publish these updates in the open access, so analysts can be sure that something undesirable has not escaped [from removal]”, — said Malwarebytes experts.
Bleeping Computer notes that experts from the FBI, Europol and Bundeskriminalamt did not comment on April 25 and the removal of Emotet from infected systems. So far, law enforcement officers have refused to talk about this with media representatives.
Let’s remember that not only law enforcement and information security specialists fought against Emotet in their own way: Unknown hackers interfere in the work of the Emotet botnet by replacing malware with GIF files.