This May Be the End of Emotet

European law enforcement has triggered the process of removing the Emotet botnet malware from 1.6 million infected computers around the world by pushing a specially crafted uninstall update created by Germany's Bundeskriminalamt (BKA) federal police agency. Emotet was thought to be the world's largest botnet, known for spewing millions of malware-laden spam emails each day. Law enforcement in the US, Canada and Europe conducted a coordinated takedown of Emotet infrastructure in January to rid the web of one of its worst menaces, which was used to spread banking trojans, remote access tools, and ransomware.

Part of the action involved law enforcement commandeering Emotet's command and control (C2) infrastructure to prevent its operators from using the botnet to spread more malware. As reported by ZDNet in January, law enforcement in the Netherlands took control of two of Emotet's three-tier C2 servers. 

Emotet is a malware strain and a cybercrime operation believed to be based in Russia. The malware, also known as Heodo, was first detected in 2014 and deemed one of the most prevalent threats of the decade. Emotet includes functionality that helps it evade detection by some anti-malware products, and it uses worm-like capabilities to spread to other connected computers, which aids distribution of the malware. This functionality has led the Department of Homeland Security to conclude (https://www.us-cert.gov/ncas/alerts/TA18-201A) that Emotet is one of the most costly and destructive malware families, affecting government and private sectors, individuals and organizations, and costing upwards of $1M per incident to clean up.

"Law enforcement officials will deliver an Emotet update, 'EmotetLoader.dll' file, which will remove the malware from all infected devices. The run key in the Windows registry of infected devices will be removed to ensure that Emotet modules are no longer started automatically and all servers running Emotet processes are terminated," said security company Redscan. "However, it is important to note that the switch-off does not remove other malware installed on infected devices via Emotet, nor malware from other sources," it added.

The cybersecurity firm Malwarebytes has now analyzed the law enforcement Emotet uninstaller. Essentially, law enforcement used Emotet's own botnet infrastructure to dismantle the malware. "The uninstall routine itself is very simple. It deletes the service associated with Emotet, deletes the run key, attempts (but fails) to move the file to %temp% and then exits the process," note the researchers.


Despite the error in the law enforcement code, the researchers add that the Emotet malware "has been neutered and is harmless since it won't run as its persistence mechanisms have been removed."
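The uninstaller described above touches three things on a host: the Emotet service, the registry Run key, and the dropped file (which it fails to move into %temp%). A defender who wants to confirm that a host was actually cleaned, rather than trusting the update, can check for all three directly. The script below is an added example written for this article; it is not code from the article, Malwarebytes, Redscan or law enforcement. The Run-key value name, service name and file path are placeholders that the analyst replaces with indicators from their own incident data, since the article does not list Emotet's actual names.

```powershell
# Added example (not from the article or any vendor): confirm that the three
# persistence artefacts the law-enforcement uninstaller is said to remove
# (autorun Run-key value, Windows service, dropped file) are gone from this host.
# All names below are PLACEHOLDERS to be replaced from the analyst's own data.

param(
    [string[]]$RunValueNames = @('PLACEHOLDER_RUN_VALUE'),
    [string[]]$ServiceNames  = @('PLACEHOLDER_SERVICE'),
    [string[]]$FilePaths     = @("$env:TEMP\PLACEHOLDER_EmotetLoader.dll")
)

# Look for the named values under the per-user and machine-wide Run keys
# (including the WOW6432Node view used by 32-bit processes on 64-bit Windows).
function Test-RunKeyValues {
    param([string[]]$Names)
    $hives = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($hive in $hives) {
        if (-not (Test-Path $hive)) { continue }
        $props = Get-ItemProperty -Path $hive
        foreach ($n in $Names) {
            if ($props.PSObject.Properties.Name -contains $n) {
                [pscustomobject]@{ Type = 'RunKey'; Location = $hive; Name = $n; Value = $props.$n }
            }
        }
    }
}

# Look for the named services and report the binary each one would launch.
function Test-Services {
    param([string[]]$Names)
    foreach ($n in $Names) {
        $svc = Get-Service -Name $n -ErrorAction SilentlyContinue
        if ($svc) {
            $img = (Get-CimInstance Win32_Service -Filter "Name='$n'").PathName
            [pscustomobject]@{ Type = 'Service'; Location = $svc.Status; Name = $n; Value = $img }
        }
    }
}

# Look for the dropped file and record its SHA-256 so the finding can be shared.
function Test-Files {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        if (Test-Path -LiteralPath $p) {
            $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            [pscustomobject]@{ Type = 'File'; Location = $p; Name = (Split-Path $p -Leaf); Value = $hash }
        }
    }
}

$findings = @(Test-RunKeyValues $RunValueNames) + @(Test-Services $ServiceNames) + @(Test-Files $FilePaths)

if ($findings.Count -eq 0) {
    Write-Output 'No watch-listed persistence artefacts remain on this host.'
} else {
    Write-Warning 'Persistence artefacts still present; the uninstaller did not fully clean this host:'
    $findings | Format-Table -AutoSize
}
# Note: as the article stresses, a clean result here says nothing about other
# malware that Emotet may have installed; those need their own indicators.
```

Run it in an elevated PowerShell session so the HKLM hives and service images are readable; a non-empty findings table is the cue to escalate the host for full incident response rather than treat it as remediated.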

According to an FBI press release in January 2021, an FBI investigator's affidavit stated that: "foreign law enforcement agents, working in coordination with the FBI, gained lawful access to Emotet servers located overseas and identified the Internet Protocol addresses of approximately 1.6 million computers worldwide that appear to have been infected with Emotet malware between 01 April 2020, and 17 January 2021." 

Over 45,000 of the infected computers appeared to have been located in the United States. "Foreign law enforcement, working in collaboration with the FBI, replaced Emotet malware on servers located in their jurisdiction with a file created by law enforcement," the FBI said.  This was done with the intent that computers in the United States and elsewhere that were infected by the Emotet malware would download the law enforcement file during an already-programmed Emotet update. 

"The law enforcement file prevents the administrators of the Emotet botnet from further communicating with infected computers. The law enforcement file does not remediate other malware that was already installed on the infected computer through Emotet; instead, it is designed to prevent additional malware from being installed on the infected computer by untethering the victim computer from the botnet."

Red Sky Alliance has been analyzing and documenting cyber threats and groups for over 9 years and maintains a resource library of malware and cyber actor reports available at https://redskyalliance.org at no charge. Many past tactics are reused in current malicious campaigns.


Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com


Weekly Cyber Intelligence Briefings:

Reporting:   https://www.redskyalliance.org/
Website:     https://www.wapacklabs.com/
LinkedIn:    https://www.linkedin.com/company/64265941


REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/3702558539639477516
TR-21-124-002_End_of_Emotet.pdf
https://www.zdnet.com/article/police-just-delivered-this-killswitch-update-to-finish-off-a-notorious-botnet/