End of An Era: Emotet Malware Uninstalled from All Infected Devices
The Uninstalling Was Possible Thanks to the Help of a Malware Module Delivered Back in January by Law Enforcement.
As of January 27th, 2021, the Emotet botnet's infrastructure has been taken down, effectively disrupting the spread of the Emotet malware. This result was achieved as part of an international coordinated operation led by Europol and Eurojust. Law enforcement agencies from across Europe, including Germany, Ukraine, France, Lithuania, the Netherlands, and the UK, collaborated with authorities from the United States to take control of the servers the cybercrime ring used to manage its zombie computers.
After gaining control of Emotet's servers earlier that same week, law enforcement was able to take down the entire botnet.
According to Europol,
The infrastructure that was used by EMOTET involved several hundreds of servers located across the world, all of these having different functionalities in order to manage the computers of the infected victims, to spread to new ones, to serve other criminal groups, and to ultimately make the network more resilient against takedown attempts. The infected machines of victims have been redirected towards this law enforcement-controlled infrastructure. This is a unique and new approach to effectively disrupt the activities of the facilitators of cybercrime.
Three months later, on April 25th, Emotet was uninstalled from all infected devices by the module that law enforcement had delivered in January.
Emotet began as a banking Trojan and later served mainly as a loader for other malware. It spread mostly via malspam (spam emails carrying malicious attachments or links). These messages often used familiar branding, mimicking the email format of well-known and trusted companies such as PayPal or DHL, to convince users to open them.
Emotet was operated by the criminal group tracked as Mummy Spider and was used to deploy second-stage malware payloads onto infected computers. Mummy Spider's operations spanned a range of attack tactics, from banking trojans to point-of-sale malware to ransomware. Emotet infections typically dropped QBot or TrickBot, and these in turn often led to complete network compromise and the deployment of ransomware on all compromised systems: ProLock or Egregor following QBot, and Ryuk or Conti following TrickBot.
According to BleepingComputer, after the takedown operation, law enforcement pushed a new configuration to active Emotet infections so that the malware would begin to use command and control servers controlled by Germany's federal police agency, the Bundeskriminalamt (BKA).
A new Emotet module was then distributed, in the form of a 32-bit EmotetLoader.dll, to all infected systems; it would automatically uninstall the malware on April 25th, 2021.
After analyzing the uninstaller module that law enforcement distributed through the Emotet servers, Malwarebytes security researchers Jérôme Segura and Hasherezade explained in a blog post that it only deletes the associated Windows service and autorun Registry key and then exits the process, leaving everything else on the infected device unaltered.
#Emotet uninstall routine tested via date hack (system clock changed to sometime after April 25).
– Deletes the service
– Deletes the run key
– Attempts (but fails) to move file to %temp%
– Exits the process
👉Emotet is now disabled
— Jérôme Segura (@jeromesegura) January 31, 2021
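The two persistence locations the tweet describes the uninstaller clearing (a Windows service and a Run key) are also the places a defender would check to confirm that a host really is clean. The script below is an added example written for this page; it is not code from the article, from Malwarebytes, or from the BKA module. It lists every Run-key entry and every service on the local machine and flags any whose command line loads a DLL through rundll32.exe from a user-writable directory. That pattern, and the directory list in $suspectRoots, are assumptions chosen for illustration, not published indicators; treat a SUSPECT line as something to investigate, not as proof of infection.

```powershell
# Added example (not from the article, Malwarebytes, or the BKA uninstaller):
# enumerate the persistence locations the uninstaller is described as clearing
# so an analyst can verify, per host, that nothing Emotet-like remains.
# Heuristic (assumption): a loader DLL started via rundll32.exe from a
# user-writable directory. Run as Administrator to see HKLM and all services.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# User-writable roots where a loader DLL would typically be dropped (assumption).
$suspectRoots = @($env:LOCALAPPDATA, $env:APPDATA, $env:TEMP, $env:ProgramData) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

function Test-SuspectCommand {
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $false }
    $usesRundll = $Command -match 'rundll32(\.exe)?'
    $inUserDir = $false
    foreach ($root in $suspectRoots) {
        if ($Command.IndexOf($root, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $inUserDir = $true
        }
    }
    return ($usesRundll -and $inUserDir)
}

Write-Host '== Run-key entries =='
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those.
        if ($p.Name -like 'PS*') { continue }
        $flag = if (Test-SuspectCommand $p.Value) { 'SUSPECT' } else { 'ok' }
        '{0,-8} {1} : {2} = {3}' -f $flag, $key, $p.Name, $p.Value
    }
}

Write-Host '== Services =='
Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $flag = if (Test-SuspectCommand $_.PathName) { 'SUSPECT' } else { 'ok' }
    '{0,-8} {1} ({2}) : {3}' -f $flag, $_.Name, $_.State, $_.PathName
}
```

Because the uninstaller only removes the service and the Run key, the DLL file itself may still be on disk even on a host that reports no SUSPECT entries; a separate sweep of the user-writable directories for orphaned DLLs is the natural follow-up.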
In a press release dated January 28th, the US Department of Justice (DOJ) confirmed that the Bundeskriminalamt pushed the uninstaller module to Emotet-infected computers.
Foreign law enforcement, working in collaboration with the FBI, replaced Emotet malware on servers located in their jurisdiction with a file created by law enforcement, according to the affidavit. This was done with the intent that computers in the United States and elsewhere that were infected by the Emotet malware would download the law enforcement file during an already-programmed Emotet update. (…) The scope of this law enforcement action was limited to the information installed on infected computers by the Emotet operators and did not extend to the information of the owners and users of the computers.
The Bundeskriminalamt told BleepingComputer that the uninstall was delayed in order to collect evidence and to clean the machines of the malware.