Law enforcement and judicial authorities around the world have geared up to remove the infamous email spam botnet Emotet from all infected devices, using a purpose-built uninstaller module delivered over Emotet's own update channel. The Emotet botnet has been responsible for numerous malware campaigns affecting organizations across the globe over the years. Its operators sent millions of spam emails with malicious attachments to infect victims' devices. The notorious malware, which has wreaked havoc for the last seven years, is also linked to other botnet-based campaigns: by renting its infrastructure to other cybercriminal groups, Emotet served as a delivery channel for payloads such as TrickBot and Ryuk ransomware.
The Takedown of Emotet
The takedown of Emotet is the result of an internationally coordinated action carried out in January 2021, which disrupted Emotet's malicious operations. The operation was a collaborative effort between authorities in the Netherlands, Germany, the U.S., the U.K., France, Lithuania, Canada, and Ukraine, coordinated by Europol and Eurojust, and carried out within the framework of the European Multidisciplinary Platform Against Criminal Threats (EMPACT).
Emotet Uninstaller Module
Law enforcement authorities pushed a new Emotet module, in the form of a 32-bit EmotetLoader.dll, to all infected computers so that the malware will automatically uninstall itself. "The version with the uninstaller is now pushed via channels that were meant to distribute the original Emotet. Although currently the deletion routine won't be called yet, the infrastructure behind Emotet is already controlled by law enforcement, so the bots are not able to perform their malicious action. For victims with an existing Emotet infection, the new version will come as an update, replacing the former one. This is how it will be aware of its installation paths and able to clean itself once the deadline has passed," Malwarebytes said.
According to Malwarebytes security researcher Jérôme Segura, who tested the routine by moving the system clock past the trigger date, the uninstaller deletes the service associated with Emotet, deletes the run key, attempts to move the file to %temp% (a step that failed in his test), and then exits the process, without disturbing anything else on the infected device.
#Emotet uninstall routine tested via date hack (system clock changed to sometime after April 25).
– Deletes the service
– Deletes the run key
– Attempts (but fails) to move file to %temp%
– Exits the process
👉Emotet is now disabled
— Jérôme Segura (@jeromesegura) January 31, 2021
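The cleanup routine described above only removes Emotet's own service and run key, and only after the April 25 deadline; nothing on the page says it reports what it did. The following PowerShell script is an added example (not code from the article, Malwarebytes or Jérôme Segura) that an administrator could run after that date to look for the kind of leftovers a partial uninstall leaves behind: Run-key values and services whose executable no longer exists, or now sits under %TEMP% (where the routine tries to move the file). It assumes nothing about Emotet's randomized service or value names; it simply flags every persistence entry with a missing or %TEMP%-resident target and reports it for review, deleting nothing.

```powershell
# Added example: report Run-key values and services whose target binary is gone
# or lives under %TEMP%, as a post-cleanup check. Read-only; it removes nothing.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$tempDir = [System.IO.Path]::GetFullPath($env:TEMP)

function Get-ExePath([string]$commandLine) {
    # Pull the executable out of a service or Run-key command line; arguments are dropped.
    if ($commandLine -match '^\s*"([^"]+)"')   { return $Matches[1] }
    if ($commandLine -match '^\s*(\S+\.exe)')  { return $Matches[1] }
    return ($commandLine.Trim() -split '\s+')[0]
}

function Test-Leftover([string]$exePath) {
    # A target that is missing, or that has been moved under %TEMP%, is worth a look.
    $full   = [Environment]::ExpandEnvironmentVariables($exePath)
    $exists = Test-Path -LiteralPath $full
    $inTemp = $full.StartsWith($tempDir, [StringComparison]::OrdinalIgnoreCase)
    return (-not $exists) -or $inTemp
}

$findings = @()

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($prop in $values.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath metadata
        $exe = Get-ExePath ([string]$prop.Value)
        if (Test-Leftover $exe) {
            $findings += [pscustomobject]@{ Kind = 'RunKey'; Source = $key; Name = $prop.Name; Target = $exe }
        }
    }
}

foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    if (-not $svc.PathName) { continue }
    $exe = Get-ExePath $svc.PathName
    if (Test-Leftover $exe) {
        $findings += [pscustomobject]@{ Kind = 'Service'; Source = $svc.StartMode; Name = $svc.Name; Target = $exe }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Run-key or service entries with missing or %TEMP%-resident targets.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it in an elevated session so HKLM and all services are readable. A hit is not proof of Emotet; a legitimate uninstaller can leave a dangling Run entry too. Treat each finding as a lead for the forensic review Malwarebytes says the delayed deadline was meant to allow, and preserve the registry hive and any file under %TEMP% before removing anything.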
Several industry experts stated that the successful removal of Emotet will benefit organizations worldwide and the more than one million systems that were infected. "Pushing code via a botnet, even with good intentions, has always been a thorny topic mainly because of the legal ramifications such actions imply. The lengthy delay for the cleanup routine to activate may be explained by the need to give system administrators time for forensics analysis and checking for other infections," Malwarebytes added.