Emotet malware self-destructs after cops deliver time-bomb DLL to infected Windows PCs

Uninstall code, distributed from backend servers seized in January, fired on Sunday


Notorious Windows malware Emotet was automatically wiped from computers yesterday by European law enforcement using a customized DLL.

This specially crafted time bomb caused the software to self-destruct on Sunday, April 25. The code was distributed at the end of January to Emotet-infected computers by the malware's command-and-control (C2) infrastructure, which had just been seized in a multinational police operation.

Those raids were largely successful: on Friday this week, malware tracker site Abuse.ch’s Emotet portal showed none of the Emotet C2 servers it tracks were online.

As the dust settled from the swoops, the officers and agents involved wondered what to do next. The answer was to set a firm death date. Infosec bods subsequently spotted that the backend systems seized by the police had made available a software update for Emotet that, once automatically downloaded and quietly installed, would activate an uninstall routine this weekend.

Infosec outfit MalwareBytes confirmed on Sunday that its updated Emotet install had indeed completely removed itself as expected.

Mariya Grozdanova, a threat intelligence analyst at Redscan, described the cops' deinstallation code to The Register: “The EmotetLoader.dll is a 32-bit DLL responsible for removing the malware from all infected computers. This will ensure that all services related to Emotet will be deleted, the run key in the Windows registry is removed – so that no more Emotet modules are started automatically – and all running Emotet processes are terminated.”

The move has similarities to the FBI's cleaning-up of infected Microsoft Exchange Server deployments this month, a move that prompted considerable debate when we revealed the same thing could be lawfully done in the UK.

Emotet was particularly nasty in that it spread mainly via malicious attachments in spam emails, and once installed, could bring in additional malware: infected machines were rented out to crooks to install things like ransomware and code that drained victims' online bank accounts. Computer security biz Digital Shadows highlighted the extent of the Emotet epidemic, and said its removal is an overall win for everyone:

Prior to law enforcement’s takedown of Emotet, the malware reportedly controlled over one million machines. Emotet is also estimated to have made an almighty haul of over $2 billion over the years. Given the exceptionally large financial losses, the seizure of Emotet was almost certainly deemed to be a necessary objective of law enforcement. In this sense, its importance is clear to see. Emotet has dominated the cyber threat landscape, and taking it off the board represents a symbolic and strategic victory.

Before the weekend, Redscan’s Grozdanova told The Register Dutch authorities distributed the DLL, adding "there might be German involvement as well since the international team that disrupted Emotet was led by both Dutch and German investigators."

It’s entirely probable that some Emotet-infected devices were located in the UK. Technically speaking, the Europeans may have committed criminal offences under Blighty's Computer Misuse Act due to the way they chose to remove the malware without the permission of the PCs’ owners. Not that any prosecutor would ever pursue those claims, though the point remains.

Interestingly enough, the US Dept of Justice, which also played a role in the seizure of the malware's servers, said in a statement in January that "foreign law enforcement, working in collaboration with the FBI, replaced Emotet malware on servers located in their jurisdiction with a file created by law enforcement," a file that prevented Emotet's masterminds from ever regaining control of infected PCs. The Feds did not mention anything about a delayed uninstall routine, and stressed any changes to systems were done by foreigners.

Neither the Germans nor the Dutch have gone on the record as owning Sunday’s execution of Emotet. In late January, Germany and the Netherlands said they had, via Emotet control servers seized in their jurisdictions, released a software update that quarantined Emotet infections on people's PCs, and directed connections from the malware to evidence-gathering systems, thus ensuring the software nasty's perpetrators could no longer send commands to their botnet.

Paul Robichaux, senior director of product management at IT forensics firm Quest, told us: “These kind of large-scale, coordinated attacks and global botnets are too big for individual organisations to resolve entirely themselves, and leaving individual companies to clean them up themselves is a legitimate national security problem. However, the fact that law enforcement is on the case is no excuse to let your guard down. You still need to focus on securing your own environments.” ®


Other stories you might like

Biting the hand that feeds IT © 1998–2021