Emotet malware self-destructs after cops deliver time-bomb DLL to infected Windows PCs

Uninstall code, distributed from backend servers seized in January, fired on Sunday


Notorious Windows malware Emotet was automatically wiped from computers yesterday by European law enforcement using a customized DLL.

This specially crafted time bomb caused the software to self-destruct on Sunday, April 25. The code was distributed at the end of January to Emotet-infected computers by the malware's command-and-control (C2) infrastructure, which had just been seized in a multinational police operation.

Those raids were largely successful: on Friday this week, malware tracker site Abuse.ch’s Emotet portal showed none of the Emotet C2 servers it tracks were online.

As the dust settled from the swoops, the officers and agents involved wondered what to do next. The answer was to set a firm death date. Infosec bods subsequently spotted that the backend systems seized by the police had made available a software update for Emotet that, once automatically downloaded and quietly installed, would activate an uninstall routine this weekend.

Infosec outfit MalwareBytes confirmed on Sunday that its updated Emotet install had indeed completely removed itself as expected.

Mariya Grozdanova, a threat intelligence analyst at Redscan, described the cops' deinstallation code to The Register: “The EmotetLoader.dll is a 32-bit DLL responsible for removing the malware from all infected computers. This will ensure that all services related to Emotet will be deleted, the run key in the Windows registry is removed – so that no more Emotet modules are started automatically – and all running Emotet processes are terminated.”

The move has similarities to the FBI's cleaning-up of infected Microsoft Exchange Server deployments this month, a move that prompted considerable debate when we revealed the same thing could be lawfully done in the UK.

Emotet was particularly nasty in that it spread mainly via malicious attachments in spam emails, and once installed, could bring in additional malware: infected machines were rented out to crooks to install things like ransomware and code that drained victims' online bank accounts. Computer security biz Digital Shadows highlighted the extent of the Emotet epidemic, and said its removal is an overall win for everyone:

Prior to law enforcement’s takedown of Emotet, the malware reportedly controlled over one million machines. Emotet is also estimated to have made an almighty haul of over $2 billion over the years. Given the exceptionally large financial losses, the seizure of Emotet was almost certainly deemed to be a necessary objective of law enforcement. In this sense, its importance is clear to see. Emotet has dominated the cyber threat landscape, and taking it off the board represents a symbolic and strategic victory.

Before the weekend, Redscan’s Grozdanova told The Register Dutch authorities distributed the DLL, adding "there might be German involvement as well since the international team that disrupted Emotet was led by both Dutch and German investigators."

It’s entirely probable that some Emotet-infected devices were located in the UK. Technically speaking, the Europeans may have committed criminal offences under Blighty's Computer Misuse Act due to the way they chose to remove the malware without the permission of the PCs’ owners. Not that any prosecutor would ever pursue those claims, though the point remains.

Interestingly enough, the US Dept of Justice, which also played a role in the seizure of the malware's servers, said in a statement in January that "foreign law enforcement, working in collaboration with the FBI, replaced Emotet malware on servers located in their jurisdiction with a file created by law enforcement," a file that prevented Emotet's masterminds from ever regaining control of infected PCs. The Feds did not mention anything about a delayed uninstall routine, and stressed any changes to systems were done by foreigners.

Neither the Germans nor the Dutch have gone on the record as owning Sunday’s execution of Emotet. In late January, Germany and the Netherlands said they had, via Emotet control servers seized in their jurisdictions, released a software update that quarantined Emotet infections on people's PCs, and directed connections from the malware to evidence-gathering systems, thus ensuring the software nasty's perpetrators could no longer send commands to their botnet.

Paul Robichaux, senior director of product management at IT forensics firm Quest, told us: “These kind of large-scale, coordinated attacks and global botnets are too big for individual organisations to resolve entirely themselves, and leaving individual companies to clean them up themselves is a legitimate national security problem. However, the fact that law enforcement is on the case is no excuse to let your guard down. You still need to focus on securing your own environments.” ®

Similar topics

Broader topics


Other stories you might like

  • Tesla driver charged with vehicular manslaughter after deadly Autopilot crash

    Prosecution seems to be first of its kind in America

    A Tesla driver has seemingly become the first person in the US to be charged with vehicular manslaughter for a deadly crash in which the vehicle's Autopilot mode was engaged.

    According to the cops, the driver exited a highway in his Tesla Model S, ran a red light, and smashed into a Honda Civic at an intersection in Gardena, Los Angeles County, in late 2019. A man and woman in the second car were killed. The Tesla driver and a passenger survived and were taken to hospital.

    Prosecutors in California charged Kevin George Aziz Riad, 27, in October last year though details of the case are only just emerging, according to AP on Tuesday. Riad, a limousine service driver, is facing two counts of vehicular manslaughter, and is free on bail after pleading not guilty.

    Continue reading
  • AMD returns to smartphone graphics with new Samsung chip for your pocket computer

    We're back in black

    AMD's GPU technology is returning to mobile handsets with Samsung's Exynos 2200 system-on-chip, which was announced on Tuesday.

    The Exynos 2200 processor, fabricated using a 4nm process, has Armv9 CPU cores and the oddly named Xclipse GPU, which is an adaptation of AMD's RDNA 2 mainstream GPU architecture.

    AMD was in the handheld GPU market until 2009, when it sold the Imageon GPU and handheld business for $65m to Qualcomm, which turned the tech into the Adreno GPU for its Snapdragon family. AMD's Imageon processors were used in devices from Motorola, Panasonic, Palm and others making Windows Mobile handsets.

    Continue reading
  • Big shock: Guy who fled political violence and became rich in tech now struggles to care about political violence

    'I recognize that I come across as lacking empathy,' billionaire VC admits

    Billionaire tech investor and ex-Facebook senior executive Chamath Palihapitiya was publicly blasted after he said nobody really cares about the reported human rights abuse of Uyghur Muslims in China.

    The blunt comments were made during the latest episode of All-In, a podcast in which Palihapitiya chats to investors and entrepreneurs Jason Calacanis, David Sacks, and David Friedberg about technology.

    The group were debating the Biden administration’s response to what's said to be China's crackdown of Uyghur Muslims when Palihapitiya interrupted and said: “Nobody cares about what’s happening to the Uyghurs, okay? ... I’m telling you a very hard ugly truth, okay? Of all the things that I care about … yes, it is below my line.”

    Continue reading

Biting the hand that feeds IT © 1998–2022