European law enforcement on Sunday used a customized Windows Dynamic Link Library (DLL) to automatically wipe the Emotet malware from thousands of infected Windows computers.
For those unaware, Emotet, one of the world’s most infamous botnets, is a network of hijacked computers and devices infected with malware and controlled remotely by cybercriminals.
This network is then used to send spam and launch Distributed Denial of Service (DDoS) attacks. It can also be rented out to other cybercriminals.
This specially crafted time bomb, built by the European authorities, instructed the malware to uninstall itself on Sunday, April 25, 2021.
The code was distributed to the Emotet-infected computers at the end of January by using the malware’s own command-and-control (C2) infrastructure, which was previously seized in a police operation involving multiple countries.
The update contained a clean-up routine responsible for uninstalling Emotet from infected computers with a deadline of April 25.
The global operation was announced by Europol in a press release on January 27 to take down the botnet. “To severely disrupt the EMOTET infrastructure, law enforcement teamed up together to create an effective operational strategy.
It resulted in this week’s action whereby law enforcement and judicial authorities gained control of the infrastructure and took it down from the inside,” they said.
“The infected machines of victims have been redirected towards this law enforcement-controlled infrastructure. This is a unique and new approach to effectively disrupt the activities of the facilitators of cybercrime.”
Mariya Grozdanova, a threat intelligence analyst at Redscan, explained the authorities’ uninstallation code to The Register: “The EmotetLoader.dll is a 32-bit DLL responsible for removing the malware from all infected computers.
This will ensure that all services related to Emotet will be deleted, the run key in the Windows registry is removed – so that no more Emotet modules are started automatically – and all running Emotet processes are terminated.”
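The quoted description names three persistence points the uninstaller had to deal with: services, the Run key in the Windows registry, and running processes. The script below is an added illustration, not the EmotetLoader.dll code or anything released by law enforcement or Redscan. It audits those same locations on a Windows host from a defender's side, flagging Run-key entries, services and processes whose executable lives in a user-writable directory. The set of user-writable roots is an assumed generic heuristic, not an Emotet indicator, and the script only reports; it deletes nothing.

```powershell
# Added example (not law-enforcement or Redscan code): audit the three persistence
# points named in the quoted description. Read-only; nothing is removed.
# Assumption: programs legitimately installed for all users rarely start from these
# user-writable roots, so anything launching from them deserves a second look.
$suspiciousRoots = @(
    $env:APPDATA,
    $env:LOCALAPPDATA,
    $env:TEMP,
    "$env:USERPROFILE\Downloads"
) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }

function Test-UserWritablePath {
    param([string]$CommandLine)
    if (-not $CommandLine) { return $false }
    # Expand %VAR% forms, drop a leading quote, compare the image path prefix.
    $path = [Environment]::ExpandEnvironmentVariables($CommandLine).Trim('"').ToLowerInvariant()
    foreach ($root in $suspiciousRoots) {
        if ($path.StartsWith($root)) { return $true }
    }
    return $false
}

function Get-RunKeyEntries {
    # Per-user and machine-wide Run keys: the autostart location the quote refers to.
    $keys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip registry-provider metadata
            [pscustomobject]@{ Source = 'RunKey'; Name = $p.Name; Command = [string]$p.Value; Detail = $key }
        }
    }
}

function Get-ServiceEntries {
    # Installed services and the binary path each one starts.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        [pscustomobject]@{ Source = 'Service'; Name = $_.Name; Command = $_.PathName; Detail = $_.StartMode }
    }
}

function Get-ProcessEntries {
    # Running processes whose image path is readable by the current user.
    Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.Path } | ForEach-Object {
        [pscustomobject]@{ Source = 'Process'; Name = $_.ProcessName; Command = $_.Path; Detail = $_.Id }
    }
}

$findings = @(Get-RunKeyEntries) + @(Get-ServiceEntries) + @(Get-ProcessEntries) |
    Where-Object { Test-UserWritablePath $_.Command }

if ($findings) {
    $findings | Sort-Object Source, Name | Format-Table -AutoSize
} else {
    Write-Output 'No Run-key, service or process entries launch from user-writable directories.'
}
```

Run it in an elevated PowerShell session so the HKLM Run key and every service's binary path are readable; results are a triage list for an analyst, not a verdict, since installers such as per-user browsers also start from these directories.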
The clean-up was confirmed on Sunday by cybersecurity firm Malwarebytes, which had received the law enforcement file on its Emotet-infected test machine. The update initiated the uninstallation routine and removed Emotet completely from the Windows system.
“The version with the uninstaller is now pushed via channels that were meant to distribute the original Emotet,” said the Malwarebytes Threat Intelligence team. “For victims with an existing Emotet infection, the new version will come as an update, replacing the former one. This is how it will be aware of its installation paths and able to clean itself once the deadline has passed.”
The malware-tracking site Abuse.ch also confirmed the successful removal of the malware: its Emotet portal showed that none of the Emotet C2 servers it tracks were online.
The removal of the Emotet botnet by law enforcement agencies is a heavy blow to cybercriminals. It remains to be seen whether the botnet bounces back in the same form or as a new variant.
“Historically, Emotet’s operators used long breaks in activity to improve their malware. This means there is a realistic possibility that Emotet’s operators will use this opportunity to make the loader malware even more resilient, for example, by using polymorphic techniques to counter future coordinated action.
They could also use the Emotet source code to branch off and create smaller, independent botnets,” Redscan researchers noted on Friday.