Emotet Malware Automatically Uninstalled
Law Enforcement 'Update' to Erase Malware From Infected Devices Activated
An "update" pushed out earlier this year by law enforcement agencies, including Europol, on Sunday began erasing Emotet malware from infected devices worldwide, according to a blog posting from Malwarebytes.
The "update" file - a customized DLL file called EmotetLoader.dll that was sent to infected devices - was activated to erase the malware, Malwarebytes reports.
Europol has not issued an announcement on the action and did not immediately reply to Information Security Media Group's request for comment.
"Today at 1:00 PM, our #Emotet-infected machine that had received the special law enforcement file triggered its uninstallation routine. More details here: https://t.co/LfdPaNXiFm"
- Malwarebytes Threat Intelligence (@MBThreatIntel), April 25, 2021
The latest move by law enforcement agencies against Emotet infections came after the FBI earlier this month obtained a court order permitting it to remotely remove web shells - scripts that allow remote access - from vulnerable on-premises Microsoft Exchange servers in the U.S. (see: FBI Removing Web Shells From Infected Exchange Servers)
Marcin Kleczynski, CEO of Malwarebytes, says that law enforcement officials' efforts to remedy malware infections are a "tricky issue because good intentions may lead to unintended consequences."
"For this type of approach to be successful over time, it will be important to have as many eyes as possible on these updates and, if possible, the law enforcement agencies involved should release these updates to the open internet so analysts can make sure nothing unwanted is being slipped in," Kleczynski says.
Emotet Sold Network Access
Emotet's operators used a fully automated phishing campaign with a malicious attachment that, when opened, installed the malware, which then enabled network access. The operators then sold that access to other cybercrime gangs, who used it to deliver ransomware and banking Trojans, law enforcement authorities say.
In January, Europol reported that a multinational law enforcement operation had disrupted the Emotet botnet's infrastructure by gaining control of hundreds of servers used to distribute malware (see: Law Enforcement Operation Disrupts Notorious Emotet Botnet).
The law enforcement agencies behind the Emotet disruption, including Europol, said in January that they had pushed out an update via the botnet's own infrastructure that would disconnect infected devices from the malicious network (see: Police Using Emotet's Network to Help Victims).
Bleeping Computer reported in January that Europol's press office said Germany's federal police agency, the Bundeskriminalamt, or BKA, was responsible for delivering the update designed to uninstall the Emotet malware.
After being dormant for several months last year, Emotet reappeared in December 2020 with a new campaign delivering Trickbot malware, according to security firm Cofense (see: Emotet Botnet Returns After 2-Month Hiatus).
Digital Shadows notes that the Emotet gang is estimated to have made a profit of over $2 billion from selling network access to cybercriminals.
“According to a 2018 U.S. Department of Homeland Security alert, Emotet has cost U.S. state, local, tribal and territorial governments $1 million per incident to resolve," Digital Shadows says. "Prior to law enforcement’s takedown of Emotet, the malware reportedly controlled over 1 million machines."
Described by Europol as one of the most professional and long-lasting cybercrime services, Emotet, originally a banking Trojan, was discovered in 2014; it later evolved into a network access service.
Despite the latest action to remove Emotet malware on infected devices, organizations worldwide need to continue to ensure they're "staying agile to emerging and developing techniques and tactics, keeping strict control of their infrastructure, ensuring they are up to date with [patching] vulnerabilities and perpetually monitoring the integrity of their systems," says Natalie Page, threat intelligence analyst at the security firm Talion.
Digital Shadows says cybercriminals are shifting from delivering Trickbot via Emotet to using other malware, such as BazarCall and IcedID, delivered via other methods, such as phishing, which demonstrates that cybercriminal gangs are increasingly organized, ambitious and professional.
“Given that the operators of TrickBot, Ryuk and QakBot are themselves technically sophisticated and operationally capable, it is unlikely that Emotet’s seizure and uninstallation will significantly harm their long-term activity," researchers at Digital Shadows say.
"These kinds of large-scale, coordinated attacks and global botnets are too big for individual organizations to resolve entirely themselves, and leaving individual companies to clean them up themselves is a legitimate national security problem," says Paul Robichaux, senior director of product management at Quest Software. "However, the fact that law enforcement is on the case is no excuse to let your guard down. You still need to focus on securing your own environments."