A security researcher developed a kill switch for the Emotet malware that prevented it from infecting systems. Read on to learn more.
Security vulnerabilities and exploits are usually bad news for users. However, malware can have flaws of its own, and security researchers can use them to defeat the malware. Every once in a while, the good folks win one over the bad ones. This is one of those moments: a security researcher had the presence of mind to spot a weakness in the attacker's own code and exploit it!
Just as malicious hackers exploit flaws in legitimate software to cause harm, security researchers can reverse-engineer malware, discover its vulnerabilities, and exploit those to defeat it.
A researcher at Binary Defense found an exploitable vulnerability in the prolific and highly successful Emotet trojan. Emotet, a notorious email-based malware behind several botnet-driven spam campaigns and ransomware attacks, contained a flaw that allowed cybersecurity researchers to activate a kill switch and prevent the malware from infecting systems for six months.
The Kill Switch
The researcher effectively developed a vaccine for the Emotet malware that protected systems from it for 6 months. The botnet was first detected in 2014 and quickly grew in scale, stealing credential data and downloading more vicious malware, including ransomware, onto infected devices. It was briefly inactive from February to August.
Binary Defense’s James Quinn finally announced the truth behind the botnet's inactivity. The researcher had developed a kill switch by exploiting a buffer overflow vulnerability in the malware’s installation procedure. He dubbed the kill switch “EmoCrash”. He’s not the only one on the defense: in August 2020, an anonymous vigilante had started the ‘Emotehack’ operation, fighting the threat actors behind Emotet by replacing malicious payloads with whimsical GIFs and memes.
Technicalities
Binary Defense researcher James Quinn discovered a buffer overflow vulnerability in Emotet’s installation process and leveraged it to develop a kill switch. This kill switch, a data buffer, could be deployed before infection (as a vaccine) or mid-infection (as a true kill switch). In August 2020, researchers disclosed that they had developed versions V1 and V2 of the kill switch, “EmoCrash,” and had distributed it to defenders around the world on February 12, 2020, with strict instructions not to post it publicly. The kill switch was active from February 6, 2020 to August 6, 2020. After this, Emotet’s developers sent out a core loader update that removed the vulnerable registry value code, thereby disabling the kill switch.
Return of Emotet
In mid-August 2020, after the kill switch was disabled, Emotet resurfaced rapidly with more sophisticated features and capabilities. Emotet started using COVID-19-related lures to target businesses in the U.S. and the U.K. Furthermore, the malware was found using stolen attachments along with hijacked email conversation threads (which also included fake extortion emails).
Concluding Note
Though Emotet’s spam distribution was defeated for a short time, its operators were not inactive during that period; they focused on further improving the malware's features and capabilities. Users are therefore advised to stay cautious, as this notorious malware is still very much alive.