An uninstall module that was previously deployed by law enforcement on devices infected with Emotet across the world has now been triggered to clean the devices of the malware.
Law enforcement agencies first pushed an update out to devices infected by the malware months ago, after announcing in January that they had seized Emotet’s servers and disrupted its infrastructure. The update contained a special payload that had code to remove the malware from infected computers with a deadline of April 25.
As the deadline was reached this weekend, researchers with Malwarebytes observed the uninstall module being triggered: “The version with the uninstaller is now pushed via channels that were meant to distribute the original Emotet,” according to the Malwarebytes Threat Intelligence team. “For victims with an existing Emotet infection, the new version will come as an update, replacing the former one. This is how it will be aware of its installation paths and able to clean itself once the deadline has passed."
The Department of Justice (DoJ) in January confirmed in an affidavit that "foreign law enforcement," working in collaboration with the FBI, had initially replaced Emotet malware on the seized servers located in their jurisdiction with a file created by law enforcement, meant to prevent the administrators of the Emotet botnet from further communicating with infected computers. The file “is designed to prevent additional malware from being installed on the infected computer by untethering the victim computer from the botnet,” according to the DoJ.
Mariya Grozdanova, threat intelligence analyst with Redscan, said that Dutch law enforcement authorities are in the process of deploying the file - "however, there might be German involvement as well since the international team that disrupted Emotet was led by both Dutch and German investigators," she said. Media reports have previously identified Germany's Bundeskriminalamt (BKA) federal investigative police agency as the agency behind the uninstaller.
"Disrupting a botnet from the inside by gaining control of the infrastructure has great legal implications, thus, the US Department of Justice made it clear that it was 'foreign law enforcement agents,'" said Grozdanova.
Researchers with Malwarebytes said that while the update was first deployed in January, the motive behind the “lengthy delay for the cleanup routine to activate” - which was set for months later, in April - may have been to give system administrators time for forensic analysis and to check for other infections.
“The kill switch should have killed Emotet on those devices that already had an Emotet infection present, but this does not mean that malware such as IcedID, QakBot and TrickBot will be removed, thus the need for a continued monitoring and best security practices."
A further investigation by Malwarebytes researchers into the payload pushed out by law enforcement revealed a 32-bit dynamic link library (DLL) file, EmotetLoader.dll. The DLL contains three exports which lead to the cleanup effort, which include code for the deadline.
“If the deadline already passed, the uninstall routine is called immediately,” according to researchers. “Otherwise the thread is run repeatedly doing the same time check, and eventually calling the deletion code if the date has passed.”
This uninstall routine “is very simple,” said researchers - it deletes the service associated with Emotet as well as the run key that is used by Emotet to achieve persistence, before exiting the process.
The update comes on the heels of the Jan. 27 takedown effort, where Europol announced that authorities in Canada, France, Germany, Lithuania, the Netherlands, Ukraine, the United Kingdom and the United States crippled the network of hundreds of botnet servers supporting Emotet, as part of “Operation LadyBird.” As part of this takedown effort, law enforcement identified the IP addresses of approximately 1.6 million computers worldwide that appeared to have been infected with Emotet malware (between April 1, 2020 and Jan. 17, 2021), according to the DoJ.
In terms of how many devices received the uninstaller update, Jerome Segura, director of Threat Intelligence at Malwarebytes, said that law enforcement would know how many computers pinged their servers and received the update - “however, that may not equate to the same number of machines where the uninstall routine actually happened," he said.
“There was a long delay between receiving that special law enforcement file and the time trigger and it is also possible that some antivirus products may have quarantined the file,” he said.
Emotet, which is malware typically spread via malicious emails or text messages, has plagued businesses as a top threat for years. The malware was often utilized as a first-stage infection vector for secondary malware payloads - such as Trickbot, Qakbot and the Ryuk ransomware - with its operators renting its infrastructure to other crime groups, who could then gain initial access into victim networks. Redscan's Grozdanova said it is important to note that the uninstall module does not remove these other malware strains possibly installed on infected devices via Emotet, or malware from other sources.
We’ve observed a number of malicious threat actors, which operate in a very similar manner to Emotet, filling the cybercriminal void left by its takedown," said Grozdanova. "The kill switch should have killed Emotet on those devices that already had an Emotet infection present, but this does not mean that malware such as IcedID, QakBot and TrickBot will be removed, thus the need for a continued monitoring and best security practices.
Grozdanova also stressed in an analysis that while law enforcement’s Emotet takedown was a significant disruption to cybercriminals, “Emotet’s return cannot be ruled out entirely.”
“Some of the operators behind Emotet are still out there and it is highly likely that they are in possession of copies of the compromised data seized by authorities, as well as other data sets that have not yet been recovered,” said Grozdanova. “It is possible that senior members of the Emotet botnet who were not arrested will reassemble.”