Emotet, the malware behind one of the largest email spam campaigns in recent history, has been automatically uninstalled from all infected devices by a benign module that German law enforcement pushed to the botnet in January.
As part of an international law enforcement action in January, European investigators took control of Emotet's command-and-control servers and used them to deliver a module that was timed to disrupt the malware on April 25.
The TA542 threat group (aka Mummy Spider) used Emotet to deploy second-stage payloads such as QBot and TrickBot onto compromised computers, which in turn led to full network compromise and the deployment of ransomware: ProLock and Egregor via QBot, and Ryuk and Conti via TrickBot.
Using the botnet’s own network, law enforcement delivered a new configuration to Emotet’s bots that forced the malware to use command and control servers controlled by the Bundeskriminalamt, Germany’s federal police agency. They then delivered a new Emotet module to all infected systems that would automatically uninstall the malware on April 25th, 2021.
The US Department of Justice at the time explained that “the law enforcement file does not remediate other malware that was already installed on the infected computer through Emotet; instead, it is designed to prevent additional malware from being installed on the infected computer by untethering the victim computer from the botnet.”
The Bundeskriminalamt explained that the delay until April 25 was deliberate, to allow time to seize evidence and to clean the malware from affected machines.
Malwarebytes researchers took a closer look at law enforcement's uninstaller module and confirmed that it does kill Emotet. However, they found that it only deletes the associated Windows services and autorun Registry keys, leaving everything else on the compromised devices untouched. A machine that received the uninstaller is therefore cut off from the botnet but not cleaned: any second-stage payloads that Emotet already dropped are still there and still need to be found and removed.
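The two persistence locations the uninstaller touches, Windows services and autorun Registry keys, are also the first places to look for whatever else is still on the host. The following PowerShell script is an added example, not code from the article, from Malwarebytes, or from the law enforcement module: it enumerates both locations and lists every entry whose executable lives outside Program Files or the Windows directory. The trusted-root list and that "outside the usual install directories" heuristic are assumptions made for illustration; no Emotet indicators are encoded here.

```powershell
# Added example (not from the article or the law enforcement module): audit the
# Run/RunOnce keys and Windows services for entries whose binary sits outside
# the directories where installed software normally lives. The trusted roots
# below are an assumption; adjust them for your environment.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumption: anything outside these roots (e.g. %APPDATA%, %TEMP%, ProgramData,
# the user profile) deserves a closer look.
$trustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) |
    Where-Object { $_ } |
    ForEach-Object { $_.TrimEnd('\') + '\' }

# Get-ItemProperty adds these to every registry object; they are not real values.
$psMetadata = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-ExecutablePath {
    param([string]$CommandLine)
    # "C:\path with spaces\x.exe" /arg  -> quoted path
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    # C:\path with spaces\x.exe /arg     -> unquoted path, take everything up to .exe
    if ($CommandLine -match '^\s*(.+?\.exe)(\s|$)') { return $Matches[1] }
    # rundll32 foo.dll,Entry and similar -> first token
    if ($CommandLine -match '^\s*(\S+)') { return $Matches[1] }
    return $CommandLine
}

function Test-TrustedPath {
    param([string]$Path)
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)
    foreach ($root in $trustedRoots) {
        if ($expanded.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$findings = @()

# 1. Autorun Registry values in the per-machine and per-user Run keys.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($prop in $values.PSObject.Properties) {
        if ($prop.Name -in $psMetadata) { continue }
        $exe = Get-ExecutablePath ([string]$prop.Value)
        if (-not (Test-TrustedPath $exe)) {
            $findings += [pscustomobject]@{ Type = 'RunKey'; Name = "$key\$($prop.Name)"; Path = $exe }
        }
    }
}

# 2. Services whose binary sits outside the trusted roots.
foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    if (-not $svc.PathName) { continue }
    $exe = Get-ExecutablePath $svc.PathName
    if (-not (Test-TrustedPath $exe)) {
        $findings += [pscustomobject]@{ Type = 'Service'; Name = $svc.Name; Path = $exe }
    }
}

if ($findings.Count -eq 0) {
    'No Run-key entries or services outside the trusted roots.'
} else {
    $findings | Sort-Object Type, Name | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell session so the full service list is visible. The output is a triage list, not a verdict: per-user installers such as some browsers and chat clients legitimately live under the user profile, so each hit has to be checked by hand (publisher signature, file hash, creation time). The point, in line with the DOJ statement above, is that the uninstaller only untethers the host from the botnet; what QBot, TrickBot or a ransomware operator left behind is still yours to find.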
“For this type of approach to be successful over time, it will be important to have as many eyes as possible on these updates and, if possible, the law enforcement agencies involved should release these updates to the open internet so analysts can make sure nothing unwanted is being slipped in,” Marcin Kleczynski, CEO of Malwarebytes, told BleepingComputer.