EmoCrash: An Emotet Kill Switch For Defense

Vulnerabilities and exploits are often bad news for product users. However, malware can also have flaws that can be used by security researchers to defeat the malware. Researchers at Binary Defense found one exploitable vulnerability in a prolific and highly successful trojan malware, Emotet.

Unique threats require unique solutions

Binary Defense researcher James Quinn discovered a buffer overflow vulnerability in Emotet’s installation process and leveraged it to develop a kill switch. This data buffer could be deployed before infection (like a vaccine) or mid-infection (like a kill switch).
  • In August 2020, researchers disclosed developing versions V1 and V2 of the kill switch “EmoCrash,” and distributed it to defenders around the world on February 12, 2020, with strict instructions to not post it publicly.
  • The killswitch was alive from February 6, 2020 to August 6, 2020. After this, Emotet’s developers sent out a core loader update to remove the vulnerable registry value code, thereby disabling the kill switch.

Emotet back in workmode

In mid-August 2020, after disabling the kill switch, Emotet resurfaced at a rapid rate with more sophisticated features and capabilities
  • Emotet started using COVID-19 related lures to target its businesses in the U.S. and the U.K.
  • Furthermore, the malware was found using stolen attachments, along with hijacked email conversation threads (which also included fake extortion emails).

An unexpected panacea

In August 2020, a mysterious vigilante had started the ‘Emotehack’ operation and was fighting the threat actors behind Emotet by replacing malicious payloads with whimsical GIFs and memes.

The bottom line

Though Emotet’s distribution of spam was defeated for a short duration, its operators were not inactive through this time, as they proceeded to focus on further improving their features and capabilities. Thus, users are recommended to stay cautious as this notorious malware is still very much alive.