Emotehack: Emotet Malware Hacked to Sabotage its Comeback

Cyber vigilantes are sometimes seen taking justice into their own hands, targeting attackers to beat them at their own game. That happened recently when the Emotet botnet, which came back to life after a five-month break, was hacked by an unknown actor who replaced its malicious payloads with memes and GIFs.


Payloads turned into duds

Researchers discovered the ‘Emotehack’ operation, in which an intruder replaced Emotet’s malicious payloads with several popular (funny and harmless) GIFs. The defacement caused serious operational losses for the Emotet gang.
  • Researchers observed that the intruder, dubbed the “white knight”, replaced the malicious payloads with GIFs taken from Imgur or Giphy, such as the Blink 182 "WTF" GIF, the James Franco GIF, and the Hackerman GIF, rendering the attacks useless.
  • The Emotet gang usually relies on open-source scripts and uses the same password for all of its web shells. The unknown vigilante probably discovered this shared password and abused that weakness in the botnet to sabotage Emotet's comeback.
  • Emotet was believed to have other methods of dropping the shells and regaining access to the vulnerable sites it uses to spread malware. The Emotet gang spotted the "replacement" and restored the original payload.


Hackers sometimes annoy hackers

Similar incidents, in which hackers were themselves hacked by vigilantes, have been seen in the past.
  • In May 2020, a group of hackers calling themselves 'CyberWare' hit "scam" companies, namely loan scammers, with ransomware and distributed denial-of-service (DDoS) attacks.
  • In March 2020, a cybercrime vigilante known as ‘Jim Browning’ hacked into the IT networks of dozens of call centers in India that were running tech support scams using malware pop-ups or poisoned search engine results.


The illegal battle

Although reverse cyberattacks on hackers seem to be of little or no help to security experts, several countries, including the U.S. and the U.K., consider the activity illegal if carried out without prior government approval. In Emotet’s case, the intruder is assumed to be either a rival malware gang or a member of the cyber-security industry.