Emotet, one of the most active email spam botnets known to date, is being uninstalled from all infected devices. This became possible through an update module that law enforcement agencies delivered to the infections in January, as part of a coordinated international law enforcement action.
What is happening?
During the January takedown, law enforcement pushed a new configuration to active Emotet infections so that the botnet would talk to C2 servers controlled by Germany's federal police agency, the Bundeskriminalamt (BKA).
- Through those servers, law enforcement distributed a new module, a 32-bit EmotetLoader[.]dll, to the infected systems; it automatically uninstalls the malware on April 25.
- The module deletes the Windows services and autorun Registry keys associated with Emotet and then exits its own process, leaving everything else on the device untouched.
- It does not remove other malware that Emotet already dropped on the infected system; it only prevents Emotet from delivering additional payloads.
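The uninstall routine described above only removes the persistence Emotet itself created, and the article names no specific service or Registry value to look for. The following is an added generic check, not the law enforcement module or any Emotet-specific tooling, that an administrator can run after April 25 to confirm that nothing is still set to autostart from user-writable locations. The path patterns it flags are an assumption chosen for illustration, and every hit is a lead to review, not a verdict.

```powershell
# Added example: enumerate common autostart locations (Run/RunOnce keys,
# services, scheduled tasks) and flag entries whose binaries live in
# user-writable paths. Generic post-cleanup check, not Emotet-specific.
# The "suspicious path" regex patterns are an assumption for illustration.
$suspiciousPaths = @(
    '\\AppData\\Local\\',
    '\\AppData\\Roaming\\',
    '\\Temp\\',
    '\\Users\\Public\\'
)

function Test-SuspiciousPath {
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $false }
    foreach ($pattern in $suspiciousPaths) {
        if ($CommandLine -match $pattern) { return $true }
    }
    return $false
}

$findings = @()

# 1. Autorun Registry keys, per-user and machine-wide.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $props.PSObject.Properties.Name) {
        if ($name -like 'PS*') { continue }   # skip provider metadata (PSPath, PSDrive, ...)
        $value = [string]$props.$name
        if (Test-SuspiciousPath $value) {
            $findings += [pscustomobject]@{
                Source  = $key
                Name    = $name
                Command = $value
            }
        }
    }
}

# 2. Windows services whose binary lives outside the usual system locations.
Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    if (Test-SuspiciousPath $_.PathName) {
        $findings += [pscustomobject]@{
            Source  = 'Service'
            Name    = $_.Name
            Command = $_.PathName
        }
    }
}

# 3. Scheduled tasks, another common autostart location.
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    foreach ($action in $_.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if (Test-SuspiciousPath $cmd) {
            $findings += [pscustomobject]@{
                Source  = "Task: $($_.TaskPath)"
                Name    = $_.TaskName
                Command = $cmd
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No autostart entries from user-writable locations found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell session so that HKLM and all services are readable. Because the module leaves other malware in place, an empty result only says that nothing autostarts from the listed paths; it does not prove the machine is clean, and any hit should be compared against a known-good baseline before it is removed.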
Reversing the damage
Around the same time as the shutdown, the FBI has been working to further reduce the damage caused by this global threat.
- The FBI identified about 4.3 million email addresses that had been harvested by the Emotet botnet.
- The entire set was handed over to the Have I Been Pwned (HIBP) service so that affected users can check whether their address was among them.
Recent takedown attempts
Government agencies are now proactively taking legal action against cybercriminal networks.
- A month ago, the FBI launched a coordinated, court-approved operation to remove web shells from Microsoft Exchange servers compromised through the ProxyLogon exploits.
- Last year, Microsoft disclosed legal action to disrupt the infrastructure of the TrickBot botnet. However, the botnet was found to be active again in March.
The recent takedown, carried out by distributing an uninstall module through the botnet's own update channel, could be a major step in stopping threats such as Emotet. The collaboration between multiple law enforcement agencies, the private sector, and security researchers is a welcome development. Still, organizations should implement adequate security measures of their own, since the module removes only Emotet and not the malware it delivered.