Emotet malware was first detected in 2014. It was originally designed to steal sensitive banking information, and it evolved over time, adding features such as an information stealer, a downloader, and a spambot, depending on how it was deployed. Later it gained a feature for infecting other devices connected to nearby Wi-Fi networks.
Researchers from Binary Defense say they identified a bug in the Emotet malware and exploited it to create a killswitch that prevented the malware from infecting systems for six months.
The flaw was discovered by James Quinn, a malware researcher who has been reverse-engineering Emotet banking trojan that can steal data by eavesdropping on network traffic.
Quinn noticed a change in the payload's code that enables the malware to survive PC reboots. The malware was storing an XOR encryption key inside a newly created registry key. That key was used not only by the persistence mechanism but also by several other Emotet code checks.
Binary Defense developed a killswitch 37 hours after Emotet's recent update: a PowerShell script that set the data of each such registry value to null for each victim.
“When the malware attempts to execute ‘.exe,’ it would be unable to run because ‘.’ translates to the current working directory for many operating systems,” Quinn noted.
Quinn was able to exploit a buffer overflow vulnerability in the Emotet malware, causing it to crash during the installation process and preventing users from being infected.
A PowerShell script named EmoCrash triggered the buffer overflow when Quinn tried to infect a clean computer with Emotet; the malware crashed, which prevented the machine from being infected.
On a PC already infected with the malware, Quinn ran the EmoCrash script, which replaced the registry key data with a malformed value; the malware crashed there as well, preventing the infected host from communicating with the Emotet command-and-control server.
“This tiny data buffer was all that was needed to crash Emotet, and could even be deployed prior to infection (like a vaccine) or mid-infection (like a killswitch),” Quinn said. “Two crash logs would appear with event ID 1000 and 1001, which could be used to identify endpoints with disabled and dead Emotet binaries after deployment of the killswitch (and a computer restart).”
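The two defensive pieces described above, the "null" registry data that the killswitch writes and the Application-log crash events (IDs 1000 and 1001) that show where it fired, can be operationalised in PowerShell. The script below is an added example, not Binary Defense's EmoCrash and not code from the article; the registry path and value name are placeholders because the page does not give the real ones, and the `Get-AppCrashEvents` filter is a generic crash-event query that a defender would narrow to the process of interest.

```powershell
# Added example. Placeholder registry location: the real key and value used by
# the malware are not given on the page, so these are stand-ins for illustration.
$PlaceholderKeyPath   = 'HKCU:\Software\PLACEHOLDER_VENDOR'   # placeholder
$PlaceholderValueName = 'PLACEHOLDER_VALUE'                   # placeholder

function Get-RegistryValueState {
    # Reports whether a registry value is missing, present but empty ("null" data),
    # or present with data. Read-only; safe to run anywhere.
    param(
        [Parameter(Mandatory)][string]$KeyPath,
        [Parameter(Mandatory)][string]$ValueName
    )
    if (-not (Test-Path -Path $KeyPath)) { return 'KeyMissing' }
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'ValueMissing' }
    $data = $item.$ValueName
    if ($null -eq $data -or $data.Length -eq 0) { return 'Empty' }
    return 'HasData'
}

function Set-RegistryValueEmpty {
    # Writes a zero-length REG_BINARY value: the "data set to null" state the
    # article describes as the vaccine/killswitch condition. Creates the key if absent.
    param(
        [Parameter(Mandatory)][string]$KeyPath,
        [Parameter(Mandatory)][string]$ValueName
    )
    if (-not (Test-Path -Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType Binary `
        -Value ([byte[]]@()) -Force | Out-Null
}

function Get-AppCrashEvents {
    # Returns Application-log crash records (1000 = Application Error,
    # 1001 = Windows Error Reporting) from the last $Hours hours. An optional
    # substring filter on the message narrows results to one faulting process.
    param(
        [int]$Hours = 24,
        [string]$FaultingProcessPattern = ''   # e.g. an exe name; empty = all crashes
    )
    $filter = @{
        LogName   = 'Application'
        Id        = 1000, 1001
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        if ($FaultingProcessPattern -and
            $e.Message -notmatch [regex]::Escape($FaultingProcessPattern)) { continue }
        [pscustomobject]@{
            Time     = $e.TimeCreated
            Id       = $e.Id
            Provider = $e.ProviderName
            Computer = $e.MachineName
            Summary  = ($e.Message -split "`r?`n")[0]
        }
    }
}

# Usage: check the placeholder value, then list recent crash events (both read-only).
"Registry value state: $(Get-RegistryValueState -KeyPath $PlaceholderKeyPath -ValueName $PlaceholderValueName)"
Get-AppCrashEvents -Hours 24 | Format-Table -AutoSize
# To apply the "null data" state to the placeholder value, run:
# Set-RegistryValueEmpty -KeyPath $PlaceholderKeyPath -ValueName $PlaceholderValueName
```

Paired 1000/1001 events for the same process within a few seconds are the signature the quote describes; collecting them centrally (for example, by forwarding the Application log) is what lets a team identify endpoints where the killswitch fired after a restart.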
The Binary Defense team realized the discovery needed to be kept secret to prevent the Emotet gang from fixing its code, while EmoCrash also needed to make its way into the hands of companies across the world.
To get this done, Binary Defense worked with Team CYMRU, a company that has a decades-long history of organizing and participating in botnet takedowns.
“On August 6th, a core loader update was sent out which finally removed the vulnerable registry value code, effectively ‘killing’ EmoCrash,” Quinn said.