Dangerous Malware Disrupted From Operation Months After Uninstalling Delay

The most dangerous malware in the entire history of computer systems has just been disrupted a few months after its proposed uninstalling was delayed.

On April 25, the attempt to take down the Emotet, the most dangerous email spam botnet in history built by cybercriminals finally took place. The law enforcement managed to uninstall the botnet from affected devices with the help of a malware module released in January. The law enforcement took control of the botnet’s servers, managed to uninstall the malware, and disrupt its operation, Bleeping Computer reported.

The move is a result of the coordinated action and joint effort of the authorities from the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine.

During the process to uninstall the Emotet, the law enforcement released 32-bit EmotetLoader.dll, an Emotet module that automatically uninstalled the malware from the infected device on the specific April 25, 2021 date.

Law enforcement then made sure that the malware will use the Bundeskriminalamt controlled control servers. To make it happen, Germany's federal police agency released a new configuration.

Mummy Spider or the TA542 threat group used the Emotet to deploy second-stage malware such as QBot and Trickbot. Emotet served as a loader that delivered other malware packages such as ProLock or Egregor by Qbot, and Ryuk and Conti by TrickBot.

In January, the agencies from various countries attempted to replace Emotet with a file created by the law enforcement team to block any additional malware installation to already infected devices. On Jan. 28, the Bundeskriminalamt pushed the uninstaller module to the Emotet infected devices as per the US Department of Justice.

However, the Bundeskriminalamt later delayed the move to three months to allow enough time to seize evidence and clean the machines of malware, IT World Canada reported. The agency said that the victim’s communication software parameters were diverted to communicate with an infrastructure created for evidence seizure instead of the offenders’.

However, amid the most recent development on the Emotet, some security researchers believe that the war is not over yet.

"For this type of approach to be successful over time, it will be important to have as many eyes as possible on these updates and, if possible, the law enforcement agencies involved should release these updates to the open internet so analysts can make sure nothing unwanted is being slipped in," Marcin Kleczynski, CEO of Malwarebytes, Bleeping Computer reported.