Security researchers at Binary Defense developed a “vaccine” that kept systems safe from the Emotet Trojan for six months.
First discovered in 2014, Emotet evolved from a banking Trojan into an information stealer and a downloader for other malware families. A prolific threat, Emotet took a roughly four-month break in 2019 and five months off in 2020 before resuming activity on July 17.
Much like legitimate software, malicious programs have bugs, and one such bug in Emotet's installation phase allowed security researchers to build a killswitch that helped the infosec community keep the threat at bay.
Binary Defense explains that the vaccine was created after the Trojan received a codebase overhaul, and that it remained effective for 182 days in 2020, between 6 February and 6 August.
The code overhaul changed some of Emotet's installation and persistence mechanisms: the Trojan switched to saving itself on each victim system under a generated filename with a .exe or .dll extension. That filename was then encoded and stored as the data of a registry value whose name was set to the machine's volume serial number.
The first version of Binary Defense's killswitch was a PowerShell script that generated the expected registry value name and set its data to null. Emotet would still complete its deployment, but it could not execute successfully afterwards.
A second iteration of the killswitch exploited a buffer overflow in the installation routine, crashing the process before Emotet was even dropped onto the computer. The researchers named the PowerShell script EmoCrash; it could be deployed either before infection, as a vaccine, or during an active infection, as a killswitch.
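To make the first-version idea concrete, here is an added PowerShell illustration of the "pre-create the registry value with null data" approach. It is not Binary Defense's EmoCrash script and does not reproduce the buffer-overflow variant. Two things are assumptions rather than facts from this article: the registry key path (the `$KeyPath` placeholder; the real path Emotet used is not given here) and the exact way the volume serial number is rendered into the value name (an 8-character uppercase hex string, as Windows displays it, stored as an empty REG_BINARY). As the article notes, the loader code this targets was removed on 6 August 2020, so this is a historical illustration of the technique, not a working defence against current Emotet.

```powershell
# Added example (not Binary Defense's EmoCrash): version-1 style "vaccine" that
# pre-creates the registry value an installer is expected to read, with null data.
#
# ASSUMPTIONS (not stated in the article):
#   - $KeyPath is a placeholder; the real key path is not given on the page.
#   - The value name is the system volume's serial number as an 8-char uppercase
#     hex string; the encoding/type Emotet actually used is not stated here, so an
#     empty REG_BINARY is used to represent "data set to null".
# Run as the user whose profile the malware would install into (HKCU needs no elevation).

param(
    [string]$KeyPath = 'HKCU:\Software\Placeholder\VaccineDemo',   # placeholder, see above
    [switch]$Remove                                                # undo: delete the value
)

function Get-SystemVolumeSerial {
    # Volume serial of the drive Windows is installed on, e.g. "1A2B3C4D".
    $sysDrive = $env:SystemDrive.TrimEnd('\')
    $vol = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$sysDrive'"
    if (-not $vol -or -not $vol.VolumeSerialNumber) {
        throw "Could not read the volume serial number for $sysDrive"
    }
    return $vol.VolumeSerialNumber.ToUpper().PadLeft(8, '0')
}

function Set-VaccineValue {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    # Empty binary data: the loader finds the value it expects, but there is no
    # usable (encoded) filename in it, so its installation logic cannot proceed.
    New-ItemProperty -Path $Path -Name $Name -PropertyType Binary `
        -Value ([byte[]]@()) -Force | Out-Null
}

function Test-VaccineValue {
    # Returns $true only if the value exists and holds zero bytes of data.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    $data = $item.$Name
    return ($null -eq $data) -or ($data.Length -eq 0)
}

$valueName = Get-SystemVolumeSerial

if ($Remove) {
    Remove-ItemProperty -Path $KeyPath -Name $valueName -ErrorAction SilentlyContinue
    Write-Host "Removed vaccine value '$valueName' from $KeyPath"
    exit 0
}

Set-VaccineValue -Path $KeyPath -Name $valueName
if (Test-VaccineValue -Path $KeyPath -Name $valueName) {
    Write-Host "Vaccine value '$valueName' present with null data under $KeyPath"
} else {
    Write-Error "Failed to verify vaccine value '$valueName' under $KeyPath"
    exit 1
}
```

The `-Remove` switch exists so the change can be rolled back cleanly, and `Test-VaccineValue` is there because a vaccine that silently fails to write (wrong hive, wrong user profile) gives a false sense of protection; verify after deployment rather than trusting the script ran.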
On 12 February, EmoCrash began to be distributed to security teams around the world, helping to keep systems safe and resolving certain application compatibility problems. The logs created by the crash also helped defenders identify and eliminate infections.
Those who received EmoCrash were advised not to publicize it, so as to avoid tipping off the attackers.
Emotet's operators continued to develop the malware between February 7 and July 17, but they did not run major spam campaigns to spread it. An update pushed in April introduced a new installation method, but the loader still read the registry value to detect older installations, so the killswitch was triggered before the Trojan could contact the attackers' server.
Emotet's operators resumed sending spam to deliver the malware on July 17, but the vaccine continued to provide protection until August 6, when a core loader update removed the vulnerable registry value code.