Security researchers at Binary Defense created a “vaccine” that was able to keep systems protected from the Emotet Trojan for six months.
First identified over a decade ago, Emotet went from a banking Trojan to being an information stealer and a downloader for other malware families out there. A prolific threat, Emotet was seen taking a four-month vacation last year, and five months off in 2020, before recommencing activity on July 17.
Just as legitimate software, malicious programs are prone to vulnerabilities, and one such issue in Emotet’s installation process allowed security researchers to create a killswitch that helped the infosec community keep the threat away.
The vaccine was created after the Trojan received a codebase overhaul, and was in use for 182 days in 2020, between February 6 and August 6, Binary Defense explains.
Some of Emotet’s installation and persistence mechanisms were modified with the code overhaul, and the Trojan switched to saving the malware on each victim system to a generated filename with either the .exe or .dll extension. The filename was then encoded and saved into a registry value set to the volume serial number of the machine.
Binary Defense’s first version of the killswitch was a PowerShell script designed to generate the registry key value and set the data for it to null. Thus, although Emotet would finish the installation process, it would not be able to successfully execute.
A second version of the killswitch would exploit a buffer overflow in the installation routine, causing the process to crash before Emotet was dropped onto the machine. The PowerShell script, which the researchers named EmoCrash, could be deployed either before the infection, as a vaccine, or during infection, as a killswitch.
On February 12, EmoCrash started being delivered to security teams worldwide, which helped address some compatibility issues with the code and keep systems protected. Logs created during the crash would help defenders remove infections.
Those who received EmoCrash were told not to make it public in an effort to avoid tipping off the attackers.
Between February 7 and July 17, Emotet’s operators continued developing the malware, although they did not launch massive spam campaigns to spread the threat. An update pushed in April introduced a new installation method, but continued to access the registry key to identify older installations, thus triggering the killswitch before the Trojan would connect to the attackers’ sever.
On July 17, Emotet’s operators recommenced sending out spam to deliver the malware, but the vaccine continued to provide protection until August 6, when a core loader update was delivered to the Trojan to remove the vulnerable registry value code.