A researcher was able to exploit a vulnerability in Emotet – effectively causing the infamous malware to crash and preventing it from infecting systems for six months.
Emotet, which first emerged in 2014 and has since then evolved into a full fledged botnet that’s designed to steal account credentials and download further malware, mysteriously disappeared from February until its recent re-emergence in early August.
On Friday, James Quinn with Binary Defense revealed why: He he had developed a killswitch earlier this year, dubbed “EmoCrash,” that exploited a buffer overflow vulnerability found in Emotet’s installation process.
He’s not the only one looking to thwart Emotet: The news comes shortly after researchers discovered that a mysterious vigilante was fighting the threat actors behind the malware’s comeback by replacing malicious Emotet payloads with whimsical GIFs and memes.
A killswitch is often utilized by defenders to disconnect networks from the internet during cyberattacks – but can also be used against malware families as a way to remove them from systems and stop any processes that are running.
“Just as attackers can exploit flaws in legitimate software to cause harm, defenders can also reverse-engineer malware to discover its vulnerabilities and then exploit those to defeat the malware,” said Quinn in a recent post.
In early February, Emotet released a codebase overhaul, which made headlines for allowing the Emotet malware sample to spread to insecure Wi-Fi networks that are located nearby to an infected device.
Part of this overhaul was the modification of Emotet’s various installation and persistence methods. The malware developers removed a word list and file-generation algorithm previously utilized by Emotet, and replaced it with a new algorithm with a new persistence twist.
This new algorithm generated a randomly chosen .exe or .dll system filename, and then encrypted the filename with an exclusive OR (XOR) key and saved it as a registry key.
Quinn discovered a simple buffer overflow within this installation routine, and created a killswitch for this issue with a PowerShell script. The script contained a buffer of 0x340 (832) bytes, which Emotet would attempt to save as the registry key – ultimately causing it to crash during its installation process (before it was fully installed) and completely preventing the malware from installing on systems.
“This tiny data buffer was all that was needed to crash Emotet, and could even be deployed prior to infection (like a vaccine) or mid-infection (like a killswitch),” said Quinn.
Quinn then shared the killswitch discreetly with members of the infosec community, avoiding public channels to ensure maximum uptime of the exploit before the threat actors behind Emotet patched their malware to close the vulnerability.
“With an incredible amount of coordinating between the infosec and CERT communities, especially those at Team Cymru who helped immensely with this, Binary Defense began distributing the EmoCrash exploit script to defenders around the world on Feb. 12, 2020, with strict instructions not to post it publicly,” he said.
The killswitch was active between Feb. 6 until Aug. 5 – at which point Emotet’s developers sent out a core loader update to remove the vulnerable registry value code, killing the killswitch. It was then that Emotet resurfaced after a five-month disappearance, with more than 250,000 malspam messages being sent to email recipients worldwide.
It’s the age of remote working, and businesses are facing new and bigger cyber-risks – whether it’s collaboration platforms in the crosshairs, evolving insider threats or issues with locking down a much broader footprint. Find out how to address these new cybersecurity realities with our complimentary Threatpost eBook, 2020 in Security: Four Stories from the New Threat Landscape, presented in conjunction with Forcepoint. We redefine “secure” in a work-from-home world and offer compelling real-world best practices. Click here to download our eBook now.