Europol distributes anti-malware code via the Emotet botnet

The feds seem to have been inside Emotet for longer than first thought – and distributed a benevolent payload.

It’s arguably the 21st century’s most stunning law enforcement victory for cybersecurity. But the raid on those behind the Emotet botnet, which for years has delivered the TrickBot and Qbot banking trojans through spam messages and brought misery to potentially millions of victims, has an unusual twist in the tale. Not only was the botnet brought down, but Europol has seemingly used its newly acquired control over the botnet to neuter it, once and for all.

Cybersecurity researchers have spotted that all three Emotet epochs now deliver a payload that acts essentially as a self-destruct button for the poisonous botnet, nullifying its impact as of 25th April 2021.


The kill switch would essentially make the code used to control the botnet worthless, and remove the ability to press unwitting victims’ machines into launching the attack and spreading it across the internet.

Why the kill date has been set for three months’ time, rather than immediately, is an interesting conundrum – but those looking at the unusual incident believe they may have an answer. When the Emotet raid was announced, it came with a suggestion from Europol: search computer systems for the malware and scrub them of it.

Buying time to ensure it’s totally removed

While hitting the self-destruct button immediately would be the easiest option, it might leave many people unaware that their systems had been compromised. By giving people three months – and telling them specifically to hunt for the vestiges of the botnet on their networks – Europol appears to be trying to ensure that people check their systems for traces of Emotet while the botnet is in its control, rather than in the hands of cybercriminals.

The risks are minimal, given Europol believes it has total control over Emotet – but the rewards in helping those who have inadvertently fallen victim and have no idea are huge.

“What made Emotet so dangerous is that the malware was offered for hire to other cybercriminals to install other types of malware, such as banking Trojans or ransomwares, onto a victim’s computer,” said Europol in a statement.

And by waiting a short time before hitting the kill switch, the hope is that not only will Emotet be found, but the trojans or ransomware that could be hiding within systems can also be rooted out and exterminated. “This is a unique and new approach to effectively disrupt the activities of the facilitators of cyber crime,” Europol said.

Dutch police give more details

The Dutch police force, which was one of a number of forces that came together to work on the Emotet raid – alongside the US Federal Bureau of Investigation, the Royal Canadian Mounted Police, the UK's National Crime Agency, France's National Police, Germany's Federal Crime Police, the Lithuanian Criminal Police Bureau and the National Police of Ukraine – gave more insight into why this was happening.

“All infected computer systems will automatically retrieve the update there, after which the Emotet infection will be quarantined,” they said in a statement.

“Simultaneous action in all the countries concerned was necessary to be able to effectively dismantle the network and thwart any reconstruction.”

Creating and activating a kill switch like this has happened before with Emotet: in August 2020, Binary Defense, a cybersecurity research company, said they had spotted a flaw in the coding of the botnet and managed to insert something that disabled it temporarily, slowing its spread across the globe for a period of six months. But the criminal gang behind the malware fixed the flaw, and Emotet spread once more until this month’s mammoth raid.
