Law enforcement wipes out Emotet malware with self-destruct code

Get a free Techzine subscription!

EU cops use a customized Windows library to cause the malware to erase itself

Windows malware Emotet erased itself from thousands of computers this week. European law enforcement sent the self destruct order using a customized Windows Dynamic Link Library, or DLL.

The European authorities had built a sort of timer bomb that instructed the software to self-destruct on Sunday, April 25. The cops sent the code to the Emotet-infected computers at the end of January. They sent the code by using the malware’s own command-and-control (C2) infrastructure. They were able to do this because they had seized the C2 code in an earlier police operation that involved multiple countries.

Attacking the malware from the inside

Europol announced the the successful operation in a press release on January 27. “To severely disrupt the EMOTET infrastructure, law enforcement teamed up together to create an effective operational strategy,” they said. “It resulted in this week’s action whereby law enforcement and judicial authorities gained control of the infrastructure and took it down from the inside.”

“The infected machines of victims have been redirected towards this law enforcement-controlled infrastructure. This is a unique and new approach to effectively disrupt the activities of the facilitators of cybercrime.”

Using the Emotet’s infrastructure against itself, Europol was able to set the time bomb that went off on April 25. Malware monitoring groups like Malware tracker site Abuse.ch documented the successful erasure. Their Emotet portal showed none of the Emotet command and control servers it tracks were online.

The US Dept of Justice also played a rolew in seizing Emotet’s command structure. They said in a statement in January that “foreign law enforcement, working in collaboration with the FBI, replaced Emotet malware on servers located in their jurisdiction with a file created by law enforcement,” a file that prevented Emotet’s masterminds from ever regaining control of infected PCs.

The DOJ has remained silent about the delayed self-erasure routine, and they stressed that it was the Europeans who had made changes to Windows machines in the US.