Emotet, a notorious email-based malware behind several botnet-driven spam campaigns and ransomware attacks, contained a flaw that allowed cybersecurity researchers to activate a kill-switch and prevent the malware from infecting systems for six months.
“Most of the vulnerabilities and exploits that you read about are good news for attackers and bad news for the rest of us,” Binary Defense’s James Quinn said.
“However, it’s important to keep in mind that malware is software that can also have flaws. Just as attackers can exploit flaws in legitimate software to cause harm, defenders can also reverse-engineer malware to discover its vulnerabilities and then exploit those to defeat the malware.”
The kill-switch was alive between February 6, 2020, to August 6, 2020, for 182 days, before the malware authors patched their malware and closed the vulnerability.
Since its first identification in 2014, Emotet has evolved from its initial roots as a banking malware to a “Swiss Army knife” that can serve as a downloader, information stealer, and spambot depending on how it’s deployed.
Early this February, it developed a new feature to leverage already infected devices to identify and compromise fresh victims connected to nearby Wi-Fi networks.
Along with this feature update came a new persistence mechanism, according to Binary Defense, which “generated a filename to save the malware on each victim system, using a randomly chosen exe or dll system filename from the system32 directory.”
The change in itself was straight-forward: it encrypted the filename with an XOR key that was then saved to the Windows registry value set to the victim’s volume serial number.
The first version of the kill-switch developed by Binary Defense, which went live about 37 hours after Emotet unveiled the above changes, employed a PowerShell script that would generate the registry key value for each victim and set the data for each value to null.
This way, when the malware checked the registry for the filename, it would end up loading an empty exe “.exe,” thus stopping the malware from running on the target system.
“When the malware attempts to execute ‘.exe,’ it would be unable to run because ‘.’ translates to the current working directory for many operating systems,” Quinn noted.
EmoCrash to Thwart Emotet
That’s not all. In an improvised version of the kill-switch, called EmoCrash, Quinn said he was able to exploit a buffer overflow vulnerability discovered in the malware’s installation routine to crash Emotet during the installation process, thereby effectively preventing users from getting infected.
So instead of resetting the registry value, the script works by identifying the system architecture to generate the install registry value for the user’s volume serial number, using it to save a buffer of 832 bytes.
“This tiny data buffer was all that was needed to crash Emotet, and could even be deployed prior to infection (like a vaccine) or mid-infection (like a killswitch),” Quinn said. “Two crash logs would appear with event ID 1000 and 1001, which could be used to identify endpoints with disabled and dead Emotet binaries after deployment of the killswitch (and a computer restart).”
To keep it a secret from threat actors and patch their code, Binary Defense said it coordinated with Computer Emergency Response Teams (CERTs) and Team Cymru to distribute the EmoCrash exploit script to susceptible organizations.
Although Emotet retired its registry key-based installation method in mid-April, it wasn’t until August 6 when an update to the malware loader entirely removed the vulnerable registry value code.
“On July 17, 2020, Emotet finally returned to spamming after their several months-long development period,” Quinn said. “With EmoCrash still active at the start of their full return, up until August 6, EmoCrash was able to provide total protection from Emotet.”
“Not bad for a 832-byte buffer!,” he added.