Saturday, July 13, 2024

EmoCrash – Researchers Exploited a Bug in Emotet Malware to Stop its Distribution

EmoCrash: Recently, the cybersecurity researchers have detected and exploited a bug with infamous Emotet malware to stop its distribution.

Emotet is one of the most notorious email-based malware that offers several botnet-driven spam campaigns and ransomware attacks as a service. 

It includes a flaw that enabled the cybersecurity researchers to initiate a killswitch and stop the malware from affecting the systems for six months. But, the cybersecurity experts have worked out on a vaccine, that is EmoCrash, against the ransomware Emotet.


Emotet first appeared in the year 2014, since then, they emerged into a full-fledged botnet that’s intended to steal account credentials and download. But this malicious malware mysteriously vanished from February, and now again, it re-emerged in early August.

The patch that the experts have developed was named EmoCrash; well, this was created after several trial and error.

A report from Binary Defense threat researcher, James Quinn, tried to infect a clean computer with Emotet intentionally, and he detected that the abnormal registry key triggered a defense overflow in Emotet’s code and struck the malware. 

The result was quite positive as it effectively preventing users from getting affected. Moreover, Quinn had designed both an Emotet vaccine and a killswitch at a time, and here they are mentioned below:-

  • Killswitch, V1
  • Killswitch, V2

EmoCrash would be extended across a network, as it could enable system administrators to examine or to put a setup warning for the two log event IDs. And soon after, they can discover when and if Emotet affected their networks.

Emotet’s New mechanism

Earlier in February, Emotet published a massive codebase overhaul, and this codebase changes several of the installation and resolution mechanisms, offering a polymorphic state-machine to their code stream. 

That’s why the codebase added a coat of obfuscation to the loader, as it makes critique more difficult. One of the key transformations was the replacement of the word list and file generation algorithm that are used by Emotet in previous Emotet installs.

They were replacing the old ones with a new algorithm that was created a filename to gather the malware on each victim system, utilizing a randomly chosen “exe or dll” system filename from the system32 record.

Here they name the file as an exclusive OR (XOR) key, and the XOR key was installed to the volume serial number in little-endian form.

Dev mode

Emotet entered dev mode on February 7, and at that time, the operators of Emotet stopped spamming. After that, they started working on developing their malware, and it continued from February 7 – July 17, 2020. 

Though their distribution of spam was defeated, but, they were not “inactive” through this time; as they proceeded to focus on a few core binary and protocol updates. So, the security experts have warned users to stay safe as this notorious malware may occur anytime.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.


Latest articles

mSpy Data Breach: Millions of Customers’ Data Exposed

mSpy, a widely used phone spyware application, has suffered a significant data breach, exposing...

Advance Auto Parts Cyber Attack: Over 2 Million Users Data Exposed

RALEIGH, NC—Advance Stores Company, Incorporated, a prominent commercial entity in the automotive industry, has...

Hackers Using ClickFix Social Engineering Tactics to Deploy Malware

Cybersecurity researchers at McAfee Labs have uncovered a sophisticated new method of malware delivery,...

Coyote Banking Trojan Attacking Windows Users To Steal Login Details

Hackers use Banking Trojans to steal sensitive financial information. These Trojans can also intercept...

Hackers Created 700+ Fake Domains to Sell Olympic Games Tickets

As the world eagerly anticipates the Olympic Games Paris 2024, a cybersecurity threat has...

Japanese Space Agency Spotted zero-day via Microsoft 365 Services

The Japan Aerospace Exploration Agency (JAXA) has revealed details of a cybersecurity incident that...

Top 10 Active Directory Management Tools – 2024

Active Directory Management Tools are essential for IT administrators to manage and secure Active...

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles