Thursday, October 3, 2024
HomeMalwareEmoCrash - Researchers Exploited a Bug in Emotet Malware to Stop its...

EmoCrash – Researchers Exploited a Bug in Emotet Malware to Stop its Distribution

Published on

EmoCrash: Recently, the cybersecurity researchers have detected and exploited a bug with infamous Emotet malware to stop its distribution.

Emotet is one of the most notorious email-based malware that offers several botnet-driven spam campaigns and ransomware attacks as a service. 

It includes a flaw that enabled the cybersecurity researchers to initiate a killswitch and stop the malware from affecting the systems for six months. But, the cybersecurity experts have worked out on a vaccine, that is EmoCrash, against the ransomware Emotet.

- Advertisement - EHA

EmoCrash

Emotet first appeared in the year 2014, since then, they emerged into a full-fledged botnet that’s intended to steal account credentials and download. But this malicious malware mysteriously vanished from February, and now again, it re-emerged in early August.

The patch that the experts have developed was named EmoCrash; well, this was created after several trial and error.

A report from Binary Defense threat researcher, James Quinn, tried to infect a clean computer with Emotet intentionally, and he detected that the abnormal registry key triggered a defense overflow in Emotet’s code and struck the malware. 

The result was quite positive as it effectively preventing users from getting affected. Moreover, Quinn had designed both an Emotet vaccine and a killswitch at a time, and here they are mentioned below:-

  • Killswitch, V1
  • Killswitch, V2

EmoCrash would be extended across a network, as it could enable system administrators to examine or to put a setup warning for the two log event IDs. And soon after, they can discover when and if Emotet affected their networks.

Emotet’s New mechanism

Earlier in February, Emotet published a massive codebase overhaul, and this codebase changes several of the installation and resolution mechanisms, offering a polymorphic state-machine to their code stream. 

That’s why the codebase added a coat of obfuscation to the loader, as it makes critique more difficult. One of the key transformations was the replacement of the word list and file generation algorithm that are used by Emotet in previous Emotet installs.

They were replacing the old ones with a new algorithm that was created a filename to gather the malware on each victim system, utilizing a randomly chosen “exe or dll” system filename from the system32 record.

Here they name the file as an exclusive OR (XOR) key, and the XOR key was installed to the volume serial number in little-endian form.

Dev mode

Emotet entered dev mode on February 7, and at that time, the operators of Emotet stopped spamming. After that, they started working on developing their malware, and it continued from February 7 – July 17, 2020. 

Though their distribution of spam was defeated, but, they were not “inactive” through this time; as they proceeded to focus on a few core binary and protocol updates. So, the security experts have warned users to stay safe as this notorious malware may occur anytime.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.

Latest articles

Northern Ireland Police to Pay £750,000 Fine Following Data Breach

The Police Service of Northern Ireland (PSNI) has been ordered to pay a £750,000...

ANY.RUN Upgrades Threat Intelligence to Identify Emerging Threats

ANY.RUN announced an upgrade to its Threat Intelligence Portal, enhancing its capabilities to identify...

Cisco Nexus Vulnerability Let Hackers Execute Arbitrary Commands on Vulnerable Systems

A critical vulnerability has been discovered in Cisco's Nexus Dashboard Fabric Controller (NDFC), potentially...

Hackers Now Exploit Ivanti Endpoint Manager Vulnerability to Launch Cyber Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) has announced the addition of a new...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

DCRAt Attacking Users Via HTML Smuggling To Steal Login Credentials

In a new campaign that is aimed at users who speak Russian, the modular...

LummaC2 Stealer Leverages Customized Control Flow Indirection For Execution

The LummaC2 obfuscator employs a novel control flow protection scheme designed specifically for its...

Octo2 Android Malware Attacking To Steal Banking Credentials

The original threat actor behind the Octo malware family has released a new variant,...