Emotet malware self-destructs after cops deliver time-bomb DLL to infected Windows PCs
2021-04-26 05:33

Notorious Windows malware Emotet was automatically wiped from computers yesterday by European law enforcement using a customized DLL. This specially crafted time bomb caused the software to self-destruct on Sunday, April 25.

Ch's Emotet portal showed none of the Emotet C2 servers it tracks were online.

Mariya Grozdanova, a threat intelligence analyst at Redscan, described the cops' uninstall code to The Register: "The EmotetLoader.dll is a 32-bit DLL responsible for removing the malware from all infected computers. This will ensure that all services related to Emotet will be deleted, the run key in the Windows registry is removed - so that no more Emotet modules are started automatically - and all running Emotet processes are terminated."
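The quote lists the three persistence points the removal DLL touches: services, the Run key, and running processes. The script below is an added example, written for this page and not taken from the article or from the law-enforcement DLL, that a responder could use to confirm those three points are actually clean on a host after such a cleanup. The article names no registry value, service or process names, so the pattern `EMOTET_PLACEHOLDER` is a constructed stand-in; the `Test-PersistenceRemoved` function and its parameter are assumptions of this example.

```powershell
# Added example, not code from the article or from the EmotetLoader.dll it describes.
# Audits the three persistence points named in the quote (Run key, services, processes)
# for anything matching a name pattern and reports what is still present.
function Test-PersistenceRemoved {
    param(
        # Regex matched against value names, image paths, service names and process names.
        # 'EMOTET_PLACEHOLDER' below is a constructed stand-in; substitute the indicator
        # names your own incident data supplies.
        [Parameter(Mandatory)] [string] $NamePattern
    )
    $findings = @()

    # 1. Autostart entries: the Run keys the quote says are removed so modules no longer
    #    start automatically. Both machine-wide and per-user hives are checked.
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
            if ($p.Name -match $NamePattern -or "$($p.Value)" -match $NamePattern) {
                $findings += [pscustomobject]@{
                    Type = 'RunKey'; Location = $key; Name = $p.Name; Detail = $p.Value
                }
            }
        }
    }

    # 2. Services: name, display name and the binary path are all compared.
    foreach ($svc in (Get-CimInstance -ClassName Win32_Service)) {
        if ($svc.Name -match $NamePattern -or
            $svc.DisplayName -match $NamePattern -or
            "$($svc.PathName)" -match $NamePattern) {
            $findings += [pscustomobject]@{
                Type = 'Service'; Location = $svc.PathName; Name = $svc.Name; Detail = $svc.State
            }
        }
    }

    # 3. Running processes: the Path property can be empty for protected or
    #    cross-bitness processes, so it is only compared when populated.
    foreach ($proc in (Get-Process)) {
        if ($proc.ProcessName -match $NamePattern -or
            ($proc.Path -and $proc.Path -match $NamePattern)) {
            $findings += [pscustomobject]@{
                Type = 'Process'; Location = $proc.Path; Name = $proc.ProcessName; Detail = $proc.Id
            }
        }
    }

    return $findings
}

# Usage: an empty result means none of the three persistence points still match.
$leftovers = @(Test-PersistenceRemoved -NamePattern 'EMOTET_PLACEHOLDER')
if ($leftovers.Count -eq 0) {
    'No matching Run entries, services or processes remain.'
} else {
    $leftovers | Format-Table -AutoSize
}
```

The Run-key check reads the hive the script runs under, so an HKCU result only covers the current user; for a multi-user host, run it in each profile or load the other users' hives. The three checks are also exactly the artefacts an endpoint telemetry rule would watch for re-creation of after a cleanup, which is why the function returns objects rather than only printing text.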

The move has similarities to the FBI's cleaning-up of infected Microsoft Exchange Server deployments this month, a move that prompted considerable debate when we revealed the same thing could be lawfully done in the UK. Emotet was particularly nasty in that it spread mainly via malicious attachments in spam emails, and once installed, could bring in additional malware: infected machines were rented out to crooks to install things like ransomware and code that drained victims' online bank accounts.

Interestingly enough, the US Dept of Justice, which also played a role in the seizure of the malware's servers, said in a statement in January that "Foreign law enforcement, working in collaboration with the FBI, replaced Emotet malware on servers located in their jurisdiction with a file created by law enforcement," a file that prevented Emotet's masterminds from ever regaining control of infected PCs. The Feds did not mention anything about a delayed uninstall routine, and stressed any changes to systems were done by foreigners.

In late January, Germany and the Netherlands said they had, via Emotet control servers seized in their jurisdictions, released a software update that quarantined Emotet infections on people's PCs, and directed connections from the malware to evidence-gathering systems, thus ensuring the software nasty's perpetrators could no longer send commands to their botnet.


News URL

https://go.theregister.com/feed/www.theregister.com/2021/04/26/emotet_sunday_25_april_killswitch_date/