Published 24 Aug 2020

Researchers at Binary Defense, an information security company, managed to turn the tables on cybercriminals by exploiting a vulnerability in the Emotet malware to temporarily halt its spread. This case is unusual: vulnerabilities are normally found in commonly used software packages, and it is the cybercriminals who exploit them. It shows that cybercriminals themselves are vulnerable to their own methods.

The Emotet malware has been a consistent threat to many organisations, as described by James Quinn, the Binary Defense researcher who first discovered the vulnerability:

“Emotet is a prolific and highly successful email-based malware, with a primary focus on email theft and loading additional malware as a service. Most commonly identified by its three distinct botnets and fairly obfuscated code flow, Emotet is a unique and persistent threat to organizations of all sizes.”

The killswitch developed by the researchers has been active since February 6, but to keep the malware developers from patching the flaw, the researchers kept it largely secret, sharing it only within the infosec community. Only after the vulnerability was patched by a core loader update on August 6 did the researchers go public with their findings.

The story began in early February when a large code overhaul was released for Emotet. Among the changes was the use of a new registry value, based on the volume’s serial number. This value contained the encrypted filename used to save the malware. On noticing this, Quinn set about developing his killswitch, and within 37 hours, he had developed an initial PowerShell script that would prevent Emotet from running. Unfortunately, it would not prevent it from installing, so he began refining it.

Within 48 hours of the Emotet code release, he had developed a new version that exploited a vulnerability in Emotet’s installation routine, namely a simple buffer overflow. The new script, dubbed EmoCrash, functioned as both a vaccine to protect uninfected systems and a killswitch for infected systems. Quinn describes its function, which is surprisingly simple:

“Packaged into a nice usable PowerShell script (which we named EmoCrash), this utility would identify the user’s architecture and then generate the corresponding install registry value for the user’s volume serial number. It would then generate a buffer of 0x340 (832) bytes, which it would save to the new registry value’s data.”

Updates were subsequently released for Emotet that affected the script’s effectiveness, but it was not until August 6 that a core loader update removed the vulnerable code and rendered the script ineffective. By this time, EmoCrash had protected numerous systems for six months and enabled organisations to detect and mitigate ongoing Emotet infections.

While any win against the cybercriminals is welcome, it’s always important to have a good cybersecurity strategy. With our managed IT support services at Pro-Networks, we can help you find a strategy that both suits your budget and protects your organisation from the risks it faces from cyberspace.
