fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Here’s How Law Enforcement’s Emotet Malware Module Works

Here’s How Law Enforcement’s Emotet Malware Module Works

New research released today provides greater insight into the Emotet module created by law enforcement that will uninstall the malware from infected devices in April.

On January 27th, Europol announced that a joint operation between law enforcement agencies from Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada, and Ukraine took control of the Emotet botnet’s servers and disrupted the malware’s operation.

After the takedown, researchers noticed that the Emotet botnet began to push down a module to infected devices that would uninstall the malware on April 25th, 2021, at 12:00 and later. 

On the 28th, it was confirmed in a US Department of Just press release that “foreign law enforcement” created this module.

“Foreign law enforcement, working in collaboration with the FBI, replaced Emotet malware on servers located in their jurisdiction with a file created by law enforcement, according to the affidavit. This was done with the intent that computers in the United States and elsewhere that were infected by the Emotet malware would download the law enforcement file during an already-programmed Emotet update,” states a Department of Justice press release.

In a conversation with Europol and later emails with Germany’s Bundeskriminalamt (BKA) federal policy agency, we learned that the BKA was responsible for the module.

“Within the framework of the criminal procedural measures carried out at international level, the Bundeskriminalamt has arranged for the malware Emotet to be quarantined in the computer systems affected. An identification of the systems affected is necessary in order to seize evidence and to enable the users concerned to carry out a complete system clean-up to prevent further offences. For this purpose, the communication parameters of the software have been adjusted in a way that the victim systems no longer communicate with the infrastructure of the offenders but with an infrastructure created for the seizure of evidence.” –  German Bundeskriminalamt

Also Read: A Look at the Risk Assessment Form Singapore Government Requires

What Malwarebytes’ analysis reveals

While we now knew that the moduled pushed down to infected devices was created by law enforcement to uninstall the malware, there were still some questions unanswered.

For example, why was the uninstall occurring two months away, and what happens before the April 25th, 2021 uninstall date?

Today, a new analysis by Jérôme Segura and hasherezade of Malwarebytes answers some of these questions.

The new Emotet module distributed by German law enforcement is a 32-bit DLL named ‘EmotetLoader.dll.’

New Emotet module
Source: Malwarebytes

Below you can see the routine that checks for the date, and if it’s April 25th or later, removes Emotet. For more information about the deadline variable, you can reference this Microsoft documentation.

Function to uninstall on April 25th, at 12:00

When removing Emotet, Malwarebytes states the uninstaller deletes only the associated Windows services, deletes its autorun Registry key, and then exits the process.

On the other hand, prior to April 25th, 2021, the module allows Emotet to be installed on the device.

However, the difference is that the Emotet command and control server is now configured to use law enforcement servers located in Germany. As law enforcement controls the botnet, Emotet will not download further modules to the infected PC to perform malicious activity.

“Well, it still loads Emotet but with a big difference. It swaps the C2s for those controlled by LE. So your machine, while it waits for the cleanup to activate, will ping LE servers.” Segura told BleepingComputer.

Malwarebytes states that this new module will be pushed down to all infected devices, effectively replacing the malicious Emotet installs already infecting their computers.

“For victims with an existing Emotet infection, the new version will come as an update, replacing the former one. This is how it will be aware of its installation paths and able to clean itself once the deadline has passed,” explains Malwarebytes.

What is still not answered is why wait two months to uninstall the malware rather than doing it immediately?

Based on the BKA’s statement, it is likely being done to allow law enforcement to gather further evidence, such as the number of infected devices infected and what countries these devices are located. It could also be used to identify corporate victims to warn them of further pontential compromises of their networks.

BleepingComputer’s attempts to get official answer to this question has been unsuccessful.

Also Read: How to Send Mass Email Without Showing Addresses: 2 Great Workarounds

“Please understand that we cannot provide any further information as the investigations are still ongoing,” the German BKA told BleepingComputer in response for more information.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us