
After 7 Years of Reigning Malicious Terror, Emotet’s Uninstallation Sets in Motion

The international law enforcement agencies released a new malware module to remove the Emotet malware strains from thousands of compromised devices.


Law enforcement and judicial authorities around the world have coordinated to take down the infamous email spam botnet Emotet and remove it from all infected devices using a purpose-built malware module. The Emotet botnet has been responsible for numerous malware campaigns affecting organizations across the globe over the years. Its operators sent millions of spam emails carrying malicious attachments to infect victims’ devices. The notorious malware, which wreaked havoc over the last seven years, is also linked to other botnet-based campaigns: by renting its botnet to other cybercriminal groups, Emotet delivered payloads such as TrickBot and Ryuk ransomware.

The Takedown of Emotet

The takedown of Emotet is the result of an international coordinated action performed in January 2021, which disrupted Emotet’s malicious operations. The operation was a collaborative effort between authorities in the Netherlands, Europe, Germany, the U.S., the U.K., France, Lithuania, Canada, and Ukraine, and carried out in the framework of the European Multidisciplinary Platform Against Criminal Threats (EMPACT).

Emotet Uninstaller Module

The law enforcement authorities distributed a new Emotet module in the form of a 32-bit EmotetLoader.dll to the users of all infected computers to automatically uninstall the malware. “The version with the uninstaller is now pushed via channels that were meant to distribute the original Emotet. Although currently the deletion routine won’t be called yet, the infrastructure behind Emotet is already controlled by law enforcement, so the bots are not able to perform their malicious action. For victims with an existing Emotet infection, the new version will come as an update, replacing the former one. This is how it will be aware of its installation paths and able to clean itself once the deadline has passed,” Malwarebytes said.

According to Malwarebytes security researcher Jérôme Segura, the uninstaller module deletes the services associated with Emotet, deletes the run key, moves the file to %temp%, and then exits the process, without disturbing other operations on the infected devices.

Several industry experts stated that the successful removal of Emotet malware will help various organizations and over a million infected systems. “Pushing code via a botnet, even with good intentions, has always been a thorny topic mainly because of the legal ramifications such actions imply. The lengthy delay for the cleanup routine to activate may be explained by the need to give system administrators time for forensics analysis and checking for other infections,” Malwarebytes added.