Emotet's Temporary Cure.

Malware is a true pain in the butt for everyone. They are created by authors and sent out. Companies or individuals are hit. Security teams and firms are scrambling to get things under control. A big mess. Sometimes security researchers or law enforcement authorities do give some good news.


Emotet a malware gang has messed up. Working within territories of the former Soviet Union. Emotet is one of today's most skilled malware groups, managing a near-perfect infect-and-rent-access scheme.


Emotet malware which was first seen in 2014, started as a banking trojan into malware that can be comparable to a swiss-army knife. After it is planted in the victim's system. It infects the entire network, grabs any sensitive data then has access to the infected hosts and other groups.




Even as Emotet being such a unique piece of Malware. It has bugs. A rare bug was discovered which was safe to exploit and also screws over the malware. In the cyber-security industry, there's a very dangerous line when it's trying to mess with malware. James Quinn, a malware analyst working for Binary Defense has discovered such a bug which is safe to exploit and can screw over malware.




James was going through Emotet updates in February then he spotted a change in the Emotet code. The Emotet botnet payload was mass-spamming across the internet. It's persistence code, which allows the malware to survive PC reboots. He noticed the malware was creating a Windows registry key and saving an XOR cipher key inside it.


James worked hard and went through numerous challenges on how the persistence coding works. He made a PowerShell script that exploited the registry key and crashes Emotet. He dubbed it EmoCrash.



James did an experiment, he tried to infect a clean computer with Emotet. EmoCrash caused a buffer overflow in Emotet's code and crashed the malware. A counter to Emotet.


When Quinn ran EmoCrash on computers already infected with Emotet, the script would replace the good registry key with the malformed one, and when Emotet would re-check the registry key, the malware would crash as well, preventing infected hosts from communicating with the Emotet command-and-control server.


James made an Emotet vaccine and a killswitch. But apparently that's not all.


"Two crash logs would appear with event ID 1000 and 1001, which could be used to identify endpoints with disabled and dead Emotet binaries," James said on ZDNet.


If EmoCrash was deployed across a network. In turn, could allow system admins to scan or set up alerts for these two log event IDs and trace when and if Emotet infected their networks.



The Binary Defense team realize the advantage they had and need to make sure Emotet does not fix their code so they kept it under wraps but they needed to distribute the code to companies to stop Emotet. This sounds like a Marvel movie plot. So Binary Defense worked with Team CYMRU, a company with a history of organizing and participating in botnet takedowns.


Working behind the scenes, Team CYMRU made sure that EmoCrash made its way into the hands of CERTs (Computer Emergency Response Teams) Which then spread to many different companies.



After Binary Defense efforts with CYMRU to push EmoCrash, they received many messages from companies that prevented attacks or discovered ongoing incidents. They believe the Emotet group has yet find out the problem but knew something wasn't working as they released new versions with changes in their code. But sadly on the 6th of this month, they did fix the EmoCrash exploit. Props to James Quinn which made a tool that allowed companies get ahead on Malware and gain an advantage.

Posted on Aug 15, 2020 1:27:00 PM by Marcos Xochihua in Cyber Security

Marcos Xochihua

Written by Marcos Xochihua

Marcos Xochihua is a Network Security major and Student Ambassador at University of Advancing Technology (UAT)


Email me when there is a new post.

I'd like more information about UAT

Lists by Topic

see all

Recent Posts

Posts by Topic

see all

Posts by Author

see all