Even malware can have bugs: Emotet gang did not notice it for 6 months

Emotet bug was not noticed for half a year and used for a good purpose

Cybercriminals behind Emotet only spotted a bug after 6 months

Malware theme is a never-ending one. As soon as security specialists improve their antimalware tools, the malware creators have a reason to make them better. The battle has started somewhere in the 80s and keeps going all the time. Malware creators are never sleepy, they invent new possibilities to infect their victims PCs with newly made viruses, that become a mystery to encrypt and a problem to solve. But still, some new colors get on the scene and it makes us believe that the good might win someday.

Cyber-criminals are ingenious not only on inventing the schemes of cyber attacks, but also in hiding their tracks. It has been known many of them reside in favorable countries, which might not suspect what's been done, or have their own attitude towards justice and do not extradite their residents. Emotet gang^[1] is suspected to operate somewhere from former USSR which makes it hard for security professionals to get them in court.^[2] The gang is known as one of the best in their field and has never been caught from the very beginning. Most likely they have started their activities around 2013-2014 and have evolved hugely since then.

James Quinn steps in and makes a change in Emotet history

A well know malware analyst James Quinn,^[3] who works at Binary Defense was chasing Emotet for many years now. A passionate botnet tracker and threat researcher has made a significant discovery and crossed the street in front of Emotet gang quite painfully. He has found a rare bug that was not harmful to the botnet victims, but could harm the malware itself. Keeping an eye an all recent malware changes he has noticed there is a strange change in the payload, which might become a key to stopping the Emotet.

The bug was related to changes in Windows registry. Quinn has made an Anti-Emotet script that has literally made the Emotet crash. No accident it was named EmoCrash and it was really a big crash. Not only stopping Emotet botnet in the already infected PC's, but also preventing the new infections for clean PC's. That was a huge two-sided step in the whole antimalware fight, especially painful for the Emotet gang. But that was not the end. James Quinn said:^[4]

two crash logs would appear with event ID 1000 and 1001, which could be used to identify endpoints with disabled and dead Emotet binaries after deployment of the killswitch (and a computer restart).

Emotet is back on track with improvements after 6 months under EmoCrash

The EmoCrash has made the us believe this botnet might be down. In complete secrecy, the Binary Defense team with James Quinn ahead has decided to share this discovery and use it for good. They have joined with a company named Team CYMRU and got in contact with Computer Emergency Response Teams (CERTs),^[5] which has opened the gates to reach the Emotet affected companies easily.

It has been exactly half a year to pass by with the EmoCrash being used. A very nice step and a new experience in the cyber world had to end once the Emotet gang has made improvements and got back in cybercriminals world with the new power. However, this is surely going to be noted in the history of cyberwar.