Emotet Malware Destroys Itself From All Infected Computers - Hexafusion Blog | Hexafusion
Emotet, the notorious email-based Windows malware behind several botnet-driven spam campaigns and ransomware attacks, was automatically wiped from infected computers en masse following a European law enforcement operation.

The development comes three months after a coordinated disruption of Emotet as part of "Operation Ladybird" to seize control of servers used to run and maintain the malware network. The orchestrated effort saw at least 700 servers associated with the botnet's infrastructure neutered from the inside, thus preventing further exploitation.

Law enforcement authorities from the Netherlands, Germany, the U.S., U.K., France, Lithuania, Canada, and Ukraine were involved in the international action.

Previously, the Dutch police, which seized two central servers located in the country, said it had deployed a software update to counter the threat posed by Emotet effectively. "All infected computer systems will automatically retrieve the update there, after which the Emotet infection will be quarantined," the agency noted back in January.

This involved pushing a 32-bit payload named "EmotetLoader.dll" via the same channels that were used to distribute the original Emotet to all compromised machines. The cleanup routine, which was set to trigger itself automatically on April 25, 2021, worked by removing the malware from the device, in addition to deleting the autorun Registry key and terminating the process.

Now on Sunday, cybersecurity firm Malwarebytes confirmed that its Emotet-infected machine that had received the law enforcement payload had successfully initiated the uninstallation routine and removed itself from the Windows system.

As of this writing, Abuse.ch's Feodo Tracker shows none of the Emotet servers are online.

The mass action marks the second time law enforcement agencies have intervened to remove malware from compromised machines.

Earlier this month, the U.S. government took steps to remove web shell backdoors dropped by the Hafnium threat actor from Microsoft Exchange servers located in the country that were breached using ProxyLogon exploits.

Following the court-authorized operation, the Federal Bureau of Investigation said it is in the process of notifying all the organizations from which it had removed web shells, implying the agency accessed the systems without their knowledge.

News source: https://thehackernews.com/2021/04/emotet-malware-destroys-itself-today.html