Emotet is a notorious malware family, first discovered in 2014, behind a botnet-driven spam campaign and ransomware attacks.
Security researchers at Binary Defense discovered a flaw in Emotet itself that allowed them to activate a kill-switch, which prevented the malware from infecting systems for about six months.
The kill-switch was operational from February 6 to August 6, 2020, approximately 182 days, before the malware authors issued a fix that closed the exploited vulnerability.
How the Emotet Malware has evolved since 2014
Since its discovery in 2014, Emotet has evolved from a banking malware into a "Swiss Army knife" that can serve as both a downloader and a spambot, and that is capable of stealing information, depending on how it is deployed.
This February it added a new feature that leverages already infected devices to compromise fresh victims' devices connected to nearby Wi-Fi networks, coupled with a persistence mechanism that generates a filename under which the malware is saved on the victim system, using a randomly chosen .exe or .dll system filename from the system32 directory.
As part of this new capability, the filename is encrypted with an XOR key and saved to a Windows registry value named after the victim's volume serial number.
Like Emotet, TrickBot has mostly been distributed via spam campaigns, but it is mostly seen in cahoots with other malware, including being distributed by the Emotet spam-sending botnet to deliver Ryuk ransomware; its operators have extended its capabilities into a more advanced malware delivery vehicle.
How the kill-switch developed by Binary Defense worked
The initial version of the kill-switch developed by Binary Defense went live about 37 hours after the new Emotet changes were discovered. It employed a PowerShell script that generated the registry value for each victim and set the data of each value back to null.
With this in place, when the malware checked the registry for its filename, it ended up loading an empty filename, ".exe", which stopped the malware from running on the victim's system. The malware's attempts to execute '.exe' fail because '.' translates to the current working directory on several operating systems.
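To make the mechanism concrete, here is an added model of the persistence lookup and of the kill-switch idea described above. It is example code written for this page, not Emotet's code and not Binary Defense's PowerShell script. The exact value layout (the volume serial number as an 8-digit hex value name, a one-byte XOR key stored ahead of the encoded filename) is an assumption made for the model, the system32 filenames are a constructed sample, and a plain dict stands in for the Windows registry so the code runs offline on any OS.

```python
"""
Model of a registry-based persistence lookup and of a pre-emptive
kill-switch that empties the per-victim value. Added example for this page;
the value layout and the dict-as-registry are assumptions, not Emotet's or
Binary Defense's actual implementation.
"""
import random

# Constructed sample of system32 filenames the model can "pick" from.
SAMPLE_SYSTEM32_NAMES = ["notepad", "calc", "cmd", "svchost", "taskmgr"]


def value_name_for(volume_serial: int) -> str:
    """Registry value name derived from the volume serial number (assumed: 8 hex digits)."""
    return f"{volume_serial:08X}"


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ key for b in data)


def resolve_filename(registry: dict, volume_serial: int) -> str:
    """Model of the malware reading its filename back. Empty (null) data
    decodes to an empty stem, so the result collapses to just ".exe"."""
    data = registry.get(value_name_for(volume_serial), b"")
    if not data:
        stem = ""
    else:
        stem = xor_bytes(data[1:], data[0]).decode()
    return stem + ".exe"


def simulated_infect(registry: dict, volume_serial: int, key: int, rng=None) -> str:
    """Model of the persistence step: reuse an existing value if one is present,
    otherwise pick a filename, XOR-encode it and store it. Returns the path
    the malware would later try to execute."""
    rng = rng or random.Random()
    name = value_name_for(volume_serial)
    if name not in registry:
        chosen = rng.choice(SAMPLE_SYSTEM32_NAMES)
        registry[name] = bytes([key]) + xor_bytes(chosen.encode(), key)
    return resolve_filename(registry, volume_serial)


def apply_kill_switch(registry: dict, volume_serial: int) -> None:
    """Defender side: pre-create the per-victim value with null data, as the
    PowerShell kill-switch did, so the later lookup yields only ".exe"."""
    registry[value_name_for(volume_serial)] = b""


def would_execute(path: str) -> bool:
    """A bare ".exe" has no file name before the extension ('.' alone is the
    current directory), so there is nothing to load; any real stem passes."""
    stem = path[:-len(".exe")] if path.lower().endswith(".exe") else path
    return bool(stem) and stem != "."


def is_vaccinated(registry: dict, volume_serial: int) -> bool:
    """Audit helper: the kill-switch value exists and is empty. An absent value
    means the host was never protected; non-empty data means a real filename
    was stored before the kill-switch could be applied."""
    return registry.get(value_name_for(volume_serial)) == b""


if __name__ == "__main__":
    serial = 0x1234ABCD  # constructed volume serial number
    protected, unprotected = {}, {}
    apply_kill_switch(protected, serial)
    rng = random.Random(1)
    for label, reg in (("protected", protected), ("unprotected", unprotected)):
        path = simulated_infect(reg, serial, 0x5A, rng)
        print(f"{label} host -> {path!r}, runs: {would_execute(path)}")
```

The order of operations is the whole point: the kill-switch only works if the empty value is written before the malware's first lookup, because the model (like the behaviour described above) reuses whatever value it finds rather than overwriting it. The `is_vaccinated` check is the kind of quick audit a defender would run across hosts to tell protected machines from ones that were already carrying a real stored filename.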
Additionally, there was an improved version of the kill-switch, called EmoCrash, which according to the researchers exploited a buffer overflow vulnerability discovered in the malware's installation routine to crash Emotet during installation, effectively preventing systems from getting infected.