
Security researchers release anti Emotet “vaccine” for six months

Most of the time, the fight against malware is a losing game. Malware authors create their code, distribute it to victims through a variety of methods, and by the time security companies catch up, attackers have time to make changes to their code to regain the advantage.

This has been the case since the late 1980s when malware first appeared, and despite claims by most security companies, there is little reason for this to change.

Every now and then we receive good news from security researchers or the authorities. Malware writers can get it wrong and get arrested, or large-scale coordinated efforts bring down larger botnet networks.

However, not all anti-malware operations can be hindered in this way. Some cybercriminals reside in countries that do not extradite their citizens or have a solid understanding of what they are doing.

Emotet is one of the groups that ticks both boxes. Considered to be operating from the former Soviet states, Emotet is also one of the most capable malware groups today, having perfected the “Infect and rent access” model like no other group.

The malware, first seen in 2014, has evolved from an unremarkable banking trojan into a malicious Swiss army knife that, once it infects a machine, spreads laterally across the victim's network, steals any sensitive data it finds, then turns around and leases access to the infected machines to other groups.

Today, Emotet is scaring the IT departments of companies around the world and giving the cybersecurity industry a hard time.

Emotet's bug

But under the hood, Emotet is just another software. As such, Emotet also has bugs.

In cybersecurity, exploiting malware bugs is like crossing a line, a line many security companies refuse to cross for fear of accidentally harming infected computers.

However, sometimes a rare bug appears that is both safe to exploit and capable of having devastating consequences for the malware itself.

One of these bugs was discovered earlier this year by James Quinn, a malware analyst working for Binary Defense.

It is no accident that Quinn discovered the bug. In recent years, Quinn's main job has been to hunt down Emotet and keep an eye on its activities, both as part of his job and as a personal hobby within the Cryptolaemus group. [Read the story of the Cryptolaemus group and its hunt for Emotet [here](https://www.zdnet.fr/actualites/cryptolaemus-le-groupe-d-experts-en-cybersecurite-qui-lutte-contre-emotet-39900205.htm).]

In February, while browsing the daily Emotet updates, Quinn noticed a change in Emotet’s code, in one of the payloads that the Emotet botnet was mass-streaming across the internet.

The change concerns Emotet’s “persistence mechanism”, the part of the code that allows malware to survive PC restarts. Quinn noticed that Emotet was creating a Windows registry key and saving an XOR encryption key to it.

[Image: the Emotet registry key. Image: Binary Defense]

But that registry key wasn't used only for persistence, Quinn explained in a report. The key was also used in many other Emotet code checks, including its pre-infection routine.

EmoCrash comes into the picture

Through trial and error, and with subsequent updates to Emotet that refined how the new persistence mechanism worked, Quinn was able to come up with a tiny PowerShell script that exploits the registry key mechanism to crash Emotet itself.

The script, cleverly named EmoCrash, scanned a user’s computer and generated a valid, but malformed, Emotet registry key.

When Quinn tried to deliberately infect a computer with Emotet, the malformed registry key triggered a buffer overflow in Emotet’s code and crashed the malware, preventing users from being infected.

When Quinn ran EmoCrash on computers already infected with Emotet, the script replaced the correct registry key with the malformed one, and when Emotet rechecked the registry key, the malware crashed as well, preventing infected devices from communicating with Emotet's command-and-control server.

Quinn had therefore created both an Emotet vaccine and a killswitch. But that was not all.

“Two crash logs appeared with event IDs 1000 and 1001, which could be used to identify endpoints with disabled or dead Emotet code,” Quinn said.

In other words, if EmoCrash was deployed over a network, it could allow system administrators to scan or set alerts for these two event IDs and immediately find out when and if Emotet infected their networks.
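The detection angle above (event IDs 1000 and 1001 as a signal that Emotet crashed on an endpoint) is something an administrator can check with a few lines of PowerShell. The script below is an added example for this article; it is not Binary Defense's EmoCrash and does not touch the registry. It only reads the Application event log, pulls out the faulting application name from Application Error (1000) and Windows Error Reporting (1001) records, and summarizes crashes per process so they can be correlated with a vaccine deployment. The `-Days` and `-FaultingPattern` parameters and the regular expressions used to parse the event messages are assumptions made for illustration, not values from the article.

```powershell
# Added example, not the EmoCrash script: list application crash events
# (IDs 1000 and 1001 in the Application log) so an administrator can spot
# endpoints where a process such as a crashed malware payload died.
# -Days and -FaultingPattern are illustrative parameters (assumptions).
param(
    [int]$Days = 7,
    # Regex matched against the faulting application name; '.*' keeps everything.
    [string]$FaultingPattern = '.*'
)

$since = (Get-Date).AddDays(-$Days)

# Event ID 1000 = Application Error, 1001 = Windows Error Reporting.
# Both land in the Application log on a default Windows install.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Application'
    Id        = 1000, 1001
    StartTime = $since
} -ErrorAction SilentlyContinue

$records = foreach ($e in $events) {
    $app = $null
    if ($e.Id -eq 1000) {
        # Application Error messages start with
        # "Faulting application name: <exe>, version: ..."
        if ($e.Message -match 'Faulting application name:\s*([^,]+)') {
            $app = $Matches[1].Trim()
        }
    }
    else {
        # WER (1001) APPCRASH reports carry the application name in the
        # problem signature field "P1:" (assumed format for this example).
        if ($e.Message -match 'P1:\s*(\S+)') {
            $app = $Matches[1].Trim()
        }
    }
    if (-not $app) { $app = '<unparsed>' }

    if ($app -match $FaultingPattern) {
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            EventId     = $e.Id
            Computer    = $e.MachineName
            FaultingApp = $app
        }
    }
}

# Per-process summary: how many crash records, and when the last one happened.
$summary = $records |
    Group-Object FaultingApp |
    ForEach-Object {
        [pscustomobject]@{
            FaultingApp = $_.Name
            Crashes     = $_.Count
            LastSeen    = ($_.Group | Measure-Object TimeCreated -Maximum).Maximum
        }
    } |
    Sort-Object Crashes -Descending

$summary | Format-Table -AutoSize

# Emit the raw records too so they can be exported, e.g.:
#   .\crashes.ps1 -Days 30 | Export-Csv crashes.csv -NoTypeInformation
$records
```

Run it per host, or wrap the `Get-WinEvent` call in `Invoke-Command` to query many endpoints at once. Because 1000 and 1001 are generic crash events, the output is only a starting point: a sudden cluster of crashes from the same unfamiliar process name right after a vaccine is deployed is the pattern worth investigating, and the article gives no Emotet-specific process name to filter on.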

Putting EmoCrash in the hands of defenders

The Binary Defense team quickly understood that the information about this discovery had to be kept completely secret, to prevent the Emotet group from fixing their code, but also understood that EmoCrash had to make its way into the hands of companies around the world.

Unlike many large cybersecurity firms, all of which have decades of history behind them, Binary Defense was founded in 2014, and although it is one of the most promising companies in the industry, it did not yet have the influence and connections needed to get there without spreading word of its discovery.

To do this, Binary Defense worked with Team Cymru, a company with a long history of organizing and participating in botnet takedowns.

Working behind the scenes, Team Cymru ensured that EmoCrash ended up in the hands of Computer Emergency Response Teams (CERTs), which then released it to businesses in their respective jurisdictions.

For six months, the tool has made its way around the world.

Emotet corrects its code

In a telephone interview today, Binary Defense Senior Director Randy Pargman said the tool does not include a telemetry module, so as not to deter companies from installing it on their networks.

Binary Defense may never know how many companies have EmoCrash installed, but Pargman said they receive many messages from companies that have prevented attacks or discovered incidents in progress.

However, Pargman and Quinn believe that the tool had at least some impact on Emotet, as it helped reduce the number of infected machines available to Emotet operators.

Binary Defense doesn’t think the Emotet group discovered their tool, but it is highly likely that the group sensed something was wrong. Since February and in the months that followed, Emotet has undergone several new versions and changes to its code. None of them solved the problem.

The Emotet group eventually succeeded, whether by accident or thanks to their own analysis. The malware completely changed its persistence mechanism on August 6, six months after Quinn's discovery.

EmoCrash may no longer be useful to anyone, but for six months this tiny PowerShell script helped organizations stay ahead of the malicious group, a rare sight in today's cybersecurity arena.

And since it is always fun to watch security researchers hunt down malware operators, Quinn also tried to obtain a CVE for Emotet's buffer overflow bug from MITRE, the organization that tracks security flaws in software. Unfortunately, MITRE refused to assign a CVE.

Source : “ZDNet.com”
