Last Chance for Forensics Teams Ahead of Emotet Sunday Deadline

Written by

IT security teams have until Sunday to hunt for evidence of Emotet infection, and potentially related malware, before the notorious botnet is removed from all global devices on Sunday, experts have warned.

Back in January, Europol announced that law enforcers had been able to seize the infrastructure used by Emotet in a coordinated international operation.

On Sunday April 25, they will deliver an update (EmotetLoader.dll) file designed to erase the malware from all infected machines globally.

While Emotet started life as a banking Trojan, in recent years it grew into a more complex, modular threat. Among other things, it was used to gain initial access into organizations — which could then be sold to ransomware groups and other gangs to deploy further malware.

Those who were infected with Emotet but don’t know it yet therefore have just days to carry out vital forensics, argued Redscan threat intelligence analyst, Mariya Grozdanova.

“The run key in the Windows registry of infected devices will be removed to ensure that Emotet modules are no longer started automatically and all servers running Emotet processes are terminated. However, it’s important to note that the switch-off does not remove other malware that has been installed on an infected computer via Emotet,” she explained.

“This leaves security teams with only a few more days to uncover Emotet artifacts and whether their organization has been compromised by Emotet, as well as to establish whether other related malware exists on their networks. Unless proper forensic analysis is conducted now, security teams will miss a unique opportunity to identify malware strains that may have the same MO as Emotet, leaving them in a weaker position to defend against future attacks.”

Security experts also warned that those members of the Emotet gang still at large would likely regroup, possibly with improved malware strains.

“While the takedown of Emotet is a big win for all but cyber-criminals, efforts made to replace it with malware such as BazarCall and IcedID demonstrate that cyber-criminal outfits are increasingly organized, ambitious and professionalized,” said Digital Shadows.

“This will almost certainly remain the same in the future; the problem does not end with Emotet, but don’t let this convince you that defenders and law enforcement alike won’t be hot on the tails of any group ambitious enough to replace it.”

What’s hot on Infosecurity Magazine?