Remaining Emotet infections uninstalled by German police

A German federal police action led to all infections of Emotet malware being uninstalled Sunday, following an international police takeover of Emotet infrastructure in January.

A German law enforcement operation Sunday uninstalled all remaining Emotet malware from infected computers around the globe.

The police action follows an international law enforcement operation in January coordinated by Europol and Eurojust that disabled Emotet infections by taking control of the infrastructure. Law enforcement officials used their control of this infrastructure to issue uninstall commands to devices affected by Emotet, the massive malware, botnet and phishing operation that was prolific until its takedown three months ago.

The file executing the command, EmotetLoader.dll, was distributed to infected computers with a command to uninstall the malware at 1 p.m. April 25, based on the system clock.

In an email to SearchSecurity, a Europol spokesperson confirmed previous reports that the action was led by Germany's Federal Criminal Police Office, also known as Bundeskriminalamt (BKA). The spokesperson said Europol was not involved.

Asked why the uninstaller didn't activate until April 25, a BKA spokesperson directed SearchSecurity to a passage from a Jan. 27 press release by the office. The passage explained that the January Europol action left the Emotet infections no longer dangerous, but that it was still possible to collect evidence from the installed malware.

"Within the framework of the criminal procedural measures carried out at international level, the Bundeskriminalamt has arranged for the malware Emotet to be quarantined in the computer systems affected. An identification of the systems affected is necessary in order to seize evidence and to enable the users concerned to carry out a complete system clean-up to prevent further offences," the passage read. "For this purpose, the communication parameters of the software have been adjusted in a way that the victim systems no longer communicate with the infrastructure of the offenders but with an infrastructure created for the seizure of evidence."

Emotet was first discovered as a banking Trojan in 2014, and while it is known for its evolution into a botnet, its infamy goes deeper. Threat actors associated with Emotet have sold access to compromised systems to other threat actors, including but not limited to ransomware operators.

According to another BKA press release dated April 16, the malware in "more than 50,000 IT systems" affected by Emotet was redirected to the police-controlled infrastructure for evidence collection.

A blog post by Malwarebytes Labs provided a technical breakdown of the uninstaller via an update to its Jan. 29 Emotet takedown post. In its explanation of the self-executing module, the post called the uninstall routine "very simple."

"It deletes the service associated with Emotet, deletes the run key, attempts (but fails) to move the file to %temp% and then exits the process," the post read.

The end of Malwarebytes' blog post mentioned the "thorniness" of law enforcement using a botnet to distribute code: "Pushing code via a botnet, even with good intentions, has always been a thorny topic mainly because of the legal ramifications such actions imply. The DOJ affidavit makes a note of how the 'Foreign law enforcement agents, not FBI agents, replaced the Emotet malware, which is stored on a server located overseas, with the file created by law enforcement.'"

A similar situation occurred earlier this month when the FBI, without consent, deleted hundreds of web shells on Microsoft Exchange servers vulnerable to ProxyLogon and other flaws.

Alexander Culafi is a writer, journalist and podcaster based in Boston.
