Details of Emotet uninstallation by law enforcement officials

Emotet malware will be automatically removed from Windows machines on April 25, 2021. This is done through a cleanup feature that international law enforcement installs on infected systems. Now there are some details about what happens during the uninstall process.


Emotet: A review

Emotet is a family of computer malware in the form of macro viruses that infect recipients with Trojans via attachments to very genuine-looking emails. When a recipient opens the email's attachment, modules with malicious functions are downloaded and executed.

The Emotet group has been responsible for numerous successful ransomware attacks against companies, government agencies and institutions worldwide. Emotet was considered to be the most dangerous malware in the world at the time and infected a large number of IT systems of companies, authorities and institutions, in addition to the computers of hundreds of thousands of private individuals.

As a so-called "downloader", Emotet had the function of infecting a victim system unnoticed and downloading further malware, for example to manipulate online banking, to spy out stored passwords or to encrypt the system for blackmail. Use of this "botnet" created by the perpetrators, together with the downloading of arbitrary malware, was offered for a fee in the "underground economy". Therefore, Emotet's criminal business model can be called "malware-as-a-service."

This week it became known that international law enforcement agencies from Germany, the Netherlands, Ukraine, Lithuania, France, as well as England, Canada and the United States, have taken over the infrastructure of the Emotet malware with the support of Europol and Eurojust in order to disrupt the botnet. The details of the action can be found in the blog post German BKA initiate a takedown of Emotet malware infrastructure.

Law enforcement plans to uninstall Emotet

By taking over the Emotet Command & Control (C&C) servers, law enforcement was able to modify the malware download function via the C&C servers and install its own modules on the infected victim systems. The malicious functions were disabled at the same time, and the victim systems could communicate only with the controlled C&C servers. Security researchers have also noticed that an uninstall routine was delivered to the systems, which is supposed to uninstall the malware on April 25, 2021. I reported about this in the blog post Emotet reportedly uninstalls itself on April 25, 2021.


It is currently unclear which law enforcement officials are responsible for the quarantine and uninstall routines. There have also been discussions as to whether such a thing is permissible in Germany. U.S. law enforcement had confirmed in this announcement that they were working internationally to clean Emotet from infected computers.

Foreign law enforcement, working in collaboration with the FBI, replaced Emotet malware on servers located in their jurisdiction with a file created by law enforcement, according to the affidavit. This was done with the intent that computers in the United States and elsewhere that were infected by the Emotet malware would download the law enforcement file during an already-programmed Emotet update. The law enforcement file prevents the administrators of the Emotet botnet from further communicating with infected computers. The law enforcement file does not remediate other malware that was already installed on the infected computer through Emotet; instead, it is designed to prevent additional malware from being installed on the infected computer by untethering the victim computer from the botnet.

It only states that updates have been distributed to infected computers that prevent Emotet botnet administrators from further communicating with infected computers. This update does not remove other malware that has already been installed on the infected computer via Emotet. However, it should prevent further malware from being installed on the infected computer by disconnecting the victim's computer from the botnet. FBI employees have also informed hosters around the world about IP addresses that communicate with Emotet C&C servers, which indicates infected computers.

There is another interesting piece of information in this Malwarebytes article. It also notes that injecting code via a botnet is a tricky issue, mainly because of the legal consequences that such actions entail. The U.S. Department of Justice (DOJ) affidavit notes how the "foreign law enforcement officials, not FBI agents, replaced the Emotet malware stored on a server overseas with the file created by law enforcement." So it is a law enforcement agency, though it is not clear who is behind it. Bleeping Computer had checked with the BKA, but has not learned any more details, according to this article.

Uninstall details

Now there are new findings about what will happen during the Emotet uninstall on April 25, 2021. Security analysts from Malwarebytes have looked at the routines and published their findings (see the following tweet).

Malwarebytes: Emotet uninstall analysis

The delivered EmotetLoader.dll file exports three functions to uninstall the malware. One function checks whether the April 25, 2021 deadline has been reached or exceeded. If this is the case, the cleanup is started via an uninstall function. This simply deletes all services that are related to Emotet. In addition, the run key in the Windows registry is removed, so that no more Emotet modules are started automatically, and all running Emotet processes are terminated. The exact registry paths and other details can be found in the Malwarebytes blog post.

Similar articles:
EmoCrash protectet systems for 6 months against emotet-infections
Cryptolaemus and the fight against Emotet
Microsoft warns of massive Emotet campaign
Warning about a new Emotet-Ransomeware campaign (Sept. 2020)
Emotet Trojan can overload computers on the network
Emotet C&C servers deliver new malware
FAQ: Responding to an Emotet infection
Emotet malware comes as a supposed Word update
New Emotet Campaign during the Holidays 2020
German BKA initiate a takedown of Emotet malware infrastructure
Emotet reportedly uninstalls itself on April 25, 2021
