{"id":18475,"date":"2021-01-28T01:02:59","date_gmt":"2021-01-28T00:02:59","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=18475"},"modified":"2021-01-29T01:52:23","modified_gmt":"2021-01-29T00:52:23","slug":"emotet-reportedly-uninstalls-itself-on-march-25-2021","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2021\/01\/28\/emotet-reportedly-uninstalls-itself-on-march-25-2021\/","title":{"rendered":"Emotet reportedly uninstalls itself on April 25, 2021"},"content":{"rendered":"

[German<\/a>]Currently, it's reported, that the Emotet malware will automatically uninstall itself from infected systems on April 25, 2021 (1st I reported March) at 12:00 a.m CET. However, it is unclear to me who exactly is behind this action – the German BKA and the Dutch police are mentioned. Here is the information that has just been leaked via security researchers and Europol.<\/p>\n

<\/p>\n

Emotet C&C server seized<\/h2>\n

\"\"\"\"A few hours ago it became known that law enforcement agencies (BKA, Europol etc.) seized the infrastructure of the Emotet malware and took control of its servers. In Germany alone, 17 servers have been taken over. I had reported about this action in the blog post German BKA initiate a takedown of Emotet malware infrastructure<\/a>. There it was still said that the Emotet malware would be sent \"into quarantine\" on the victim systems. In addition, German Bundeskriminalamt (BKA) logs the IP addresses of the victim systems that contact the Emotet C&C servers. Then, the providers are to be informed so that they can notify the customers about the infection.<\/p>\n

Emotet uninstallation scheduled for April 25, 2021?<\/h2>\n

A Twitter user with the alias mikream noticed a few hours ago that all C&C.servers that can still be contacted are distributing a new payload that is supposed to remove an Emotet infection via script on March 25, 2021 at 12:00. This can be seen from the following tweets<\/a>, whereby eight C&C servers, which according to the IP are located in Germany, are delivering this payload.<\/p>\n

\"Emotet-Update<\/a><\/p>\n

Addendum:<\/strong> The end date, that triggers the uninstall, may be April 25, 2021, because the month is counted in C from 0-11 \u2013 see also this tweet<\/a>.<\/p><\/blockquote>\n

Unclear who is behind the action<\/h2>\n

There is some discrepancy regarding information on who exactly is behind the action. Catalin Cimpanu writes on ZDNet.com<\/a> that Dutch police state that two out of three of the primary Emotet command-and-control (C&C) servers are located in the Netherlands and have been seized. This source says that the Dutch police are using access to these two key servers to distribute a timebombed Emotet update to all infected hosts.<\/p>\n

What makes me suspicious, however, are the IP addresses given in the above tweet, which refer to the Open Telekom Cloud and German sites. Bleeping Computer, on the other hand, writes in this article<\/a>:<\/p>\n

In a phone call with Europol's press office, BleepingComputer was told that the German Bundeskriminalamt (BKA) federal police agency was responsible for this action. The press office, though, did not know the date that law enforcement would uninstall the malware.<\/p><\/blockquote>\n

They cite a phone call with the press department of Europol, which claims German Bundeskriminalamt (BKA) federal police agency was responsible for this action. Bleeping Computer writes that it is unclear why law enforcement waited two months to uninstall the malware. However, two questions are on my mind:<\/p>\n