Exploiting Emotet to stop itself – Malware has vulnerabilities too

August 27, 2020
emotet botnet malware kill-switch antimalware

Cybersecurity researches have recently discovered a flaw in Emotet malware that allowed for a ‘kill-switch’ to get activated that would stop the banking trojan malware from spreading and infecting systems for up to six months. The Emotet malware gained notoriety for affecting 5% of organizations globally.

Typically, all people got used to hearing that vulnerabilities are bad news for everyone. When we all forget that malware is also codes, micro applications, scripts, and software. Malware is software, and it can also have vulnerabilities and flaws. We know that the cyber-attackers who designed these trojans made them exploit weaknesses of a legitimate application to cause damage and to carry out their ill intention towards their targets. Cyber-defenders, however, are there to perform reverse engineering techniques to discover the malware’s flaws to defeat its functions.

The botnet Emotet’s kill-switch was active for 7 months from February to early August 2020, until the malware received updates from the author to remove the discovered vulnerability.

The financial trojan – Emotet was first identified in 2014, and it has evolved from its main category, which is a banking malware. This ‘swiss army knife’ type of malware can serve their operators as a file downloader, data stealer, and spammer botnet basing on how it is set up to deploy. Earlier in February this year, it has gained a new feature to use already infected devices and spread itself using the Wi-fi connectivity to the next interconnected computer systems.


The kill-switch to Emotet Spam Botnet

A version of the kill-switch that exploited the buffer overflow vulnerability during the install routine of the malware is called EmoCrash, which successfully crashes the installation process hence effectively stopping users from getting infected. This little data buffer present within the EmoCrash script was all that’s needed to smash the botnet, and it can even be applied before getting infected like a vaccine.

Even though it took 3 months for the Emotet operators to remove its registry key-based installation, it wasn’t till August 2020 that they can update the malware loader to remove the discovered registry value code vulnerability that would allow the botnet to again continue its botnet functions.


Malware is software too. Hence, we encourage organizations to get up to date security definitions, fraud prevention, anti-malware, and anti-phishing solutions that would protect your data and financial information from cybercriminals that exploit on systems with weak internetwork protection and scanners.

About the author

Leave a Reply