Cybersecurity researchers discovered a vulnerability in the Emotet malware and used it for six months to disrupt the distribution and operation of this threat. The vulnerability was found by James Quinn, a researcher at the security company Binary Defense, who has tracked Emotet for years to understand how it works and to find ways to stop it.

According to James Quinn: Most vulnerabilities and exploits that appear in the news benefit attackers and harm other users. However, it is important to note that malware is software that can also be flawed. Just as attackers can exploit flaws in legitimate software to do harm, defenders can reverse engineer malware to discover vulnerabilities and exploit them to combat malware.

How the researchers discovered this vulnerability

The vulnerability was found in February while Quinn was studying the code of an Emotet update. He noticed that the malware stored an XOR encryption key in a newly created Windows registry key. That registry key belongs to the persistence mechanism, the part of the malware that keeps it running after the computer is restarted.

Quinn took advantage of the discovery to write a PowerShell script that used the same registry mechanism: it scanned the system and created a malformed registry key where Emotet expects its own data. When Emotet read that key it hit an error and stopped working. This prevented Emotet from infecting new computers and, at the same time, cut off communication between computers that were already infected and the command-and-control servers.
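The mechanism described above, as an added example that is neither Emotet code nor Binary Defense's script: a Python simulation in which a dictionary stands in for the Windows registry, a loader persists its state as an XOR-encoded value and trusts whatever it reads back, and a defender plants a value the loader cannot parse before the malware ever runs. The value name, the buffer layout, the XOR key and the sample file path are all constructed for illustration; the article does not give the real ones.

```python
"""Simulated registry persistence buffer and a defender-planted 'crash' value (illustrative only)."""
import struct

# Stand-in for the Windows registry: value name -> raw bytes (constructed for this example).
REGISTRY: dict = {}

VALUE_NAME = "PersistBuffer"   # hypothetical value name; the real one is not in the article
XOR_KEY = b"\x5a\xa5\x3c\xc3"  # constructed key, the kind of secret the article says Emotet kept in the registry
SAMPLE_PATH = r"C:\Users\victim\AppData\Local\x.exe"   # constructed dropped-file path


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; encoding and decoding are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def malware_save_state(payload_path: str) -> None:
    """Persist the dropped-file path as: 4-byte little-endian length + path, XOR-encoded."""
    blob = struct.pack("<I", len(payload_path)) + payload_path.encode()
    REGISTRY[VALUE_NAME] = xor_bytes(blob, XOR_KEY)


def malware_load_state() -> str:
    """Loader written the careless way: it trusts its own stored value and never checks its size."""
    raw = xor_bytes(REGISTRY[VALUE_NAME], XOR_KEY)
    (n,) = struct.unpack_from("<I", raw)   # struct.error when fewer than 4 bytes are present
    return raw[4:4 + n].decode()


def malware_run(payload_path: str) -> list:
    """One execution of the simulated malware; returns the actions it got to perform."""
    actions = []
    if VALUE_NAME not in REGISTRY:          # first run on this host: create the value
        malware_save_state(payload_path)
    try:
        path = malware_load_state()
    except (struct.error, UnicodeDecodeError) as exc:
        # An uncaught exception in the real process would end it here.
        actions.append(f"crash:{type(exc).__module__}.{type(exc).__name__}")
        return actions
    actions.append(f"persist:{path}")
    actions.append("beacon:c2")             # only reached when the state loaded cleanly
    return actions


def plant_vaccine() -> None:
    """Defender-side step: pre-create the value with a shape the loader cannot parse."""
    REGISTRY[VALUE_NAME] = b"\x00"          # one byte: too short for the length header


def run_on_clean_host() -> list:
    """Infection on a host without the planted value: persistence succeeds, then the C2 beacon."""
    REGISTRY.clear()
    return malware_run(SAMPLE_PATH)


def run_on_vaccinated_host() -> list:
    """Infection on a host where the defender planted the value first: the loader dies."""
    REGISTRY.clear()
    plant_vaccine()
    return malware_run(SAMPLE_PATH)


if __name__ == "__main__":
    print("clean host:     ", run_on_clean_host())
    print("vaccinated host:", run_on_vaccinated_host())
```

The point of the simulation is the ordering: the value is planted before the loader ever runs, so the loader's own "does my value already exist?" check makes it consume the defender's data and die before it reaches the beacon step. A real deployment needs the exact registry location and value shape the malware uses, which only reverse engineering of the sample provides, and any update to the malware's parser can invalidate the trick.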

Emotet is one of the most prominent malware families today. First identified in 2014, it is believed to be operated from post-Soviet countries, and it grew from a minor banking Trojan into a major threat notable for its scale. The operation by Binary Defense and Team Cymru is a blow to Emotet's operators, and that makes it a welcome victory.
