Vulnerabilities and exploits are usually bad news for the users of a product. Malware, however, can have flaws of its own, and security researchers can use them to defeat it. Researchers at Binary Defense found one such exploitable vulnerability in Emotet, a prolific and highly successful trojan.
Unique threats require unique solutions
Binary Defense researcher James Quinn discovered a buffer overflow vulnerability in Emotet’s installation process and leveraged it to develop a kill switch. The kill switch is a crafted data buffer written to the registry value that Emotet’s installer reads; it could be deployed before infection (as a vaccine) or during an infection (as a kill switch).
- Binary Defense developed two versions (V1 and V2) of the kill switch, named “EmoCrash,” and distributed it to defenders around the world on February 12, 2020, with strict instructions not to post it publicly. The work was only disclosed publicly in August 2020.
- The kill switch was effective from February 6, 2020 until August 6, 2020, when Emotet’s developers shipped a core loader update that removed the vulnerable registry value code, thereby disabling it.
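To make the mechanism concrete, the following is an added illustration, not Emotet code and not Binary Defense’s EmoCrash: a hypothetical loader keeps a fixed-size buffer for the value it persists in the registry and, at install time, copies that value back trusting the stored length. Pre-seeding a value longer than the buffer (the vaccine) corrupts the state that follows and the install fails; the buffer size, field names, the guard field and the sample values are all assumptions. The bounds-checked variant is shown only for contrast; the page states that Emotet’s actual fix removed the registry value code rather than bounds-checking it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of a loader that stores a configuration value in a
 * registry value and copies it back into a fixed-size buffer at install time.
 * Not Emotet code; sizes, names and the guard field are illustrative. */

#define NAME_LEN 32
#define GUARD_OK 0xDEADBEEFu

struct loader_state {
    char     name[NAME_LEN]; /* where the stored value is expected to fit */
    uint32_t guard;          /* stands in for adjacent data the loader needs intact */
};

/* The single registry value the modelled installer reads (constructed, not real). */
struct reg_value {
    const unsigned char *data;
    size_t len;
};

/* Vulnerable install path: copies whatever length the stored value reports.
 * Returns 1 if the adjacent state was clobbered (the crash case), else 0. */
static int install_vulnerable(const struct reg_value *v)
{
    struct loader_state st;
    memset(&st, 0, sizeof st);
    st.guard = GUARD_OK;
    /* The copy is capped at the struct size only so the demo stays well
     * defined; the real bug runs past the object and crashes the process. */
    size_t n = v->len < sizeof st ? v->len : sizeof st;
    memcpy(&st, v->data, n);
    return st.guard != GUARD_OK;
}

/* Hardened install path: refuses any stored value that does not fit.
 * Returns -1 when the value is rejected, 0 when it installs cleanly. */
static int install_hardened(const struct reg_value *v)
{
    struct loader_state st;
    memset(&st, 0, sizeof st);
    st.guard = GUARD_OK;
    if (v->len > sizeof st.name)
        return -1;
    memcpy(st.name, v->data, v->len);
    return st.guard != GUARD_OK;
}

/* Build the "vaccine": a value deliberately longer than the loader's buffer,
 * so that copying it overwrites the state that follows the buffer. */
static size_t build_vaccine(unsigned char *out, size_t cap)
{
    size_t want = NAME_LEN + sizeof(uint32_t);
    if (cap < want)
        return 0;
    memset(out, 'A', want);
    return want;
}

/* Pre-seeding the vaccine makes the vulnerable installer corrupt itself. */
int vaccine_crashes_vulnerable_loader(void)
{
    unsigned char buf[64];
    struct reg_value v = { buf, build_vaccine(buf, sizeof buf) };
    return install_vulnerable(&v) == 1;
}

/* The same vaccine is simply refused by a bounds-checked installer. */
int vaccine_rejected_by_hardened_loader(void)
{
    unsigned char buf[64];
    struct reg_value v = { buf, build_vaccine(buf, sizeof buf) };
    return install_hardened(&v) == -1;
}

/* A value of the expected size installs on both paths. */
int benign_value_installs(void)
{
    static const unsigned char benign[] = "loader-cfg"; /* constructed sample */
    struct reg_value v = { benign, sizeof benign - 1 };
    return install_vulnerable(&v) == 0 && install_hardened(&v) == 0;
}

int main(void)
{
    printf("vaccine crashes vulnerable loader: %d\n", vaccine_crashes_vulnerable_loader());
    printf("vaccine rejected by hardened loader: %d\n", vaccine_rejected_by_hardened_loader());
    printf("benign value installs on both paths: %d\n", benign_value_installs());
    return 0;
}
```

The same value works as a vaccine (seeded before the loader ever runs) and as a kill switch (written over the loader’s own value on an already infected host), because in both cases the installer reads it back on its next run. Once the loader stops reading that value at all, as the page says the August 2020 update did, there is nothing left for the crafted buffer to overflow.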