Vigilante Hacker Disrupts Emotet Botnet Malware With Ironically Comical GIF Assault
The sheer number of malware campaigns operating online targeting users, in an attempt to steal information or extort money, is staggering. One of the recently revived botnets is Emotet, which acts primarily as a loader for other malware families and has also been observed spreading across Wi-Fi networks. A vigilante hacker, however, has now stepped in to replace the nefarious payloads served from the botnet's infrastructure with glorious animated GIFs.
The identity of the vigilante hacker or hackers is unknown, but their actions are effectively preventing victims from being compromised by the malware. The sabotage of the Emotet botnet is reportedly impacting a large portion of Emotet's operation: at present, about 25% of all Emotet payloads have reportedly been replaced with these GIFs.
Somebody appears to be replacing Emotet payloads with this GIF of James Franco https://t.co/YCCSFwfTZb pic.twitter.com/oSPGka9l6g
— Kevin Beaumont (@GossiTheDog) July 22, 2020
A bit of detail on how Emotet works helps explain what exactly the vigilante is doing. The botnet spams computer users with emails that claim to be business-related communications. These emails typically contain a malicious Office document or a link to one the user is asked to download. If the user opens the document, it displays a lure asking them to click "Enable Editing" and then "Enable Content," which allows the embedded macros to run. Those macros then download the Emotet loader to the compromised machine.
I've been running into this old guy more and more at the sites where #Emotet used to be. pic.twitter.com/pozYFpPoiv
— tike (@tiketiketikeke) July 22, 2020
The group operating Emotet is currently hosting the malware payloads on hacked WordPress websites. To control those hacked sites, the operators use web shells, but the web shells they chose are widely used open-source scripts rather than anything custom. Making matters worse, the operators are using the same password for every one of those web shells.
That password reuse exposed the Emotet payload infrastructure to other hackers, who were eventually able to guess the password. Once this vigilante hacker had it, the payload on each site could be swapped out, so victims whose macros reach out for the malware receive a harmless GIF instead of the Emotet loader, and the infection chain stops there.
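An analyst tracking Emotet's payload URLs would tell the swapped-out sites from the live ones by inspecting what each URL actually returns. The script below is an added example, not code from the article or from anyone involved in the campaign: it classifies a fetched blob by its magic bytes (a Windows PE for a genuine Emotet stage, a GIF for a replaced payload, HTML for a site that has been cleaned up) and computes the share of live payload hosts that are currently serving GIFs. The URLs and payload bytes are constructed inline so it runs offline; the minimal PE stub is a synthetic header, not malware.

```python
import struct
from collections import Counter

GIF_MAGICS = (b"GIF87a", b"GIF89a")


def classify_payload(data: bytes) -> str:
    """Classify a blob fetched from a payload URL by its magic bytes.

    Returns "pe" (a genuine Windows executable/DLL stage), "gif" (the
    vigilante's replacement), "html" (the host now serves a page, e.g. a
    cleaned-up site or a 404), "empty", or "unknown".
    """
    if not data:
        return "empty"
    if data[:6] in GIF_MAGICS:
        return "gif"
    if data[:2] == b"MZ" and len(data) >= 0x40:
        # e_lfanew at offset 0x3C points at the "PE\0\0" signature.
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if len(data) >= e_lfanew + 4 and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe"
        return "unknown"  # MZ header without a PE signature: treat with suspicion
    head = data[:64].lstrip().lower()
    if head.startswith(b"<!doctype html") or head.startswith(b"<html"):
        return "html"
    return "unknown"


def make_fake_pe(size: int = 0x200) -> bytes:
    """Build a constructed, harmless PE header stub for testing only:
    MZ magic, e_lfanew pointing at 0x80, and a PE signature there."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\x00\x00"
    return bytes(buf)


# Constructed stand-in for the responses of several payload hosts. The
# hostnames are hypothetical (.invalid TLD); nothing here is fetched live.
SAMPLE_PAYLOADS = {
    "http://wp-host-1.invalid/wp-content/uploads/a.php": make_fake_pe(),
    "http://wp-host-2.invalid/wp-includes/b.php": make_fake_pe(),
    "http://wp-host-3.invalid/wp-admin/c.php": make_fake_pe(),
    "http://wp-host-4.invalid/wp-content/d.php": b"GIF89a" + b"\x00" * 32,
    "http://wp-host-5.invalid/old/e.php": b"<html><body>Not Found</body></html>",
}


def replacement_ratio(payloads: dict) -> tuple:
    """Count payload types and return (counts, fraction of live payload
    hosts that are serving a GIF instead of an executable)."""
    counts = Counter(classify_payload(blob) for blob in payloads.values())
    live = counts["pe"] + counts["gif"]
    ratio = counts["gif"] / live if live else 0.0
    return counts, ratio


if __name__ == "__main__":
    for url, blob in SAMPLE_PAYLOADS.items():
        print(f"{classify_payload(blob):8s} {url}")
    counts, ratio = replacement_ratio(SAMPLE_PAYLOADS)
    print(dict(counts), f"replaced: {ratio:.0%}")
```

Swapping the constructed dictionary for real responses means fetching live Emotet distribution URLs, which should only be done from an isolated analysis host; the classification and tallying logic is unchanged either way. Checking the PE signature at `e_lfanew` rather than just the `MZ` prefix avoids counting random data or a decoy that merely starts with "MZ" as a live payload.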
Currently, there is a back-and-forth battle, with the vigilante replacing malware payloads with GIFs and the Emotet operators restoring their malicious payloads. The vigilante's actions have reduced Emotet to far less than its previous capability, and the operators are still, somewhat comically, fighting for control of their own web shells -- a poetic justice cocktail served deliciously chilled.