GIFs instead of malware: unknown hackers sabotage Emotet botnet

An unknown hacker has taken control of WordPress sites hijacked by the Emotet gang, which the gang uses to distribute the actual malware. The hacker replaces the payloads with various animated GIF files, which massively disrupts Emotet's operation.

An unknown hacker is currently partially paralyzing the operation of the recently reactivated Emotet botnet. The hacker replaces the malicious code that is supposed to be distributed via Emotet with an animated GIF file, which prevents victims from being infected with the malware.

The attack on the botnet began on July 21, according to the Cryptolaemus researchers who track Emotet's activities. Around a quarter of all Emotet payload downloads are now affected.

The operators of Emotet use the systems under their control to send phishing emails. These are made to look like business correspondence and are intended to entice users to open attached Word files or to follow embedded links that download a malicious document.

The malicious documents usually contain scripts or macros whose execution the user must first confirm. Only then does the macro fetch the actual Emotet malware from the Internet onto the victim's system. The operators often host this payload on hacked WordPress websites.

This is exactly where the unknown hacker's sabotage comes in. The Emotet gang controls the hacked sites via a web shell based on open source scripts. In addition, security researcher Kevin Beaumont discovered last year that all of the Emotet gang's web shells use the same password, which makes attacks on the botnet easier.

This password has probably now been cracked. The saboteur is thus able to control the hacked WordPress sites and replace the malware served through them with a harmless file, in this case a GIF animation.
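The sabotage is detectable from the defender's side: a stage-2 URL that is supposed to serve the Emotet loader suddenly returns a GIF. The following is an added example, not code from the article, from Cryptolaemus or from any Emotet tracker, that classifies a downloaded payload by its magic bytes (GIF, PE executable, legacy OLE document, ZIP/OOXML document) and tallies how many distribution URLs in a sample set have been neutralized. All URLs and payload bytes are constructed inline and hypothetical; no real Emotet infrastructure or binaries are used.

```python
"""Classify stage-2 downloads by magic bytes to spot loader URLs that now
serve a harmless GIF instead of an executable (added example, not from the
article; all sample data below is constructed)."""
import struct

GIF_MAGICS = (b"GIF87a", b"GIF89a")
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls container
ZIP_MAGIC = b"PK\x03\x04"                            # OOXML (.docm etc.) is a ZIP


def is_pe(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew field (offset 0x3C)
    points at a 'PE\\0\\0' signature; a bare 'MZ' prefix is not enough."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify_payload(data: bytes) -> str:
    """Return one of: gif, pe, ole-document, zip-document, unknown."""
    if data.startswith(GIF_MAGICS):
        return "gif"
    if is_pe(data):
        return "pe"
    if data.startswith(OLE_MAGIC):
        return "ole-document"
    if data.startswith(ZIP_MAGIC):
        return "zip-document"
    return "unknown"


def build_pe_stub() -> bytes:
    """Constructed minimal MZ/PE header (not a runnable executable), standing in
    for the loader the gang normally serves."""
    e_lfanew = 0x40
    hdr = bytearray(b"MZ" + b"\x00" * (0x3C - 2))   # DOS header up to e_lfanew
    hdr += struct.pack("<I", e_lfanew)              # e_lfanew -> PE signature
    hdr += b"PE\x00\x00" + b"\x00" * 20             # signature + empty COFF hdr
    return bytes(hdr)


def build_gif_stub() -> bytes:
    """Constructed 1x1 GIF89a, the kind of file the saboteur served instead."""
    return (b"GIF89a" + struct.pack("<HH", 1, 1) + b"\x00\x00\x00"   # screen desc
            + b"\x2c" + struct.pack("<HHHH", 0, 0, 1, 1) + b"\x00"   # image desc
            + b"\x02\x02\x44\x01\x00"                                 # LZW data
            + b";")                                                   # trailer


def summarize(samples: dict) -> dict:
    """Map each distribution URL to 'live' (still serves a PE loader),
    'neutralized' (serves a GIF) or 'other' (document, error page, ...)."""
    verdicts = {}
    for url, body in samples.items():
        kind = classify_payload(body)
        verdicts[url] = {"pe": "live", "gif": "neutralized"}.get(kind, "other")
    return verdicts


def neutralized_fraction(verdicts: dict) -> float:
    """Share of sampled URLs whose loader has been replaced by a GIF."""
    if not verdicts:
        return 0.0
    return sum(v == "neutralized" for v in verdicts.values()) / len(verdicts)


# Constructed sample set with hypothetical URLs (.invalid TLD), not real sites.
SAMPLES = {
    "http://wp-site-1.invalid/wp-content/uploads/x.php": build_pe_stub(),
    "http://wp-site-2.invalid/wp-includes/y.php": build_gif_stub(),
    "http://wp-site-3.invalid/wp-admin/z.php": build_gif_stub(),
    "http://wp-site-4.invalid/wp-content/w.php": b"<html>404</html>",
}

if __name__ == "__main__":
    verdicts = summarize(SAMPLES)
    for url, verdict in verdicts.items():
        print(f"{verdict:12s} {url}")
    print(f"neutralized: {neutralized_fraction(verdicts):.0%}")
```

The PE check deliberately follows e_lfanew to the `PE\0\0` signature rather than trusting a leading `MZ`, so a decoy file with only the two-byte prefix is not counted as a live loader. In a real tracker the bodies would come from periodic fetches of the URLs extracted from the maldoc macros; here they are embedded so the script runs offline.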

According to Cryptolaemus researcher Joseph Roosen, the Emotet operators are aware of the problem. The botnet was switched off on Thursday, apparently to lock the hacker out of the system. Otherwise it is currently operating at only around a quarter of its capacity.

It is not known who is behind the attack on Emotet. Rival cybercriminals or someone from the cybersecurity industry are considered possible suspects.
