Emotet botnet: Hacker-punisher replaces malicious payloads with GIFs

Emotet botnet Hacker-punishing GIFs

An unknown hacker-punisher sabotages the recently updated Emotet botnet, replacing Emotet payloads with animated GIFs and protecting them victims from infection.

The sabotage began on July 21 and has grown from a simple joke to a serious issue affecting much of Emotet.

What is really going on with the Emotet botnet and how did the hacker-punisher target it?

Emotet botnet works through spam emails, which are supposed to contain business messages. These emails contain either one malicious Office document or one link to a malicious file of the Office, which the users are asked to download it to their computer.

When users open one of these archives and click links in the file or enable the Enable Editing feature to allow macros (automated scripts) to run, automated scripts download Emotet malware and various elements of it from Internet.

By "Internet" we actually mean "infringed WordPress sites", Where the Emotet gang temporarily stores the data of its malware or otherwise malicious payloads.

These temporary hosting sites are also the Achilles heel of the Emotet botnet.

The Emotet gang controls these compromised websites through web shells, a type of malware installed on compromised servers to allow intruders to manipulate the server.

But the Emotet gang does not use the best web shells available on the market. Most of the time uses open-source scripts and has the same password access for all its web shells, exposing its infrastructure to easy violations, if one guesses the web shell password. This weakness was exploited by the hacker-punisher.

Hacker-punisher sabotages it Emotet botnet

Emotet, which is considered the most dangerous malware botnet, had been idle for more than five months, but reappeared last week.

However, a hacker-punisher seems to have discovered the common web shell password and decided to sabotage Emotet's return.

The unknown intruder replaces Emotet payloads on some of the infringed WordPress sites with animated GIFs. This means that when the victims Malware's Office malware is opened, not infected as Emotet does not download or run on their systems.

In recent days, the attacker has replaced Emotet payloads with many popular GIFs.

The first, identified on Tuesday, is this Blink 182 "WTF" GIF.

On the second day, James Franco's GIF was used.

After that, we had the Hackerman GIF.

GIFs are usually obtained from either Imgur or Giphy, two GIF hosting services.

Emotet botnet: Much of the malware is affected

About a quarter of all Emotet daily payload links are replaced with GIFs, causing serious losses to the Emotet gang.

The Emotet gang knows what is going on and apparently stopped operating the botnet on Thursday, in an attempt to remove the attacker from its web shell network.

In some cases, hackers have been able to replace GIF with malicious payload.

The hacker-punisher managed to cause serious damage to Emotet last week.

Security investigators believe the Emotet gang is still trying to gain control of its web shells.

Currently, his identity hacker-punishment is unknown. Some theories say that this is a rival malware gang or a member of the cyber security industry.