From the past few days, unknown hackers are disrupting the operations of recently restored Emotet botnet by replacing Emotet payloads with animated GIFs, effectively preventing victims from getting infected.
The hackers targeted Emotet's distribution channel, which is made up of compromised websites that host the malicious payloads distributed by the Emotet operators.
When victims open the malicious files, instead of obtaining the Emotet malware payload from the compromised sites, they receive GIF images and memes.
Experts noticed that the intruders replaced the Emotet payloads with several popular GIFs, such as the James Franco and Hackerman memes.
What is Emotet, and how does it operate?
Emotet is a sophisticated, multi-component piece of machinery. The botnet operates by spamming victims with emails that contain a malicious Office document or a link to one.
When victims of these campaigns open the attachments, click the links embedded in the files, or click "Enable Editing", the embedded macros execute. These automated scripts then download the Emotet malware.
Currently, about a quarter of all daily Emotet payload links are being replaced with GIFs, causing operational losses for the Emotet gang.
The Emotet operators deploy open-source web shell scripts on the compromised sites, all protected by the same password, which allows other threat actors to guess or change that password and take over the infrastructure.
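As an added example (not from the article, and not Cryptolaemus or Emotet code), here is the kind of defender-side tracker check that would surface the swap described above: classify what each payload link currently serves by its leading magic bytes and compute the share that has turned into GIFs. The link names and byte strings are constructed sample data standing in for a live fetch.

```python
"""Classify what tracked payload links actually serve, by magic bytes (added example)."""
from collections import Counter

# Leading-byte signatures. GIF87a/GIF89a: GIF image; MZ: Windows PE executable;
# PK\x03\x04: zip container (modern Office documents); D0 CF 11 E0 ...: legacy OLE2 Office.
SIGNATURES = (
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"MZ", "pe_executable"),
    (b"PK\x03\x04", "zip_office"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2_office"),
)


def classify(blob: bytes) -> str:
    """Label a fetched payload by its leading bytes; 'unknown' if nothing matches."""
    for magic, label in SIGNATURES:
        if blob.startswith(magic):
            return label
    return "unknown"


def replacement_ratio(payloads: dict) -> tuple:
    """Tally labels across all tracked links and return (counts, share served as GIF)."""
    counts = Counter(classify(blob) for blob in payloads.values())
    total = sum(counts.values())
    gif_share = counts["gif"] / total if total else 0.0
    return counts, gif_share


# Constructed sample: four tracked payload links, one of which now serves a GIF.
# Keys are placeholder names, values are the first bytes a fetch would return.
SAMPLE_PAYLOADS = {
    "tracked-link-1 (placeholder)": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,
    "tracked-link-2 (placeholder)": b"GIF89a\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 40,
    "tracked-link-3 (placeholder)": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,
    "tracked-link-4 (placeholder)": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,
}

if __name__ == "__main__":
    counts, share = replacement_ratio(SAMPLE_PAYLOADS)
    for name, blob in SAMPLE_PAYLOADS.items():
        print(f"{name}: {classify(blob)}")
    print(f"labels: {dict(counts)}; GIF share: {share:.0%}")
```

A real tracker would alert when a link that served a PE executable yesterday serves a GIF today, which is exactly the shift the researchers quoted below observed.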
“From tracking, the replacements generally happen within a few minutes of Emotet updating their botnet. Around a quarter of all malware is getting replaced,” reads a post written by Beaumont. “This suggests a few possibilities:
- Emotet themselves are doing this.
- Other threat actors are doing this to sabotage Emotet.
- Security researchers are doing it.”
According to Cryptolaemus member Joseph Roosen, the Emotet gang is aware of the attack on its infrastructure, and on Thursday it shut down the botnet to remove the attacker from its web shells.