European law enforcement agencies automatically wiped the Emotet malware from infected systems across the world as part of a mass sanitization operation. Earlier law enforcement and judicial authorities worldwide conducted a joint operation, named Operation Ladybird, which disrupted the EMOTET botnet and taken down 700 servers
The authorities started pushing out a 32-bit payload named “EmotetLoader.dll” to clean up the infected systems, the process was set to trigger itself automatically. Shortly after the Emotet takedown, a researcher observed a new payload pushed onto infected machines with a code to remove the malware at a specific date.
Recent spam campaigns used messages with malicious Word documents, or links to them, pretending to be an invoice, shipping information, COVID-19 information, resumes, financial documents, or scanned documents.
The infamous banking trojan is also used to deliver other malicious code, such as Trickbot and QBot trojan or ransomware such as Conti (TrickBot) or ProLock (QBot).
The 32 bit DLL (EmotetLoader.dll) has 3 exports, which all lead to the same function that is used to cleanup the infected processes. The procedure loops on checking if the deadline has passed, in this case, the uninstall routine is immediately invoked.
If the deadline already passed, the uninstall routine is called immediately.
The uninstallation routine deletes the service associated with Emotet malware, deletes the autorun Registry key, attempts (but fails) to move the file to %temp% and then terminates the process. All C2C are offline after the operation.