The vicious Emotet botnet has been torpedoed by an unnamed vigilante hacker, who is exploiting weaknesses in the botnet’s infrastructure to sabotage operations.
The saboteur, who is battling with Emotet operators for control, is replacing malware payloads with animated GIFs, rendering the botnet effectively impotent.
Reports from Cryptolaemus, a group of researchers dedicated to monitoring Emotet, suggest the vigilante is sabotaging roughly a quarter of malicious downloads associated with the botnet.
The Emotet botnet is said to be among the world’s most dangerous malware strains and was revived only last week after a five-month hiatus, although the relaunch has been marred by the ongoing hack.
The attack on Emotet operations began on July 21 after the individual responsible managed to take control of web shells used to control payloads – and has escalated significantly in the six days since.
At first, the mysterious hacker meddled with only a handful of the botnet’s payloads, replacing malware downloads with comedy GIFs of James Franco, Blink 182 and Hackerman. The intrusion has continued to scale, however, and the vigilante has now reduced the botnet’s potency significantly.
“Since [the Emotet administrator] was having technical difficulties today, the hashes are way down and we barely saw much of anything,” wrote Cryptolaemus researcher Joseph Roosen on July 23.
The Emotet operators are reportedly still unable to eject the intruder from their systems, but have become more adept at spotting tampering and fixing malware payloads.
Although the identity of the mysterious saboteur remains unknown, rumors suggest either a rival cybercriminal syndicate or white hat hacker is responsible.