July 30, 2020
V Stands for Vigilante: Unknown Hacker Derails Emotet’s Comeback
Do you like GIFs? I do, much more than smiley faces.
They express a lot of emotions and can be funny. You can send one and save yourself minutes of typing. They are handy and popular because of the entertainment value they bring.
But enough about the obvious.
Now we can also state that GIFs can save lives while boiling the blood in the veins of cybercriminals! There have been reports of an unknown vigilante hacker who decided to serve his own brand of justice, and interestingly, he (or she) picked a notable malicious party to mess with.
Emotet ‒ a well-known malware strain spread through phishing emails that carry malicious PDF and Word documents.
Don’t Call It a Comeback...
Emotet has been around for years and originally started as a banking trojan.
A banking trojan is a malware type that steals banking credentials from infected hosts, but you already knew that.
Emotet was first discovered in 2014 and was reconfigured into a loader in 2016/17. In Emotet’s context, a loader is a malicious component that pulls payloads from hacked WordPress sites onto the infected machine after initial access has been gained through the aforementioned PDF/Word route.
Learn to identify phishing emails, stay away from unsolicited attachments and if you can’t because it is your job ‒ never click "Enable Editing", which lets the document’s macros download more malware onto your machine.
With the public service announcement out of the way, we can turn back to Emotet.
The people behind it have been on hiatus lately, taking five months off. The criminals had earned some rest: Emotet was the most active malware botnet of 2019. Emotet is closely related to big ransomware groups in the Netherlands and Germany and has been particularly active in attacks against Italy and Spain. To put it simply ‒ they have been in the criminal business for a long time, and they have been successful so far.
So how does someone disrupt such a notorious group from running a corporate riot?
Let’s Fight Fire With Fire!
A proactive approach beats a reactive approach every time, right?
The vigilante in question took that statement literally, deciding to put a stick in the wheels of the rampant malware strain’s operators. They had a vulnerability in the form of temporary hosting locations and lax digital hygiene.
“Emotet gang uses open-source scripts and also employs the same password for all of its web shells, exposing its infrastructure to easy hijacks if anyone can guess the web shell's password.” ‒ explains ZDNet, citing Kevin Beaumont’s Twitter post.
This seems to be what the vigilante exploited, allegedly discovering a common password and abusing the weakness. “The Hackerman” then started replacing payloads on the hacked sites with animated GIFs.
Now, when Emotet’s targets opened the infected Office files, the malware payload was not pulled and, in turn, never executed.
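The chain described above (a macro in an Office document fetches a payload from a compromised site, and the fetch was harmless only because the payload body had been swapped for a GIF) is exactly what a defender wants to catch. The following is an added example, not code from the article or from any researcher it cites: it triages constructed download events by the parent process and the response’s magic bytes, and treats the macro-initiated download itself as the incident, regardless of whether the body turned out to be inert. Host names and paths are hypothetical.

```python
from dataclasses import dataclass

# Processes that should never be the parent of a payload download.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# File-type magic numbers used to identify the body independently of URL or Content-Type.
MAGIC = (
    (b"MZ", "pe-executable"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip-or-office"),
)


@dataclass
class DownloadEvent:
    parent: str   # process name that initiated the fetch
    url: str
    head: bytes   # first bytes of the HTTP response body


def classify_body(head: bytes) -> str:
    """Identify a downloaded body by its leading bytes."""
    for magic, kind in MAGIC:
        if head.startswith(magic):
            return kind
    return "unknown"


def triage(event: DownloadEvent) -> str:
    """Score one download. The macro run is the real incident; the body type only
    tells us whether the dropped stage was live or had been swapped out."""
    if event.parent.lower() not in OFFICE_PARENTS:
        return "info"
    if classify_body(event.head) == "pe-executable":
        return "critical"   # live loader stage delivered to an Office process
    return "high"           # Office fetched something inert (e.g. a GIF); the document is still malicious


# Constructed sample events (hypothetical hosts and paths, not real Emotet infrastructure).
SAMPLE_EVENTS = [
    DownloadEvent("WINWORD.EXE", "http://compromised-blog.example/wp-content/x/", b"MZ\x90\x00" + b"\x00" * 60),
    DownloadEvent("WINWORD.EXE", "http://compromised-blog.example/wp-content/x/", b"GIF89a\x01\x00\x01\x00"),
    DownloadEvent("chrome.exe", "http://cdn.example/funny.gif", b"GIF89a\x10\x00\x10\x00"),
]


def triage_all(events=SAMPLE_EVENTS):
    return [(e.parent, classify_body(e.head), triage(e)) for e in events]


if __name__ == "__main__":
    for row in triage_all():
        print(row)
```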
Somebody Call “The Beastie Boys” Because It’s a Sabotage
The kind of sabotage we can all get behind. It started on July 21, and since then, it has cost Emotet’s masterminds dearly.
If you are interested in what GIFs were used:
- Blink 182 "WTF"
- Appalled James Franco
- Hackerman from Kung Fury
Now Emotet’s operators face the monotonous task of replacing the GIFs with their payloads. Maybe they will discover the good use of macros at last? Emotet is currently operating at around a quarter of its normal capacity, but it is also finding new ways to become more dangerous, such as pulling past attachments to appear more genuine. Clearly, they will not let this minor setback stop them.
The catch is that tipping our hat to the stranger who caused this might be a mistake, as it could be the doing of a member of some other criminal gang. For now, let’s just appreciate the spoiled Emotet return and hope that this hiccup will not push them to become more sophisticated.