The Emotet malware payload was hijacked and replaced with animated gifs last week in a surprise turn of events that saw the infamous hacker group scramble to gain back control of their own malicious systems.

Distributed through spam phishing emails, Emotet usually enters a victim’s Windows machine through a malicious link or attachment – such as a Word document that asks the user to enable macros.

This would normally ping a request to one of many compromised websites used by the gang behind Emotet to store and deliver its malware payload.

Except, of course, when someone sneakily changes the payload from being a potentially dangerous trojan to harmless gifs of James Franco.

Cybersecurity researchers had a giggle last week upon the discovery of the dreaded Emotet reduced to memes.

Until two weeks ago, Emotet had been mercifully quiet for most of 2020.

The infamous botnet attacks in waves – sending out mass emails to infect unsuspecting users – causing the Australian Cyber Security Centre warned of an Emotet campaign that was wreaking havoc among Australian businesses last October.

Once the payload lands from its command and control server, attackers often use Emotet to cause more destruction through trojans that sniff for banking credentials, or by dropping ransomware like Ryuk which crippled a Florida council’s network last year causing the IT manager to be fired.

Emotet returns

A new Emotet campaign was launched in July and cybersecurity researchers, like the team behind Cryptolaemus, were quick to track and unpack the surge of malicious emails.

As the wave of spam emails turned up little more than a few harmless gifs, cyber researcher Jospeh Roosen dubbed it an “ongoing battle for the control of the Emotet shells” which drop the malware.

“It will likely result in long-term changes to lock down the shells but short-term it is funny,” he said.

Cybersecurity analyst with Microsoft, Kevin Beaumont, said he was not surprised that Emotet was hacked given the poor security of its own malware delivery system.

“They use largely hacked infrastructure (for example, Wordpress sites) to distribute their wares,” Beaumont said in a blog post.

“Their passwords and techniques for this are known. The net impact is anybody can replace their payloads.”

Unfortunately, Emotet was back under the control of its bad actors by Tuesday morning – once again spreading malware instead of smiles.