TeamHood 
One of the most dangerous email spam botnets Emotet is being uninstalled today from all infected devices with the help of a malware module delivered in January by law enforcement.
The botnet’s takedown is the result of an international law enforcement action that allowed investigators to take control of the Emotet’s servers and disrupt the malware’s operation.
Emotet was used by the TA542 threat group to deploy second-stage malware payloads, including QBot and Trickbot, onto its victims’ compromised computers.
How the malware uninstallation works
After the takedown operation, law enforcement pushed a new configuration to active Emotet infections so that the malware would begin to use command and control servers controlled by the Bundeskriminalamt, Germany’s federal police agency.
Law enforcement then distributed a new Emotet module in the form of a 32-bit EmotetLoader.dll to all infected systems that will automatically uninstall the malware on April 25th, 2021.
Malwarebytes security researchers Jérôme Segura and Hasherezade took a closer look at the uninstaller module delivered by law enforcement-controlled to Emotet servers.
After changing the system clock on a test machine to trigger the module, they found that it only deletes associated Windows services, autorun Registry keys, and then exits the process, leaving everything else on the compromised devices untouched.
“For this type of approach to be successful over time, it will be important to have as many eyes as possible on these updates and, if possible, the law enforcement agencies involved should release these updates to the open internet so analysts can make sure nothing unwanted is being slipped in,” Marcin Kleczynski, CEO of Malwarebytes.
“That all said, we view this specific instance as a unique situation and encourage our industry partners to view this as an isolated event that required a special solution and not as an opportunity to set policy moving forward.”
German federal police agency behind Emotet uninstall
In a January 28th press release, the US Department of Justice (DOJ) also confirmed that the Bundeskriminalamt pushed the uninstaller module to Emotet-infected computers.
“Foreign law enforcement, working in collaboration with the FBI, replaced Emotet malware on servers located in their jurisdiction with a file created by law enforcement,” the DOJ said.
“The law enforcement file does not remediate other malware that was already installed on the infected computer through Emotet; instead, it is designed to prevent additional malware from being installed on the infected computer by untethering the victim computer from the botnet.”
