Researchers Say Trojan’s Developers Devising Ways to Spread Trojan to More Devices
The developers of the Emotet Trojan have created a new way to spread it to more victims, security firm Binary Defense reports. Attackers are using unsecured WiFi networks as a way to deliver the malware to more devices.
Since Emotet resurged in late 2019, its creators have relied on a variety of methods to help spread their malware to more victims. Most of these methods involve phishing emails with attached Microsoft documents that contain malicious macros that help deliver the malware to a targeted device (see: Fake Coronavirus Messages Spreading Emotet Infections).
The malware can also spread from one device to another by creating a botnet that helps deliver additional spam and emails, according to the Binary Defense researchers.
But now, the researchers have found that some versions of Emotet can be spread across an unsecured WiFi network by taking advantage of weak passwords and other security flaws. While these types of infections are rare, it’s important to keep an eye on how the Trojan’s creators are attempting new methods, James Quinn, threat researcher and malware analyst for Binary Defense, notes in the report.
“With this newly discovered loader-type used by Emotet, a new threat vector is introduced to Emotet’s capabilities,” Quinn writes. “Previously thought to only spread through malspam and infected networks, Emotet can use this loader-type to spread through nearby wireless networks if the networks use insecure passwords.”
Some Emotet samples in campaigns leveraging WiFi that researchers examined in January contained a timestamp dated April 16, 2018, which suggests that the capability to spread the malware through poorly secured WiFi networks may have gone unnoticed until now, according to the report.
In these campaigns, once attackers infect a device with the Trojan, it starts to download what the researchers call a WiFi spreader module, which contains two binaries, according to the report. One of these binaries, called worm.exe, begins to list all the WiFi-enabled devices that are connected to the infected device.
The binary also extracts a list of reachable wireless networks using the wlanAPI interface found in later versions of Microsoft Windows, according to the report. This interface helps manage WiFi connections and network profiles in some versions of Windows.
Once the list of all WiFi networks and devices is gathered, the binary then begins to use a brute force attack to guess the usernames and passwords of the wireless networks, looking for one it can crack, according to the report. The Emotet malware has an internal list of passwords that it uses as part of this brute force attack, the report adds.
If successful, the malware “sleeps” for about 14 seconds and connects back to the command-and-control server to receive further instructions, according to the report.
Once the connection is established, the worm.exe binary then begins a second series of brute force attacks, the researchers found. It attempts to guess passwords for devices, such as PCs and servers, that are connected to the infected WiFi network in an attempt to gain a further foothold, according to the report. If successful, a second binary, called service.exe, is installed and calls back to the command-and-control server, and then Emotet is installed on the newly accessed device, the report notes.
IT and security teams should take the time to create stronger passwords for WiFi networks to ensure that these brute force attacks are less likely to be successful, the researchers recommend.
“Detection strategies for this threat include active monitoring of endpoints for new services being installed and investigating suspicious services or any processes running from temporary folders and user profile application data folders,” Quinn notes. “Network monitoring is also an effective detection, since the communications are unencrypted and there are recognizable patterns that identify the malware message content.”
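One way to put the endpoint side of that guidance into practice, as an added example that is not from the Binary Defense report or its authors: a small Python triage routine that runs over constructed Windows event records (Event ID 7045 service installs and Event ID 4688 process creations; hostnames, service names and file paths are made up) and flags service images or processes that run from temp folders or user-profile AppData folders.

```python
import re

# Constructed sample events, shaped like the fields a SIEM would extract from
# Windows System log Event ID 7045 (a service was installed) and Security log
# Event ID 4688 (process creation). Hosts, users and file names are made up.
SAMPLE_EVENTS = [
    {"event_id": 7045, "host": "ws01", "service_name": "WinUpdateSvc",
     "image_path": r'"C:\Users\alice\AppData\Local\Temp\service.exe" -k'},
    {"event_id": 7045, "host": "ws01", "service_name": "Spooler",
     "image_path": r"C:\Windows\System32\spoolsv.exe"},
    {"event_id": 4688, "host": "ws02",
     "process_name": r"C:\Users\bob\AppData\Roaming\worm.exe"},
    {"event_id": 4688, "host": "ws02",
     "process_name": r"C:\Program Files\Git\bin\git.exe"},
    {"event_id": 7045, "host": "ws03", "service_name": "Helper",
     "image_path": r"%TEMP%\helper.exe"},
]

# Directory markers for temp folders and user-profile application data, the
# locations the report calls out. Compared case-insensitively after lowering.
SUSPICIOUS_MARKERS = (
    "\\appdata\\local\\", "\\appdata\\roaming\\", "\\appdata\\locallow\\",
    "\\temp\\", "\\tmp\\", "%temp%", "%tmp%", "%appdata%", "%localappdata%",
)

def executable_from_command(cmd: str) -> str:
    """Return the executable path from a service ImagePath or command line,
    handling both a quoted path with arguments and an unquoted one."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    # Unquoted: the executable ends at the first ".exe" token, if there is one.
    m = re.match(r"(.+?\.exe)(\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ", 1)[0]

def is_suspicious_path(path: str) -> bool:
    """True if the path sits under a temp or user-profile AppData folder."""
    p = path.replace("/", "\\").lower()
    return any(marker in p for marker in SUSPICIOUS_MARKERS)

def triage(events):
    """One finding per event whose service image or process runs from a
    temp or AppData location; benign system paths produce nothing."""
    findings = []
    for ev in events:
        exe = executable_from_command(ev.get("image_path")
                                      or ev.get("process_name") or "")
        if is_suspicious_path(exe):
            findings.append({"host": ev["host"], "event_id": ev["event_id"],
                             "service": ev.get("service_name"), "exe": exe})
    return findings
```

On the sample data this yields three findings (the Temp-hosted service on ws01, the AppData process on ws02 and the %TEMP% service on ws03) and ignores the spooler and git entries.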