Emotet Now Hacks Nearby Wi-Fi Networks to Spread Like a Worm

Emotet Wi-Fi

The new tactic used by Emotet allows the malware to infect nearby insecure Wi-Fi networks – and their devices – via brute force loops.

A newly uncovered Emotet malware sample has the ability to spread to  insecure Wi-Fi networks that are located nearby to an infected device.

If the malware can spread to these nearby Wi-Fi networks, it then attempts to infect devices connected to them — a tactic that can rapidly escalate Emotet’s spread, said researchers. The new development is particularly dangerous for the already-prevalent Emotet malware, which since its return in September has taken on new evasion and social engineering tactics to steal credentials and spread trojans to victims (like the United Nations) .

“With this newly discovered loader-type used by Emotet, a new threat vector is introduced to Emotet’s capabilities,” said James Quinn, threat researcher and malware analyst for Binary Defense, in a Friday analysis. “Previously thought to only spread through malspam and infected networks, Emotet can use this loader-type to spread through nearby wireless networks if the networks use insecure passwords.”

While researchers noticed the Wi-Fi spreading binary being delivered for the first time on Jan. 23, they said that the executable has a timestamp of 4/16/2018, hinting that the Wi-Fi spreading behavior has been running unnoticed for almost two years. This may be in part due to how infrequently the binary is dropped, researchers said, as this is the first time they’ve seen it despite tracking Emotet since its return in 2019.

The Emotet sample first infects the initial system with a self-extracting RAR file, containing two binaries (worm.exe and service.exe) used for the Wi-Fi spreading. After the RAR file unpacks itself, Worm.exe executes automatically.

The worm.exe binary immediately begins profiling wireless networks in order to attempt to spread to other Wi-Fi networks. Emotet makes use of the wlanAPI interface to do this. wlanAPI is one of the libraries used by the native Wi-Fi application programming interface (API) to manage wireless network profiles and wireless network connections.

Once a Wi-Fi handle has been obtained, the malware then calls WlanEnumInterfaces, a function that enumerates all Wi-Fi networks currently available on the victims’ system. The function returns the enumerated wireless networks in a series of structures that contain all information related to them (including their SSID, signal, encryption and network authentication method).

Once the data for each network has been obtained, the malware moves into the connection with “brute-forcing loops.” Attackers use a password obtained from “internal password lists” (it’s not clear how this internal password list has been obtained) to attempt to make the connection. If the connection is not successful, the function loops and moves to the next password on the password list.

If the password is correct and the connection is successful, the malware sleeps for 14 seconds before sending an HTTP POST to its command-and-control (C2) server on port 8080, and establishes the connection to the Wi-Fi network.

Then, the binary begins enumerating and attempting to brute-force passwords for all users (including any Administrator accounts) on the newly-infected network. If any of these brute forces are successful, worm.exe then installs the other binary, service.exe, onto the infected devices. To gain persistence on the system, the binary is installed under the guise of “Windows Defender System Service” (WinDefService).

“With buffers containing either a list of all usernames successfully brute-forced and their passwords, or the administrator account and its password, worm.exe can now begin spreading service.exe to other systems,” said researchers. “Service.exe is the infected payload installed on remote systems by worm.exe. This binary has a PE timestamp of 01/23/2020, which was the date it was first found by Binary Defense.”

After service.exe is installed and communicates back to the C2, it begins dropping the embedded Emotet executable. In this manner, the malware attempts to infect as many devices as possible.

Emotet, which started as a banking trojan in 2014 and has continually evolved to become a full-service threat-delivery mechanism, can install a collection of malware on victim machines, including information stealers, email harvesters, self-propagation mechanisms and ransomware.

Researchers, for their part, recommend blocking this new Emotet technique with the use of strong passwords to secure wireless networks.

“Detection strategies for this threat include active monitoring of endpoints for new services being installed and investigating suspicious services or any processes running from temporary folders and user profile application data folders,” they said. “Network monitoring is also an effective detection, since the communications are unencrypted and there are recognizable patterns that identify the malware message content.”

Learn how Operational Technology and Information Technology systems are merging and changing security playbooks in this free Threatpost Webinar. Join us Wednesday, Feb. 19 at 2 p.m. ET when a panel of OT and IT security experts will discuss how this growing trend is shaping security approaches for IoT and 5G rollouts. This webinar is for security and DevOps engineers, IoT edge developers and security executives.

Suggested articles

Discussion

  • Umesh on

    Nice
  • Filippo Giovanni REALE on

    How ca I stop this happening on my home network??
    • Lindsey O'Donnell on

      Hi! Researchers recommend blocking this new Emotet technique with the use of strong passwords to secure wireless networks.
  • Marc Balardelle on

    Hello! If Emotet is using a list of passwords, doesn't that make it a dictionary attack rather than brute-force? I have seen the brute-force term used on a few web sites including MalwareBytes', and considering the risks involved this distinction is minimal in regards to the urgency of the situation.
    • Lindsey O'Donnell on

      Hi Marc - good thought. I'm circling back now with the researchers to clarify and I will keep you updated accordingly.

Leave A Comment

 

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.