Emotet now using Wi-Fi to spread malware

News by Rene Millman

Hackers modified Emotet Trojan to spread through unprotected wireless networks

Hackers have modified the Emotet Trojan to spread through unprotected wireless networks. The malware can now hop onto other Wi-Fi networks and compromise computers on them, says research carried out by Binary Defense.

This new loader type takes advantage of the wlanAPI interface to enumerate all Wi-Fi networks in the area and spreads to these networks, infecting all devices that it can access in the process.

The malware does this by using brute-force techniques to access Wi-Fi networks that are password protected. Once connected, the worm then looks for other non-hidden shares on the network.

“Once shares have been discovered, the malware attempts to connect to the IPC$ share for the network resources. Using IPC$, it attempts to enumerate all users connected to the network resource. Using the second password list contained in the malware, the malware attempts to then brute-force its way into all users enumerated, saving each successful attempt to two buffers: one for the username and one for the password,” said the report.

Once accessed, the worm drops its infected payload service.exe onto a victim computer and installs a service called “Windows Defender System Service”. It then starts this service, executing service.exe as my.exe on the remote system.
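As an added, illustrative detection example (not code from the article or from Binary Defense), the following Python correlates the two host-side signals the report describes: a burst of failed logons against a machine, followed by the installation of a service with the reported service name or binary names. The JSON field names, event sample and thresholds are constructed assumptions, not a standard log format.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs), one JSON object per Windows event as a
# SIEM might normalise it: 4625 = failed logon, 7045 = new service installed on "host".
SAMPLE_EVENTS = r"""
{"ts": "2020-01-23T10:00:01", "host": "WS01", "id": 4625, "src": "10.0.0.7", "user": "alice"}
{"ts": "2020-01-23T10:00:02", "host": "WS01", "id": 4625, "src": "10.0.0.7", "user": "alice"}
{"ts": "2020-01-23T10:00:03", "host": "WS01", "id": 4625, "src": "10.0.0.7", "user": "bob"}
{"ts": "2020-01-23T10:00:04", "host": "WS01", "id": 4625, "src": "10.0.0.7", "user": "bob"}
{"ts": "2020-01-23T10:00:12", "host": "WS01", "id": 7045, "service": "Windows Defender System Service", "image": "C:\\Windows\\my.exe"}
{"ts": "2020-01-23T11:30:00", "host": "WS02", "id": 4625, "src": "10.0.0.9", "user": "dave"}
"""

SERVICE_NAME = "Windows Defender System Service"  # service name quoted in the article
IMAGE_NAMES = {"service.exe", "my.exe"}            # binaries named in the article
FAIL_THRESHOLD, WINDOW = 4, timedelta(minutes=5)   # failed logons per (host, src) per window (assumed)

def parse_events(text):
    # JSON lines -> dicts with real datetimes, oldest first
    events = [json.loads(ln) for ln in text.strip().splitlines() if ln.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])

def brute_force_pairs(events):
    # (host, src) pairs with FAIL_THRESHOLD failed logons inside WINDOW
    fails = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            fails[(e["host"], e["src"])].append(e["ts"])
    return {key for key, t in fails.items()
            if any(t[i + FAIL_THRESHOLD - 1] - t[i] <= WINDOW
                   for i in range(len(t) - FAIL_THRESHOLD + 1))}

def suspicious_services(events):
    # 7045 events whose service name or image file name matches the report
    hits = []
    for e in events:
        image = e.get("image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
        if e["id"] == 7045 and (e.get("service") == SERVICE_NAME or image in IMAGE_NAMES):
            hits.append(e)
    return hits

def correlate(events):
    # hosts that saw a logon brute force and a matching service install
    bf_hosts = {host for host, _ in brute_force_pairs(events)}
    return sorted({e["host"] for e in suspicious_services(events) if e["host"] in bf_hosts})
```

On the constructed sample, only WS01 shows both the failed-logon burst and the service install, while WS02's single failure is ignored.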

The worm called worm.exe has a timestamp of 04/16/2018 and was first submitted to VirusTotal on 05/04/2018. “This hints that this Wi-Fi spreading behavior has been running unnoticed for close to two years,” said the report.

“This may be in part due to how infrequently the binary is dropped. Based on our records, 01/23/2020 was the first time that Binary Defense observed this file being delivered by Emotet, despite having data going back to when Emotet first came back in late August of 2019.”

This is a particularly concerning development in Emotet, as it hops through Wi-Fi, allowing attackers to compromise networks they don't even initially have access to, KnowBe4 security awareness advocate Javvad Malik told SC Media UK.

“Organisations should take measures to secure their WiFi networks with the same rigour and level as any other network. Ensuring encryption is enabled and strong passwords / passphrases are chosen. Organisations should also consider network monitoring to detect anomalous traffic and have response procedures in place,” he said.

A good gateway defence mitigates this attack to a great extent, Barracuda Networks senior security researcher Jonathan Tanner told SC Media UK.

“Advanced inbound and outbound security techniques should be deployed, including malware detection, spam filters, firewalls, and sandboxing, which form the basic layer of defence. Secondly, resilience: backup helps recover from data deletion, and continuity ensures that critical emails can get sent during a potential outage,” he said.

“Thirdly, fraud prevention stops attacks that can bypass the email gateway. Artificial intelligence should be used for spear-phishing protection, and DMARC validation detects and prevents email and domain spoofing.”

Finally comes the human firewall, the top layer of email defence for every business and the most critical one, Tanner said.

“Make phishing simulation and training part of security-awareness training. Ensure end users are aware of new types of attacks, show them how to identify potential threats and transform them from a security liability into a line of defense by testing the effectiveness of in-the-moment training and evaluating the users most vulnerable to attacks.”
