Security researchers at Binary Defense recently discovered an Emotet Trojan sample which features a Wi-Fi worm module that allows the malware to spread over insecure wireless networks to new victims.
This new strain utilizes wlanAPI.dll calls to discover wireless networks around a computer that is already infected with Emotet. By using the compromised machine's Wi-Fi connection, the malware tries to brute-force its way in to other password protected networks nearby.
After the compromised device has been successfully connected to another wireless network, the Emotet Trojan begins looking for other Windows devices with non-hidden shares. The malware then scans for all accounts on these devices and once again brute-forces the password for the Administrator account and all other users on the system.
- Banks being targeted with major malware campaign
- Coronavirus malware infects thousands of devices worldwide
- United Nations hit by major phishing attack
Finally the worm gains persistence on the system by dropping a malicious payload in the form of a service.exe binary which installs a new service called “Windows Defender System Service”.
Undiscovered Wi-Fi spreader
In a blog post detailing their findings, the researchers at Binary Defense explained that Emotet's ability to spread over Wi-Fi has gone undetected for almost two years, saying:
“Worm.exe is the main executable used for spreading. This executable has a timestamp of 04/16/2018 and was first submitted to VirusTotal on 05/04/2018. The executable with this timestamp contained a hard-coded IP address of a Command and Control (C2) server that was used by Emotet. This hints that this Wi-Fi spreading behavior has been running unnoticed for close to two years.”
The reason that Wi-Fi spreading behavior went unnoticed for so long is due to how rarely the binary is dropped. According to Binary Defense, January 23rd 2020 marked the first time the company had observed the file being delivered by Emotet despite the fact that it was included in the malware since 2018.
Another reason it went undiscovered could be that the module did not display spreading behavior on the virtual machines and automated sandboxes without Wi-Fi cards that researchers use to dissect new strains of malware.
Emotet already posed a serious risk before but now that the malware can spread over Wi-Fi networks with simple passwords, expect organizations to take additional precautions to prevent falling victim to it.
- Also check out the best antivirus software