Emotet, a kind of malware originally designed as a banking Trojan, can steal data such as user credentials stored on the browser, install other types of malware and ransomware, and form botnets. It scans the networks to determine SSIDs, encryption type, and authentication methods. The newly discovered Emotet sample powers a “Wi-Fi spreader” module to scan unsecured Wi-Fi networks, and then attempts to infect devices that are connected to them by taking advantage of weak passwords and other security flaws. “With this newly discovered loader-type used by Emotet, a new threat vector is introduced to Emotet’s capabilities. Previously thought to only spread through malicious spam and infected networks, Emotet can use this loader-type to spread through nearby wireless networks if the networks use insecure passwords,” wrote James Quinn, a Threat Researcher and Malware Analyst for Binary Defense, in a blog post.
The researchers first noticed the Wi-Fi spreading binary being delivered by Emotet on January 23, 2020. The executable has a timestamp of 4/16/2018, which was first submitted to the VirusTotal database on 05/04/2018. This indicates that spreading Wi-Fi behavior has been running “unnoticed” for close to two years. This may be in part due to how infrequently the binary is dropped, despite having data going back to when Emotet first came back in late August of 2019. How does Emotet work? “We retrieved this malware sample from an Emotet bot used for research and reverse-engineered the malware code using IDA Pro to determine how it operates,” Randy Pargman, Senior Director Of Threat Hunting And Counterintelligence at Binary Defense, told Help Net Security. Once the malware infects a computer that has Wi-Fi ability, it then uses the wlanAPI interface to find any Wi-Fi networks in the nearby area. “Even if those networks are protected with a password required to join, the malware tries a list of possible passwords and if one of the guessed passwords works to connect to the Wi-Fi network, it will join the infected computer to that network,” Pargman explained. “Once it is on the network, the malware scans all other computers connected to the same network for any Windows computers that have file sharing enabled. It then retrieves the list of all user accounts on those computers and attempts to guess the passwords to those accounts as well as the Administrator account. If any of the guessed passwords are correct, the malware copies itself to that computer and installs itself by running a remote command on the other computer.” Ultimately, it reports back to the command and control server to confirm the installation. Like this, the malware attempts to infect as many devices as possible. Quinn warns companies to use strong passwords to secure wireless networks so that malware like Emotet cannot gain unauthorized access to the network. “Detection strategies for this threat include active monitoring of endpoints for new services being installed and investigating suspicious services or any processes running from temporary folders and user profile application data folders,” Quinn notes. “Network monitoring is also an effective detection since the communications are unencrypted and there are recognizable patterns that identify the malware message content.” For more information regarding the findings, you can read the detailed documentation here.