Emotet keeps evolving: trojan can spread by hacking nearby Wi-Fi connections

New day – new Emotet feature: compromised systems allow the trojan to spread using Wi-Fi connections

Emotet malware delivered by hacking wi-fi networks

Emotet malware delivered by hacking wi-fi networks

Last month ended with news about the campaign, during which Emotet was distributed using Coronavirus spam emails.[1] This week, the new Binary Defense report revealed that Emotet relies on an original method of distribution – Wi-Fi spreader.[2] Trojan has a new module that scans internet networks and allows the malware to detect new victims that are connected to the same Wi-Fi networks as the already infected device.[3] 

According to researchers, this behavior was unnoticed for a few years because the spreader had a timestamp of 2018. The activity got discovered this month for the first time and revealed that Emotet might have additional capabilities. Highly sophisticated malware typically behaves as a loader of other malware and delivers custom modules or plugins suited for particular stealing or infection tasks.

This newly discovered, but not that new module, takes advantage of the wlanAPI interface and locates tall WI-Fi networks in the area. This is how malware can spread to those systems and affect all devices it can access at the time. This technique relies on users that use weak passwords for their Wi-Fi networks, so Emotet developers can maximize their reach.

Emoter Wi-Fi spreader functionality

Wi-Fi spreader allows malicious actors to use infected devices to deliver malware in the network and on any device connected to the system.

  • Emotet firstly infects the host;
  • downloads and runs the Wifi spreader module;
  • all devices enabled on the host gets listed;
  • a list of reachable Wi-Fi networks also gets extracted;
  • brute-force attack helps to guess passwords and get on the network;
  • spreader launches another brute-force attack and gains a foothold on a second network;
  • direct Emotet Trojan infection can happen;
  • Emotet can, at this point, jump the gap between two networks using the Wi-Fi connection.

According to the analysis, once the worm lands on the system successfully and the network is identified, malicious activities stop for 14 seconds to avoid early suspicions and only then spreads the Emotet malware. During this time, all needed username and password combinations get collected and added to the malicious database storing all the data useful in future attacks.

Emotet might have been sneaking around Wi-Fi networks undetected since 2018 

Binary Defense report states that the worm.exe, file that is used for spreading the threat via such Wi-Fi connection campaigns, has a particular timestamp of 04/16/2018:

This hints that this Wi-Fi spreading behavior has been running unnoticed for close to two years. This may be in part due to how infrequently the binary is dropped.

The first time the Emotet sample was revealed was in 2014.[4] It started as a banking trojan, and later one evolved when it started to serve as a downloader, stealer, and spambot, depending on particular campaigns. In addition, victims suffered ransomware attacks due to emails infected with Emotet trojan.[5] It was, allegedly not active for a good amount of summer of 2019. Unfortunately, the malware made a comeback in September the same year.

New Emotet feature means that companies can’t run Wi-Fi networks with simple passwords anymore. Malware spreader module can jump t nearby networks and get on systems of huge targets. Researchers warn companies to take precautions by securing Wi-Fi networks using strong passwords.