Emotet Malware Adopts New Wi-Fi Hacking Methodology
Emotet, an infamous trojan behind numerous botnet-driven spam campaigns and ransomware intrusions, has added a technique for finding new victims: it uses already infected devices to locate and attack other machines reachable over nearby Wi-Fi networks. Researchers at Binary Defense have identified an Emotet sample carrying a "Wi-Fi spreader" module, which scans for nearby wireless networks and attempts to infect the devices connected to them.
The Wi-Fi spreader binary carries a compile timestamp of April 16, 2018, yet went unreported until recently, suggesting roughly two years of unnoticed operation (a timestamp can be forged, so this is an indication of age, not proof). The capability widens the threat considerably: a compromised host is no longer a danger only to the network it sits on, but also to any network within radio range of it.
The spreader works by having the compromised host collect details about nearby Wi-Fi networks. Using the Windows Native Wifi API (wlanapi.dll), the malware enumerates the wireless interfaces and the networks each can see, recording SSIDs, signal strength, the authentication method (WPA, WPA2, or WEP) and the cipher configuration of each network. With that inventory in hand, Emotet tries to join each network by brute-forcing its password from two password lists embedded in the binary, whose origins remain unclear. Networks protected by a weak or dictionary-based pre-shared key, or by WEP, are the ones at risk from this stage.
Once connected, the malware enumerates all non-hidden network shares it can reach on the new network. It then launches a second round of brute forcing, this time against the user accounts on the hosts exposing those shares. When an account is cracked, Emotet writes a payload named "service.exe" to the victim and installs it as a service, registering it under the name "WinDefService" and describing it as a Windows Defender System Service so that it blends in with legitimate components.
Emotet's ability to hop between Wi-Fi networks makes two controls more important than they may have seemed. First, both Wi-Fi pre-shared keys and local account passwords must be long and not drawn from common wordlists, since both brute-force stages succeed only against guessable credentials; WEP networks should be retired outright. Second, endpoints and networks should be monitored for the artefacts this chain leaves behind: bursts of failed network logons against file servers, unexpected service installations, and processes launched from temporary folders or from user profile application data folders.
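The monitoring points above (a share brute-force burst, the WinDefService install, and execution from user-writable folders) can be expressed as simple hunt rules. The following is an added example written for this article, not Binary Defense's or the malware's code. The log lines are constructed to resemble Windows Security and System event fields (event IDs 4625, 7045 and 4688 are the real Windows IDs; the pipe-delimited layout, the failure threshold and the list of trusted service install roots are assumptions you would adapt to your own SIEM).

```python
"""Hunt rules for the Emotet Wi-Fi spreader chain. Example code, not from the page's source."""
import re
from collections import defaultdict

# Constructed sample events: timestamp|event_id|field=value;...  (not a real capture)
SAMPLE_LOG = r"""
2020-02-07T10:00:01|4625|TargetUserName=Administrator;IpAddress=192.168.1.23;LogonType=3
2020-02-07T10:00:02|4625|TargetUserName=Administrator;IpAddress=192.168.1.23;LogonType=3
2020-02-07T10:00:02|4625|TargetUserName=Administrator;IpAddress=192.168.1.23;LogonType=3
2020-02-07T10:00:03|4625|TargetUserName=Administrator;IpAddress=192.168.1.23;LogonType=3
2020-02-07T10:00:03|4625|TargetUserName=Administrator;IpAddress=192.168.1.23;LogonType=3
2020-02-07T10:00:04|4625|TargetUserName=jsmith;IpAddress=192.168.1.23;LogonType=3
2020-02-07T10:00:40|7045|ServiceName=WinDefService;ImagePath=C:\service.exe
2020-02-07T10:00:41|4688|NewProcessName=C:\service.exe;ParentProcessName=C:\Windows\System32\services.exe
2020-02-07T10:01:10|4688|NewProcessName=C:\Users\jsmith\AppData\Local\Temp\x7y.exe;ParentProcessName=C:\Windows\explorer.exe
2020-02-07T10:02:00|4688|NewProcessName=C:\Windows\System32\notepad.exe;ParentProcessName=C:\Windows\explorer.exe
2020-02-07T10:02:30|4625|TargetUserName=bob;IpAddress=10.0.0.5;LogonType=2
"""

FAILED_LOGON_THRESHOLD = 5  # assumption: failed network logons from one IP before alerting
# assumption: directories where legitimately installed services normally live (lowercase)
TRUSTED_SERVICE_ROOTS = ("c:\\windows\\", "c:\\program files\\",
                         "c:\\program files (x86)\\", "c:\\programdata\\")
# user-writable locations the article recommends watching: %TEMP% and user AppData
USER_WRITABLE = re.compile(r"\\(appdata\\(local|roaming)|temp)\\", re.I)


def parse_event(line):
    """Turn one 'ts|id|k=v;k=v' line into a dict with 'ts', 'id' and the named fields."""
    ts, eid, body = line.split("|", 2)
    fields = dict(kv.split("=", 1) for kv in body.split(";") if kv)
    return {"ts": ts, "id": int(eid), **fields}


def hunt(log_text):
    """Run the three rules over the log text and return a list of alert dicts."""
    events = [parse_event(l) for l in log_text.strip().splitlines() if l.strip()]
    alerts = []

    # Rule 1: many failed network logons (LogonType 3, as SMB share access produces)
    # from a single source, the signature of the share/account brute-force stage.
    failures = defaultdict(list)
    for e in events:
        if e["id"] == 4625 and e.get("LogonType") == "3":
            failures[e["IpAddress"]].append(e)
    for ip, evs in failures.items():
        if len(evs) >= FAILED_LOGON_THRESHOLD:
            alerts.append({"rule": "logon_brute_force", "ts": evs[0]["ts"], "ip": ip,
                           "attempts": len(evs),
                           "users": sorted({e["TargetUserName"] for e in evs})})

    for e in events:
        # Rule 2: a new service whose binary lives outside the trusted install roots,
        # or that uses the WinDefService name reported for this spreader.
        if e["id"] == 7045:
            path = e["ImagePath"].strip('"')
            if e["ServiceName"] == "WinDefService" or not path.lower().startswith(TRUSTED_SERVICE_ROOTS):
                alerts.append({"rule": "suspicious_service", "ts": e["ts"],
                               "name": e["ServiceName"], "path": path})
        # Rule 3: a process image started from a temp or AppData folder.
        elif e["id"] == 4688 and USER_WRITABLE.search(e["NewProcessName"]):
            alerts.append({"rule": "exec_from_user_writable", "ts": e["ts"],
                           "path": e["NewProcessName"],
                           "parent": e.get("ParentProcessName", "")})
    return sorted(alerts, key=lambda a: a["ts"])


if __name__ == "__main__":
    for alert in hunt(SAMPLE_LOG):
        print(alert)
```

Against the constructed sample, rule 1 fires once for 192.168.1.23 (six failures spanning two usernames, which is the pattern of a password list being walked rather than one user mistyping), rule 2 fires for the WinDefService install from C:\service.exe, and rule 3 fires for the executable under the user's Temp folder; notepad.exe and the single interactive failure from 10.0.0.5 stay quiet. In a real deployment the interesting step is correlating these three within a short window on the same host, which is the spreader's whole sequence compressed into a minute.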
Since it first appeared in 2014, Emotet has grown from a banking trojan into versatile modular malware that acts as a downloader, information stealer, or spambot depending on how it is deployed. It has also proven effective as a delivery mechanism for ransomware. In one widely reported case, the IT infrastructure of Lake City, Florida was crippled in June 2019 after an employee opened a phishing email: the resulting Emotet infection went on to deploy the TrickBot trojan and then Ryuk ransomware.
After going quiet for several months in 2019, Emotet resurged in September with geographically targeted phishing campaigns that used local-language lures, often built around financial themes. These campaigns relied on malicious document attachments and on the recipient opening the document and enabling its content, which was enough to bring Emotet back onto victims' machines.
According to Binary Defense researchers, this newly identified loader-type module broadens Emotet's arsenal and adds a propagation vector across local wireless networks that are protected only by weak or guessable passwords. Emotet's behaviour maps onto several MITRE ATT&CK tactics, including initial access, persistence, and credential access through brute forcing and credential dumping, so organisations should check that their detection coverage spans those stages rather than only the initial phishing email.
As Emotet keeps refining its methods, organisations need to stay vigilant and proactive, treating every compromised host as a threat to the networks around it and not only to its own.