Emotet Hacks Nearby Wi-Fi Networks to Spread to New Victims

A recently spotted Emotet Trojan sample features a Wi-Fi worm module that allows the malware to spread to new victims connected to nearby insecure wireless networks according to researchers at Binary Defense.

This newly discovered Emotet strain starts the spreading process by using wlanAPI.dll calls to discover wireless networks around an already infected Wi-Fi-enabled computer and attempting to brute-force its way in if they are password protected.

Once it successfully connects the compromised device to another wireless network, the worm will start finding other Windows devices with non-hidden shares as Binary Defense threat researcher and Cryptolaemus contributor James Quinn explains.

Next, it scans for all accounts on those devices and tries to brute-force the password for the Administrator account and all the other users it can retrieve.

After successfully breaking into an account, the worm drops a malicious payload in the form of the service.exe binary onto the victim's computer and installs a new service named "Windows Defender System Service" to gain persistence on the system.

Wi-Fi spreader flew under the radar

One of the binaries Emotet uses to spread to infect other devices over Wi-Fi is worm.exe, with the sample analyzed by Binary Defense having a 04/16/2018 timestamp​​​​.

"The executable with this timestamp contained a hard-coded IP address of a Command and Control (C2) server that was used by Emotet," BinaryDefense explains. "This hints that this Wi-Fi spreading behavior has been running unnoticed for close to two years."

"This may be in part due to how infrequently the binary is dropped. Based on our records, 01/23/2020 was the first time that Binary Defense observed this file being delivered by Emotet, despite having data going back to when Emotet first came back in late August of 2019."

This Emotet worm module not being discovered during the last two years despite researchers dissecting new strains on a daily basis might also be explained by the module not displaying spreading behavior on VMs/automated sandboxes without a Wi-Fi card.

The other executable the Trojan uses for Wi-Fi spreading is service.exe, a binary we already mentioned above which also features a peculiarity of its own: while it uses the Transport Layer Security (TLS) port 443 for command and control (C2) server communications, it will actually connect over unencrypted HTTP.

"Previously thought to only spread through malspam and infected networks, Emotet can use this loader-type to spread through nearby wireless networks if the networks use insecure passwords," Binary Defense concludes.

"Binary Defense’s analysts recommend using strong passwords to secure wireless networks so that malware like Emotet cannot gain unauthorized access to the network."

Emotet is a huge threat

Computers infected with Emotet are used by its operators to spread to other victims over Wi-Fi, to deliver malicious spam messages to other targets, and to drop other malware strains including the Trickbot info stealer Trojan known for also delivering ransomware payloads.

The Emotet Trojan ranked first in a 'Top 10 most prevalent threats' drawn up by interactive malware analysis platform Any.Run in late December, with triple the number of uploads for analysis when compared to the next malware family in their top, the Agent Tesla info-stealer.

The Cybersecurity and Infrastructure Security Agency (CISA) issued a warning on increased activity related to targeted Emotet attacks roughly two weeks ago, advising admins and users to review the Emotet Malware alert for guidance.

If you want to find out more about the latest active Emotet campaigns you should follow the Cryptolaemus group, a collective of security researchers who are tracking this malware's activity.