Over the past several years, Emotet malware has become one of the biggest threats on the Internet, looting people's bank accounts and installing other types of malware. Its sophisticated code base and ever-evolving methods of getting people to click malicious links led to a spam run in September that targeted recipients by name and quoted earlier emails they had actually sent or received. Now Emotet is adopting another way to spread: using already-compromised devices to infect devices connected to nearby Wi-Fi networks.
Last month, Emotet operators were caught using an updated version that turns an infected device into a scanner for all nearby Wi-Fi networks. It calls the Windows programming interface wlanAPI to enumerate each network's SSID, signal strength, and authentication and encryption method (WPA or otherwise) for networks that require a password. The malware then works through the first of two built-in password lists, guessing commonly used passwords against each password-protected network until one lets it connect.
After successfully joining a new Wi-Fi network, the infected device enumerates all the non-hidden devices and shares reachable on it. The malware then uses a second password list to try to guess the credentials of each user account on those connected devices. If none of the user accounts can be cracked, the malware falls back to guessing the password of the Administrator account on the shared resource.
An overview of the newly discovered Wi-Fi spreader from Emotet.
While Emotet is best known for circulating through malicious email runs, it has also been observed spreading worm-like from device to device across already-infected networks. Once the password for a connected device has been guessed, the Emotet malware is installed on it, and often other malware as well, such as the Ryuk ransomware or the TrickBot banking trojan, whose operators pay the Emotet operators for the installs. With the newly discovered module, Emotet is no longer content to infect only devices within the compromised network; it can now jump from one network to another.
Beware of weak passwords
"This newly discovered type of loader, used by Emotet, introduces a new threat vector to Emotet's capabilities," said researchers from security firm Binary Defense in a recent post. "Previously, it was thought that Emotet only spreads through malicious spam and infected networks. If the networks use insecure passwords, Emotet can use this type of loader to spread through nearby wireless networks."
The Binary Defense post says the new Wi-Fi spreader has a compile timestamp of April 2018 and was first submitted to the VirusTotal malware-scanning service a month later. So although the module was created almost two years ago, Binary Defense only observed it being used in the wild last month.
The newly documented spreader underlines the importance of using strong passwords to restrict access to Wi-Fi networks. Emotet's previously known ability to spread from device to device across a network had already shown the importance of strong passwords for the user and administrator accounts on devices connected to local area networks. Passwords should always be generated randomly and never contain fewer than 11 characters.
One aspect of the new Wi-Fi spreader is out of keeping with Emotet's usual preference for stealth and sophistication: the module uses unencrypted connections to communicate with attacker-controlled servers. That makes it comparatively easy to write signatures for the traffic patterns that reveal an infection. The malware can also be detected on the host by monitoring connected devices for newly installed services, and by watching for processes or services that run from temporary folders or from application folders inside user profiles. The Binary Defense post offers additional indicators of compromise.
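As an added example (not code from the article or from Binary Defense), the following Python script implements the host-side heuristic described above: it scans flattened Windows log lines for service installations (System log event 7045) and process creations (Sysmon event 1) and flags any whose binary runs from a temporary folder or from a user profile's AppData tree. The event lines, account names and file names are constructed for illustration; the field names `ImagePath` and `Image` mirror the real event fields, but the one-line layout is an assumption about how your log pipeline flattens them.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample events (not real telemetry). Each line is a flattened
# Windows System log event 7045 ("A service was installed in the system")
# or a Sysmon event 1 (process creation). The binary path is the last field.
SAMPLE_EVENTS = [
    r"EventID=7045 ServiceName=WinDefendSvc ImagePath=C:\Users\alice\AppData\Local\Temp\svchost32.exe",
    r"EventID=7045 ServiceName=Spooler ImagePath=C:\Windows\System32\spoolsv.exe",
    r'EventID=7045 ServiceName=Updater ImagePath="C:\Users\carol\AppData\Local\Updater\upd.exe" -svc',
    r"EventID=1 Image=C:\Users\bob\AppData\Roaming\Microsoft\Templates\update.exe",
    r"EventID=1 Image=C:\Program Files\Mozilla Firefox\firefox.exe",
    r"EventID=1 Image=C:\Windows\Temp\setup.exe /s",
]

# Matches the event ID and everything after the binary-path field name.
EVENT_RE = re.compile(r"EventID=(\d+).*?\b(?:ImagePath|Image)=(.*)$")


def binary_from_command(command: str) -> str:
    """Return the executable path from a service/process command line.

    Handles both a double-quoted path followed by arguments and an unquoted
    path (possibly containing spaces) that ends in ".exe".
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    match = re.match(r"(.+?\.exe)", command, re.IGNORECASE)
    return match.group(1) if match else command.split(" ")[0]


def is_suspicious_path(path: str) -> bool:
    """True if the binary lives in a temp folder or a user's AppData tree.

    Covers C:\\Windows\\Temp and C:\\Users\\<user>\\AppData\\... (both the
    Local\\Temp and Roaming locations Emotet-style loaders favour).
    Case-insensitive, since NTFS paths are.
    """
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    # parts[0] is the drive anchor, e.g. 'c:\\'
    if len(parts) >= 3 and parts[1] == "windows" and parts[2] == "temp":
        return True
    if len(parts) >= 4 and parts[1] == "users" and parts[3] == "appdata":
        return True
    return False


def scan_events(lines):
    """Return (event_id, binary_path) for each event that runs from a suspicious location."""
    findings = []
    for line in lines:
        match = EVENT_RE.search(line)
        if not match:
            continue
        event_id, command = int(match.group(1)), match.group(2)
        binary = binary_from_command(command)
        if is_suspicious_path(binary):
            findings.append((event_id, binary))
    return findings


if __name__ == "__main__":
    for event_id, binary in scan_events(SAMPLE_EVENTS):
        kind = "service install" if event_id == 7045 else "process start"
        print(f"[!] {kind}: {binary}")
```

Treat hits as triage leads rather than verdicts: some legitimate per-user installers also run from AppData, so the useful signal is a new service whose binary sits in one of these folders, correlated with the spreader's plaintext traffic to unfamiliar hosts.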