Emotet, the notorious malware behind a number of spam campaigns and ransomware attacks, has found a new attack method: using already infected devices to identify new victims that are connected to nearby Wi-Fi networks.

The new Emotet sample uses a "Wi-Fi spreader" module to scan nearby Wi-Fi networks and then attempts to infect devices that are connected to them. The Wi-Fi spreader had been running "unnoticed" for close to two years until it was detected for the first time last month.

How Does The Wi-Fi Spreader Work?

It extracts each network's SSID, signal strength, authentication method (WPA, WPA2, or WEP), and the encryption mode used to protect passwords. It then attempts to connect to the networks by brute-forcing the network password with entries from one of two internal password lists; if a connection attempt fails, it moves on to the next password in the list.

If the malware succeeds, it connects to and compromises a system on the new network. It then carries out a second round of brute-force attacks to guess the usernames and passwords of all users connected to the new network.

After successfully brute-forcing users and their passwords, the malware moves to the next phase by installing a malware payload called "service.exe" on the newly infected systems. To cloak its behavior, the payload is installed as a Windows Defender System Service (WinDefService), so Microsoft's built-in anti-malware software is actually protecting the malware.
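Two detections a defender can derive from the behaviour described above, as an added example that is not part of the original article: a Defender-lookalike service name registered with a binary outside Defender's own directories (the WinDefService / service.exe pattern), and a burst of failed logons from one source consistent with the credential brute-force stage. The event records, field names, paths and thresholds are constructed for this example and only loosely modelled on Windows Event IDs 7045 (new service installed) and 4625 (logon failure).

```python
# Constructed, simplified event records modelled on Windows Event IDs 7045
# (System: a new service was installed) and 4625 (Security: logon failure).
# Field names and values are made up for this example, not the exact EVTX schema.
SAMPLE_EVENTS = [
    {"id": 4625, "account": "admin",  "src": "192.0.2.10", "ts": 100},
    {"id": 4625, "account": "admin",  "src": "192.0.2.10", "ts": 101},
    {"id": 4625, "account": "backup", "src": "192.0.2.10", "ts": 102},
    {"id": 4625, "account": "admin",  "src": "192.0.2.10", "ts": 103},
    {"id": 4625, "account": "guest",  "src": "192.0.2.10", "ts": 104},
    {"id": 4625, "account": "admin",  "src": "192.0.2.10", "ts": 105},
    {"id": 4625, "account": "jsmith", "src": "192.0.2.44", "ts": 250},
    {"id": 7045, "service_name": "WinDefService",
     "image_path": r"C:\Users\Public\service.exe", "ts": 110},
    {"id": 7045, "service_name": "WinDefend",
     "image_path": r"C:\Program Files\Windows Defender\MsMpEng.exe", "ts": 300},
]

FAILED_LOGON_THRESHOLD = 5   # 4625 events from one source inside one window
WINDOW_SECONDS = 60          # width of the sliding window

# Directories a genuine Defender service binary is expected to run from (assumed).
DEFENDER_DIRS = (r"c:\program files\windows defender", r"c:\programdata\microsoft\windows defender")

def defender_lookalike_services(events):
    """7045 events whose name imitates Defender but whose binary is outside Defender's dirs."""
    hits = []
    for e in events:
        if e["id"] != 7045:
            continue
        name, path = e["service_name"].lower(), e["image_path"].lower()
        if ("windef" in name or "defender" in name) and not path.startswith(DEFENDER_DIRS):
            hits.append(e)
    return hits

def logon_bruteforce_sources(events, threshold=FAILED_LOGON_THRESHOLD, window=WINDOW_SECONDS):
    """Map source -> total 4625 count for sources with >= threshold failures in one window."""
    by_src = {}
    for ev in sorted((x for x in events if x["id"] == 4625), key=lambda x: x["ts"]):
        by_src.setdefault(ev["src"], []).append(ev["ts"])
    flagged = {}
    for src, times in by_src.items():
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = len(times)
                break
    return flagged
```

Running both functions over the constructed events flags the WinDefService entry (service.exe under a user-writable path) and the source 192.0.2.10 with six failures inside a minute, while the real WinDefend service and the single failure from 192.0.2.44 pass.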

Emotet: From Banking Trojan to Malware Loader

Emotet, which was first identified in 2014, has morphed from its original roots as a banking Trojan to a "Swiss Army knife" that can serve as a downloader, information stealer, and spambot depending on how it's deployed.

Over the years, it has also been an effective delivery mechanism for ransomware. Lake City, Florida's IT network was crippled last June after an employee inadvertently opened a suspicious email that downloaded the Emotet Trojan, which in turn downloaded the TrickBot Trojan and Ryuk ransomware.

This newly discovered loader type adds a new propagation method to Emotet's capabilities: Emotet can use it to spread across nearby wireless networks whenever those networks are protected by weak passwords.

Original post: February 12, 2020, by Ravie Lakshmanan