Emotet Spreads Via Newly Discovered Wi-Fi Module

Security researchers have detected a new version of infamous malware loader Emotet designed to spread to any nearby Wi-Fi networks protected only by weak passwords.

The worm.exe is the main executable used for this process, according to Binary Defense.

“Upon startup of Worm.exe, the first action it takes is to copy the service.exe string to a variable that will be used during file spreading. Next, it steps into the main loop and immediately begins profiling the wireless network using wlanAPI.dll calls in order to spread to any networks it can access,” the firm explained.

“The use of purely wlanAPI.dll calls for network profiling makes sense; it is one of the libraries used by native Wi-Fi to manage wireless network profiles and wireless network connections.”

The malware will try to brute force its way past the Wi-Fi password, if the network is protected, and then go searching for all non-hidden shares — either brute forcing these users in turn or doing the same for the “administrator” account for the network resource.

Once individual user accounts are accessed, it drops the service.exe binary, which installs the Windows Defender System Service to gain persistence.

Interestingly, the researchers noted that a worm.exe timestamp of 04/16/2018 indicates that the module may have been running unnoticed for two years. This may be because it is used infrequently by attackers, and also because it will not show up if researchers don’t have a Wi-Fi card in their sandbox environment, Binary Defense claimed.

The good news is that more secure network passwords would help to mitigate the threat.

“Detection strategies for this threat include active monitoring of endpoints for new services being installed and investigating suspicious services or any processes running from temporary folders and user profile application data folders,” the vendor concluded.

“Network monitoring is also an effective detection, since the communications are unencrypted and there are recognizable patterns that identify the malware message content.”

Stay up-to-date with the latest information security trends and topics by registering for Infosecurity Magazine’s next Online Summit. Find out more here.

What’s Hot on Infosecurity Magazine?