Emotet now hacks nearby Wi-Fi network to spread like a worm

Emotet has evolved multiple times since its initial discovery in 2014 by security researchers. Recently, a sample of Emotet malware was found to have gained the ability to spread itself through insecure Wi-Fi networks that are near an infected device.

Once the malware gains access to the Wi-Fi networks, it will then attempt to infect all the connected devices. It is a tactic that can dramatically escalate Emotet’s spread.

The Wi-Fi spreading binary was only discovered being delivered for the first time on 23 January 2020 by researchers but further analysis suggested that the executable file has a timestamp of 16 April 2018, which hints that the behaviour has been running unnoticed for almost two years.

This Wi-Fi spreading capability further raises the threat level of the already-prevalent Emotet.

Before this discovery, the malware was found to have gained new obfuscation and anti-virus detection capabilities in November 2019. These capabilities enable Emotet to better escape detection. Meanwhile, its authors have also changed their social engineering tactics to keep in line with current events, sending out malicious emails that claimed to be Edward Snowden’s new memoir or with Halloween-themed lures.

What is Emotet?

Emotet is a malware that begin life as a banking trojan in 2014. Its primary goal is to sneak into your computer in order to steal sensitive and private information.

It has gone through a few iterations. Early versions arrived as malicious Javascript files. Subsequently, it evolved to use macro-enabled documents that will retrieve the virus payload from command and control (C&C) servers run by the attackers.

A malware is mostly useless to the attackers if it is detected early or when security researchers can analyse it to determine how it works. In order to prevent that, Emotet comes with a few tricks up its sleeves.

Most notably, it knows if it is running inside a virtual machine (VM) and will lay dormant when that happens. This is because cybersecurity researchers use VMs to observe malware within a safe and controlled space. I

Emotet is also able to use Command and Control (C&C) servers to receive updates, much like the operating system (OS) updates on your PC and could happen seamlessly and without any outward signs. This way, attackers can install updated version of the malware or deliver and install additional malwares on the target. In addition, the C&C servers can also serve as a dumping ground for stolen information such as financial credentials, usernames and password, and email addresses.

How does Emotet spread?

Emotet spreads itself primarily through spam emails (malSpam). It will go through your contact lists and send itself to your friends, family, coworkers and clients. The emails look less like spam because they are coming from your hijacked account, which in turn make the recipients feel safe and more likely to click on the bad URLs in the emails and download infected files.

In order to increase the likelihood recipients click on the bad URLs or open the attachments, the emails may come with contents that contains familiar branding or tempting languages such as ‘Your invoice’ and ‘Payment Details’. In some cases, the content may be about an upcoming shipment from well-known delivery companies.

Furthermore, if there is a connected network present, Emotet attempts to spread through it and gained access to other connected system by using a list of common passwords and brute forcing its way.

For Emotet to spread via Wi-Fi, it first infects the initial system with a self-extracting RAR file containing two binaries (worm.exe and service.exe). Once the RAR file is extracted, worm.exe executes automatically.

The main purpose of worm.exe is to profile wireless networks. Then it would go through each Wi-Fi network to identify their SSID, signal, encryption and authentication methods. After which, the malware will begin to connect to each of the network by brute forcing the passwords.

Once the malware gains access into the network, it will make a request to its command and control (C2) server and establishes a connection to the Wi-Fi network. Next, it will attempt to brute-force the passwords for all users on the newly-infected network. If the brute force is successful and the malware gains access into the device, worm.exe will install the service.exe onto the device.

Finally, once service.exe is installed onto the infected device, it will communicate back to the C2 server and then begin dropping the embedded Emotet executable. The whole spreading and infection process will repeat again in an attempt to infect as many devices as possible.

How do you protect your devices from Emotet?

In order to prevent Emotet from using the Wi-Fi spreading capability and infect connected devices, it is recommended that wireless networks are secured using longer and more complex passwords.

Preventing infection by Emotet is only one part of the solution. Active monitoring of endpoints for new installation of services and subsequent investigation of suspicious services or processes running from temporary folders and application data folders within user profile is equally important. This way, Emotet and its associated malwares can be identify early and be eliminated before they cause any further damage to the rest of the systems.

Furthermore, computers and endpoints should be kept up-to-date with the latest software patches to eliminate as many vulnerabilities in the system as possible. This will prevent the other malwares associated with Emotet infection such as TrickBot from exploiting these said vulnerabilities.

Last but not least, it is important to be aware not to download or open any suspicious attachments or links respectively. This way, Emotet will not be able to gain any initial foothold in the system or network.

Published by

Brandon Lim

I'm a software engineer and writing is my passion.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s