Emotet Trojan Can Spread Through Wi-Fi Networks, and There’s a Simple Way to Stop It

essidsolutions

The Emotet banking trojan now carries a Wi-Fi spreader module that lets it join nearby wireless networks protected by weak passwords and infect the machines on them. Here is how organizations can defend against the new threat.

Emotet, the infamous banking trojan that over the last five years has gained capabilities such as launching brute-force attacks, stealing email credentials, executing malicious payloads, and acting as a delivery platform for other potent malware families, now poses a new kind of threat to organizations thanks to a module recently introduced by its operators.

Earlier this month, security research firm Binary Defense revealed that it had identified a new module in the Emotet trojan's code that allows it to hop onto nearby Wi-Fi networks and infect machines connected to them. The module, dubbed the Wi-Fi spreader by Binary Defense, is downloaded, extracted and executed by Emotet as soon as the malware infects a new host.

How Does the Wi-Fi Spreader Module Work?

When executed, the module builds a list of all Wi-Fi networks within range of the infected host using the Native Wifi API exposed by wlanAPI.dll, the same interface Windows itself uses to manage wireless profiles and connections. It then collects additional details about each network in the list: the wireless adapter's GUID and description, the SSID, signal type, security type, encryption type, and the network authentication method.

With that information gathered, the module attempts to connect to each targeted network by brute-forcing its password with entries from a password list embedded in the module (one of two such lists it carries). If a connection succeeds, the module waits 14 seconds and then sends an HTTP POST to its command-and-control (C2) server reporting that it has joined a wireless network.

The worm.exe binary, the spreader's main executable, then enumerates user accounts on machines reachable through the newly joined network and brute-forces those accounts in turn, so that a guessed Wi-Fi password becomes a foothold on the hosts behind it.


How Does the New Module Bypass Organizations’ Traditional Defense Mechanisms?

For many years, security teams and service providers have told organizations that network segmentation stops trojans and ransomware from spreading, by confining an infection to the segment where it started. Following that advice, many organizations have divided their environments into smaller networks isolated from one another and protected separately with firewalls, VLANs and similar controls.

However, Emotet's new ability to reach other networks in the same physical vicinity through poorly secured Wi-Fi threatens to sidestep that segmentation: a wireless network within radio range of an infected host is a path that firewalls and VLAN boundaries on the wired side never see. "Previously thought to only spread through malspam and infected networks, Emotet can use this loader-type to spread through nearby wireless networks if the networks use insecure passwords," says Binary Defense's threat researcher and malware analyst James Quinn.


How Can Organizations Negate the Wi-Fi Spreader Module's Threat?

Quinn says organizations can stop the Emotet banking trojan from jumping across networks within the same vicinity by "using strong passwords to secure wireless networks," since the module relies on common, easily guessed passwords to get onto Wi-Fi networks. Pre-shared keys that are long, not drawn from leaked-password lists and not derived from the SSID defeat an online guessing attack of this kind outright; 802.1X (WPA2-Enterprise) networks have no shared passphrase to guess at all.
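One way to check existing networks against the advice above is to audit exported Windows WLAN profiles for open or WEP security and for pre-shared keys that are short, single-class or present in a common-password list. The script below is an added example written for this article, not code from Binary Defense or from the malware. It assumes profiles were exported with `netsh wlan export profile key=clear folder=<dir>` (a real netsh option); the XML documents, the password list and the 16-character minimum are constructed sample values, not figures from the article.

```python
"""Audit exported Windows WLAN profiles for weaknesses a Wi-Fi password guesser can exploit."""
import xml.etree.ElementTree as ET

# Namespace used by netsh's WLAN profile export format.
NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}

# Constructed stand-in for a common-password list; in practice load the large
# public leaked-password lists, which is the kind of list the attacker carries.
COMMON_PASSWORDS = {"password", "12345678", "qwertyuiop", "admin123", "welcome1", "internet"}

# Assumed policy value (not from the article): minimum acceptable passphrase length.
MIN_PSK_LENGTH = 16

# Constructed sample exports in the shape of `netsh wlan export profile key=clear`.
WEAK_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpGuest</name>
  <SSIDConfig><SSID><name>CorpGuest</name></SSID></SSIDConfig>
  <MSM><security>
    <authEncryption><authentication>WPA2PSK</authentication><encryption>AES</encryption></authEncryption>
    <sharedKey><keyType>passPhrase</keyType><protected>false</protected><keyMaterial>12345678</keyMaterial></sharedKey>
  </security></MSM>
</WLANProfile>"""

ENTERPRISE_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpSecure</name>
  <SSIDConfig><SSID><name>CorpSecure</name></SSID></SSIDConfig>
  <MSM><security>
    <authEncryption><authentication>WPA2</authentication><encryption>AES</encryption></authEncryption>
  </security></MSM>
</WLANProfile>"""


def parse_profile(xml_text):
    """Return ssid, authentication, encryption and (only if exported unprotected) the passphrase."""
    root = ET.fromstring(xml_text)

    def get(path):
        return (root.findtext(path, namespaces=NS) or "").strip()

    profile = {
        "ssid": get("w:SSIDConfig/w:SSID/w:name") or get("w:name"),
        "auth": get("w:MSM/w:security/w:authEncryption/w:authentication"),
        "enc": get("w:MSM/w:security/w:authEncryption/w:encryption"),
        "key": None,
    }
    # Without key=clear the keyMaterial is DPAPI-encrypted and cannot be audited.
    if get("w:MSM/w:security/w:sharedKey/w:protected").lower() == "false":
        profile["key"] = get("w:MSM/w:security/w:sharedKey/w:keyMaterial") or None
    return profile


def audit_profile(profile, common=COMMON_PASSWORDS):
    """Return a list of findings; an empty list means nothing an online guesser could exploit."""
    findings = []
    auth, enc, key, ssid = profile["auth"], profile["enc"], profile["key"], profile["ssid"]
    if auth in ("open", "shared") or enc == "WEP":
        findings.append("no effective link-layer security (open/WEP)")
    if auth in ("WPAPSK", "WPA2PSK", "WPA3SAE"):
        if key is None:
            findings.append("PSK is DPAPI-protected in export; re-export with key=clear to audit")
        else:
            if len(key) < MIN_PSK_LENGTH:
                findings.append("passphrase shorter than %d characters" % MIN_PSK_LENGTH)
            if key.lower() in common:
                findings.append("passphrase appears in common-password list")
            if key.isdigit() or key.isalpha():
                findings.append("passphrase uses a single character class")
            if ssid and ssid.lower() in key.lower():
                findings.append("passphrase contains the SSID")
    # WPA2/WPA3 enterprise (802.1X) has no shared passphrase to guess: no PSK findings.
    return findings


def audit_all(exports):
    """Map each profile's SSID to its findings."""
    result = {}
    for xml_text in exports:
        profile = parse_profile(xml_text)
        result[profile["ssid"]] = audit_profile(profile)
    return result


if __name__ == "__main__":
    for ssid, findings in audit_all([WEAK_PROFILE, ENTERPRISE_PROFILE]).items():
        print(ssid, "->", findings or "OK")
```

Run against a folder of real exports by reading each XML file into `audit_all`; profiles exported without `key=clear` are reported as unauditable rather than silently passed.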

“Detection strategies for this threat include active monitoring of endpoints for new services being installed and investigating suspicious services or any processes running from temporary folders and user profile application data folders. Network monitoring is also an effective detection, since the communications are unencrypted and there are recognizable patterns that identify the malware message content,” he said in closing.
