The new tactic used by Emotet allows the malware to infect nearby insecure Wi-Fi networks – and their devices – via brute force loops.
A newly uncovered Emotet malware sample has the ability to spread to insecure Wi-Fi networks that are located nearby to an infected device.
If the malware can spread to these nearby Wi-Fi networks, it then attempts to infect devices connected to them — a tactic that can rapidly escalate Emotet’s spread, said researchers. The new development is particularly dangerous for the already-prevalent Emotet malware, which since its return in September has taken on new evasion and social engineering tactics to steal credentials and spread trojans to victims (like the United Nations).
“With this newly discovered loader-type used by Emotet, a new threat vector is introduced to Emotet’s capabilities,” said James Quinn, threat researcher and malware analyst for Binary Defense, in a Friday analysis. “Previously thought to only spread through malspam and infected networks, Emotet can use this loader-type to spread through nearby wireless networks if the networks use insecure passwords.”
While researchers noticed the Wi-Fi spreading binary being delivered for the first time on Jan. 23, they said that the executable has a timestamp of 4/16/2018, hinting that the Wi-Fi spreading behavior has been running unnoticed for almost two years. This may be in part due to how infrequently the binary is dropped, researchers said, as this is the first time they’ve seen it despite tracking Emotet since its return in 2019.
The Emotet sample first infects the initial system with a self-extracting RAR file containing two binaries (worm.exe and service.exe) used for the Wi-Fi spreading. After the RAR file unpacks itself, worm.exe executes automatically.
The worm.exe binary immediately begins profiling wireless networks in order to attempt to spread to other Wi-Fi networks. Emotet makes use of the wlanAPI interface to do this. wlanAPI is one of the libraries used by the native Wi-Fi application programming interface (API) to manage wireless network profiles and wireless network connections.
Once a Wi-Fi handle has been obtained, the malware then calls WlanEnumInterfaces, a function that enumerates all Wi-Fi networks currently available on the victim’s system. The function returns the enumerated wireless networks in a series of structures that contain all information related to them (including their SSID, signal, encryption and network authentication method).
Once the data for each network has been obtained, the malware moves into the connection with “brute-forcing loops.” Attackers use a password obtained from “internal password lists” (it’s not clear how this internal password list has been obtained) to attempt to make the connection. If the connection is not successful, the function loops and moves to the next password on the password list.
If the password is correct and the connection is successful, the malware sleeps for 14 seconds before sending an HTTP POST to its command-and-control (C2) server on port 8080, and establishes the connection to the Wi-Fi network.
Then, the binary begins enumerating and attempting to brute-force passwords for all users (including any Administrator accounts) on the newly infected network. If any of these brute-force attempts succeed, worm.exe then installs the other binary, service.exe, onto the infected devices. To gain persistence on the system, the binary is installed under the guise of “Windows Defender System Service” (WinDefService).
“With buffers containing either a list of all usernames successfully brute-forced and their passwords, or the administrator account and its password, worm.exe can now begin spreading service.exe to other systems,” said researchers. “Service.exe is the infected payload installed on remote systems by worm.exe. This binary has a PE timestamp of 01/23/2020, which was the date it was first found by Binary Defense.”
After service.exe is installed and communicates back to the C2, it begins dropping the embedded Emotet executable. In this manner, the malware attempts to infect as many devices as possible.
Protecting Against Emotet
Emotet, which started as a banking trojan in 2014 and has continually evolved to become a full-service threat-delivery mechanism, can install a collection of malware on victim machines, including information stealers, email harvesters, self-propagation mechanisms and ransomware.
Researchers, for their part, recommend blocking this new Emotet technique with the use of strong passwords to secure wireless networks.
“Detection strategies for this threat include active monitoring of endpoints for new services being installed and investigating suspicious services or any processes running from temporary folders and user profile application data folders,” they said. “Network monitoring is also an effective detection, since the communications are unencrypted and there are recognizable patterns that identify the malware message content.”
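The two detection strategies the researchers describe (watching for newly installed services, especially ones launched from temporary or user-profile data folders or carrying the “Windows Defender System Service”/WinDefService lure name from the persistence step above, and watching for the plaintext HTTP POST to port 8080 that follows a successful Wi-Fi connection) can be expressed as simple triage rules. The script below is an added example written for this article, not code from Binary Defense or Threatpost; the service-install event lines and network flow records it scans are constructed sample data, the flattened `7045 ServiceName=… ImagePath=…` line format is an assumption standing in for however your log pipeline renders Windows System event 7045, and port 8080 alone is only a hint because plenty of legitimate traffic uses it, so the rule also requires a plaintext POST.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample telemetry for the example (not real logs).
# Each line stands for a Windows System event 7045 ("a service was installed"),
# flattened to "7045 ServiceName=<name> ImagePath=<path>" by an assumed log pipeline.
SAMPLE_SERVICE_EVENTS = [
    "7045 ServiceName=Windows Defender System Service ImagePath=C:\\Users\\alice\\AppData\\Local\\Temp\\service.exe",
    "7045 ServiceName=WinDefService ImagePath=C:\\Users\\alice\\AppData\\Roaming\\service.exe",
    "7045 ServiceName=Print Spooler Helper ImagePath=C:\\Windows\\System32\\spoolsv.exe",
    "7045 ServiceName=Contoso Backup Agent ImagePath=C:\\Program Files\\Contoso\\backup.exe",
]

# Constructed flow records: (src_ip, dst_ip, dst_port, protocol, first payload bytes).
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.10", 8080, "tcp", b"POST / HTTP/1.1\r\nHost: 203.0.113.10"),
    ("10.0.0.5", "10.0.0.1", 443, "tcp", b"\x16\x03\x01"),            # TLS handshake, not plaintext
    ("10.0.0.7", "198.51.100.3", 8080, "tcp", b"GET /index.html HTTP/1.1"),  # plain GET on 8080
]

# Service names the article reports Emotet's service.exe hiding behind.
LURE_NAMES = {"windows defender system service", "windefservice"}

# Temporary folders and user-profile application data folders, as the researchers describe.
SUSPICIOUS_DIR = re.compile(r"\\(temp|appdata)\\", re.IGNORECASE)

EVENT_RE = re.compile(r"^7045 ServiceName=(.+?) ImagePath=(.+)$")


@dataclass
class ServiceInstall:
    name: str
    image_path: str


def parse_service_event(line: str) -> Optional[ServiceInstall]:
    """Parse one flattened event-7045 line; return None for lines in another format."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return ServiceInstall(name=m.group(1).strip(), image_path=m.group(2).strip())


def suspicious_service_installs(lines: List[str]) -> List[Tuple[ServiceInstall, List[str]]]:
    """Return (event, reasons) for every service install that trips a rule."""
    hits = []
    for line in lines:
        ev = parse_service_event(line)
        if ev is None:
            continue
        reasons = []
        if ev.name.lower() in LURE_NAMES:
            reasons.append("service name matches Emotet lure")
        if SUSPICIOUS_DIR.search(ev.image_path):
            reasons.append("image path under Temp/AppData")
        if reasons:
            hits.append((ev, reasons))
    return hits


def suspicious_c2_flows(flows, c2_port: int = 8080):
    """Flag plaintext HTTP POSTs to the C2 port described in the article.

    A bare port match would be far too noisy; requiring an unencrypted POST
    narrows it to the pattern the researchers describe as recognizable.
    """
    return [
        f for f in flows
        if f[2] == c2_port and f[3] == "tcp" and f[4].startswith(b"POST ")
    ]


if __name__ == "__main__":
    for ev, reasons in suspicious_service_installs(SAMPLE_SERVICE_EVENTS):
        print(f"[service] {ev.name!r} -> {ev.image_path}: {', '.join(reasons)}")
    for src, dst, port, _, _ in suspicious_c2_flows(SAMPLE_FLOWS):
        print(f"[network] plaintext POST {src} -> {dst}:{port}")
```

Both rules are deliberately narrow: a lure-name match plus a Temp/AppData image path is a strong signal worth an immediate look at the host, while a lone plaintext POST on 8080 is a triage lead to correlate with a recent service install on the same source address rather than an alert on its own.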