
Emotet spotted spreading via brute-forced Wi-Fi networks, affecting LANs

Threat Intelligence from DigitalXRAID’s Security Operations Centre analysts:

Emotet is a known, highly sophisticated banking trojan whose primary capabilities are stealing user credentials stored within a browser and eavesdropping on network traffic. The initial delivery method was malspam (malicious emails) carrying infected attachments and embedded malicious URLs.

The trojan has evolved and now has worm-like capabilities that let it spread across networks. Researchers at Binary Defense, who reported on the technique, state that, judging by timestamps within the code, it may have been in use for two years prior to discovery. A new threat vector has been introduced, enabling Emotet to spread via wireless networks with weak password configurations.

After the malware is installed and running on an endpoint, it downloads two executables. These payloads extract themselves and call into wlanAPI.dll, a legitimate Windows library used to manage Wi-Fi connections. Using this library, the malware enumerates nearby Wi-Fi networks and attempts to join them by brute-forcing their passwords.

If successful, the malware connects to a command-and-control server, which instructs it to begin a second round of brute-force attacks against Windows endpoints on the compromised wireless network. Specifically, it targets network shares found on the Wi-Fi network so it can log in and infect them. In this scenario one user gets infected and, without any further user interaction, the malware can spread to other users on their network and on surrounding networks. Finally, once established on a computer, it can be instructed by the command-and-control (C2) server to download other malicious files, leaving the victim open to a variety of attacks. Figure 1 displays an overview of how Emotet spreads across networks.
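The two behaviours described above leave telemetry a defender can look for: a process that is not a normal Windows networking component loading wlanAPI.dll, and a burst of failed network logons from one host against other hosts' shares. The detection logic below is an added example, not code from the DigitalXRAID post or from Binary Defense's research. It assumes Sysmon-style "Image loaded" records (Event ID 7) and Windows Security failed-logon records (Event ID 4625, logon type 3 for network logons); the field names, the allow-list of expected wlanapi.dll loaders, the thresholds and all sample records are constructed for this example and should be tuned to your own environment.

```python
"""Detect Emotet-style Wi-Fi-spreading behaviour in constructed sample telemetry.

Added example (not from the original post). Two detections:
  1. wlanapi.dll loaded by a process outside an assumed allow-list
     (Sysmon Event ID 7 style records).
  2. A burst of failed network logons (Security Event 4625, LogonType 3)
     from one source within a short window, consistent with share brute-forcing.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed allow-list of processes expected to load wlanapi.dll; tune per environment.
EXPECTED_WLAN_LOADERS = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\explorer.exe",
    r"c:\windows\system32\netsh.exe",
}


def flag_wlanapi_loaders(image_load_events):
    """Return image-load records where wlanapi.dll is loaded by an unexpected process."""
    hits = []
    for ev in image_load_events:
        loaded = ev["ImageLoaded"].lower()
        proc = ev["Image"].lower()
        if loaded.endswith("\\wlanapi.dll") and proc not in EXPECTED_WLAN_LOADERS:
            hits.append(ev)
    return hits


def flag_logon_bursts(logon_events, threshold=10, window=timedelta(minutes=2)):
    """Return (source_ip, peak_count) for sources whose failed network logons
    reach `threshold` inside any sliding `window`."""
    per_source = defaultdict(list)
    for ev in logon_events:
        if ev["EventID"] == 4625 and ev["LogonType"] == 3:
            per_source[ev["IpAddress"]].append(ev["Time"])
    bursts = []
    for ip, times in per_source.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            # Slide the window start forward until it fits inside `window`.
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts.append((ip, peak))
    return bursts


# --- Constructed sample telemetry (not real logs) ---
SAMPLE_IMAGE_LOADS = [
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\wlanapi.dll"},
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "ImageLoaded": r"C:\Windows\System32\wlanapi.dll"},
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
]

_BASE = datetime(2020, 2, 10, 9, 0, 0)
SAMPLE_LOGONS = (
    # 12 failed network logons from one host, five seconds apart: a brute-force burst.
    [{"EventID": 4625, "LogonType": 3, "IpAddress": "10.0.0.23",
      "Time": _BASE + timedelta(seconds=5 * i)} for i in range(12)]
    # Two isolated failures from another host: ordinary typos, below threshold.
    + [{"EventID": 4625, "LogonType": 3, "IpAddress": "10.0.0.50",
        "Time": _BASE + timedelta(minutes=10 * i)} for i in range(2)]
    # A successful logon, which the detection ignores.
    + [{"EventID": 4624, "LogonType": 3, "IpAddress": "10.0.0.23", "Time": _BASE}]
)


def run_detections():
    """Run both detections over the constructed samples and return the findings."""
    return {
        "wlanapi_loaders": flag_wlanapi_loaders(SAMPLE_IMAGE_LOADS),
        "logon_bursts": flag_logon_bursts(SAMPLE_LOGONS),
    }


if __name__ == "__main__":
    for name, findings in run_detections().items():
        print(name, findings)
```

The image-load check is deliberately an allow-list rather than a block-list: wlanapi.dll is a normal library, so what matters is the identity of the caller, and a temp-directory executable calling it is the signal worth reviewing. The logon-burst check uses a sliding window per source so that a slow but persistent attempt spread over hours is not hidden by a single fixed bucket boundary.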

The best way to protect against this strain of malware is to keep systems and antivirus up to date, alongside enforcing strong authentication on Wi-Fi networks, or at the very least ensuring the default admin credentials have been changed to a secure password.
