Emotet spotted spreading via brute-forced Wi-Fi networks, affecting LANs
Threat Intelligence from DigitalXRAID’s Security Operations Centre analysts:
Emotet is a well-known, highly sophisticated banking trojan whose primary capabilities are stealing user credentials stored in a browser and eavesdropping on network traffic. Its initial delivery method was malspam (malicious email) carrying infected attachments and embedded malicious URLs.
The trojan has evolved and now has worm-like capabilities that let it spread across networks. Researchers at Binary Defense, who reported on the technique, state that, judging by timestamps in the code, it may have been in use for two years before discovery. The new threat vector allows Emotet to spread via wireless networks with weak password configurations.
Once the malware is installed and running on an endpoint, it downloads two executables. These payloads extract themselves and call wlanAPI.dll, the legitimate Windows library used to manage Wi-Fi connections. Using this library, the malware enumerates nearby Wi-Fi networks and attempts to join them by brute-forcing their passwords.
If this succeeds, the malware connects to a command-and-control (C2) server, which instructs it to begin a second round of brute-force attacks, this time against Windows endpoints on the compromised wireless network. Specifically, it targets network shares reachable over the Wi-Fi so that it can log in and infect them. As a result, one user getting infected is enough for the malware to spread, without any further user interaction, to other users on their network and on surrounding networks. Finally, once it has a foothold on a computer, the C2 can instruct it to download further malicious files, leaving the victim open to a variety of attacks. Figure 1 displays an overview of how Emotet spreads across networks.
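Both brute-force stages described above (the Wi-Fi password guessing and the network-share logon attempts) leave the same footprint on the defender's side: a burst of authentication failures from a single source, against several targets, inside a short time window. The script below is an added example, not code from DigitalXRAID, Binary Defense or the Emotet samples; the access-point log and the Windows Security log excerpt are constructed for illustration (Event ID 4625 with logon type 3 is the real "failed network logon" event, but its real record layout differs, so both regexes are assumptions to adapt to your log pipeline), and one sliding-window detector is run over both streams.

```python
"""Sliding-window detector for authentication-failure bursts (added example).

The same logic serves two detections from the Emotet write-up:
  * Wi-Fi brute force: one client MAC failing against many SSIDs.
  * Share brute force: one workstation failing many network logons (4625 / type 3).
Log formats and field names below are constructed, not real vendor formats.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed access-point log: "auth-fail" lines are the only ones we parse.
WIFI_LOG = """\
2020-02-10T09:00:01 ap01 auth-fail client=aa:bb:cc:dd:ee:01 ssid=Office-Guest
2020-02-10T09:00:07 ap01 auth-fail client=aa:bb:cc:dd:ee:01 ssid=Office-Guest
2020-02-10T09:00:12 ap01 auth-fail client=aa:bb:cc:dd:ee:01 ssid=Office-Staff
2020-02-10T09:00:15 ap02 auth-fail client=aa:bb:cc:dd:ee:99 ssid=Office-Staff
2020-02-10T09:00:19 ap01 auth-fail client=aa:bb:cc:dd:ee:01 ssid=Office-Staff
2020-02-10T09:00:26 ap01 auth-fail client=aa:bb:cc:dd:ee:01 ssid=Office-Printers
2020-02-10T09:00:33 ap01 auth-fail client=aa:bb:cc:dd:ee:01 ssid=Office-Printers
2020-02-10T09:00:40 ap02 assoc-ok client=aa:bb:cc:dd:ee:99 ssid=Office-Staff
"""

# Constructed, flattened Windows Security log. Only EventID=4625 with
# LogonType=3 (network logon failure, e.g. against a share) is parsed.
WIN_LOG = """\
2020-02-10T09:05:00 EventID=4625 LogonType=3 Account=administrator Workstation=WS-SALES-07 SourceIP=192.0.2.45
2020-02-10T09:05:02 EventID=4625 LogonType=3 Account=admin Workstation=WS-SALES-07 SourceIP=192.0.2.45
2020-02-10T09:05:04 EventID=4625 LogonType=3 Account=backup Workstation=WS-SALES-07 SourceIP=192.0.2.45
2020-02-10T09:05:06 EventID=4625 LogonType=3 Account=guest Workstation=WS-SALES-07 SourceIP=192.0.2.45
2020-02-10T09:05:08 EventID=4625 LogonType=3 Account=scanner Workstation=WS-SALES-07 SourceIP=192.0.2.45
2020-02-10T09:05:10 EventID=4625 LogonType=3 Account=administrator Workstation=WS-SALES-07 SourceIP=192.0.2.45
2020-02-10T09:05:31 EventID=4625 LogonType=3 Account=jsmith Workstation=WS-HR-02 SourceIP=192.0.2.12
2020-02-10T09:05:33 EventID=4624 LogonType=3 Account=jsmith Workstation=WS-HR-02 SourceIP=192.0.2.12
"""

# Assumed line layouts; adapt to the real log source.
WIFI_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ap>\S+) auth-fail client=(?P<actor>\S+) ssid=(?P<target>\S+)$"
)
WIN_RE = re.compile(
    r"^(?P<ts>\S+) EventID=4625 LogonType=3 Account=(?P<target>\S+) "
    r"Workstation=(?P<actor>\S+) SourceIP=(?P<ip>\S+)$"
)


def parse_events(text, pattern):
    """Return a time-sorted list of (timestamp, actor, target) for matching lines.

    Non-matching lines (successes, other event IDs, noise) are skipped.
    """
    events = []
    for line in text.splitlines():
        m = pattern.match(line.strip())
        if not m:
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["actor"], m["target"]))
    return sorted(events)


def detect_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Flag every actor with `threshold` or more failures inside any `window`.

    Returns {actor: {"count": peak failures in a window, "targets": set of
    accounts/SSIDs tried, "first": ts, "last": ts}}. The window slides, so a
    slow trickle of failures spread over a long period is not flagged.
    """
    recent = defaultdict(deque)  # actor -> deque of (timestamp, target) in window
    alerts = {}
    for ts, actor, target in events:
        q = recent[actor]
        q.append((ts, target))
        while q and ts - q[0][0] > window:  # drop entries that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            a = alerts.setdefault(
                actor, {"count": 0, "targets": set(), "first": q[0][0], "last": ts}
            )
            a["count"] = max(a["count"], len(q))
            a["targets"].update(t for _, t in q)
            a["last"] = ts
    return alerts


if __name__ == "__main__":
    for name, log, rx in (("wifi", WIFI_LOG, WIFI_RE), ("windows", WIN_LOG, WIN_RE)):
        for actor, a in detect_bursts(parse_events(log, rx)).items():
            print(f"[{name}] {actor}: {a['count']} failures, "
                  f"{len(a['targets'])} distinct targets, {a['first']} .. {a['last']}")
```

In the constructed data the client aa:bb:cc:dd:ee:01 is flagged for six failures across three SSIDs in about half a minute, and WS-SALES-07 for six failed network logons against five accounts in ten seconds, while the single failures from the legitimate clients stay quiet. Tune `threshold` and `window` against a baseline of your own environment; the distinct-target count is the more useful signal, since a user mistyping one password rarely cycles through many accounts or SSIDs.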
The best protection against this strain of malware is to keep systems and antivirus up to date, enforce a strong authentication scheme on Wi-Fi networks, or at the very least ensure that the default admin credentials have been changed to a secure password.