This malware spreads over WiFi networks without user interaction

Since its emergence, Emotet has been one of the most active malware families among cybercriminals, who constantly develop new versions of it. According to network security specialists, one of Emotet's most recent samples allows attackers to spread across insecure WiFi networks near an infected device.

If a nearby WiFi network is found, Emotet can infect any device connected to it, which gives the malware considerable reach. This new version of Emotet also includes new social engineering and evasion tactics to carry out malicious activities such as credential theft and Trojan deployment.

Although this wireless propagation binary was first recorded in early 2020, network security specialists note that the executable carries a timestamp of April 16, 2018, meaning that this attack vector went unnoticed for almost two years.

This new version of Emotet infects the target device with a self-extracting RAR file containing two binaries (worm.exe and service.exe) used for propagation via WiFi. Once the RAR file is decompressed, the worm.exe binary runs automatically and begins scanning for other WiFi networks to propagate to. Emotet uses wlanAPI, the Windows interface for managing wireless network profiles and connections.

To obtain WiFi identifiers, the malware calls WlanEnumInterfaces (a function used to enumerate the available wireless networks on the victim's system). This function returns the wireless networks as a series of structures containing all their details (SSID, signal strength, encryption, authentication method, etc.).

When data collection for each discovered network is complete, Emotet enters a 'brute force loop' to gain access to the targeted networks; if it fails to connect to one network, the same routine is repeated against the next one. Network security experts have not determined how the attackers obtained the password list, although it may be the product of a data breach.

Once it finds the correct password and connects, the malware sleeps for about 15 seconds before sending an HTTP POST to the attacker's C&C server and establishing the connection to the WiFi network. Finally, the built-in Emotet executable is delivered so that the malware can begin infecting every reachable device.
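The propagation loop described above (repeated failed joins against one network after another, followed by a successful join) leaves a distinctive pattern on the infected host. The following detection script is an added example written for this article, not code from the article or from the Emotet sample. It assumes, as a constructed format, that per-host WLAN connection events have been exported as one "key=value" line per event, using event ID 8002 for a failed connection attempt and 8001 for a successful connection (the Windows WLAN-AutoConfig IDs for those outcomes; the real log layout is XML, so the parser here would need adapting). It flags any host whose failed-join events in a short window exceed a threshold and span several SSIDs, and reports which network the host joined afterwards.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Event IDs assumed for this example (WLAN-AutoConfig: 8002 = failed to
# connect, 8001 = connected). The log lines below are constructed samples.
FAILED = 8002
CONNECTED = 8001

SAMPLE_LOG = """\
2020-02-10T10:00:01 host=WS01 id=8002 ssid=CoffeeShop
2020-02-10T10:00:04 host=WS01 id=8002 ssid=CoffeeShop
2020-02-10T10:00:07 host=WS01 id=8002 ssid=CoffeeShop
2020-02-10T10:00:10 host=WS01 id=8002 ssid=Guest-5G
2020-02-10T10:00:13 host=WS01 id=8002 ssid=Guest-5G
2020-02-10T10:00:16 host=WS01 id=8002 ssid=HomeNet
2020-02-10T10:00:19 host=WS01 id=8001 ssid=HomeNet
2020-02-10T09:30:00 host=WS02 id=8002 ssid=Office
2020-02-10T09:45:00 host=WS02 id=8001 ssid=Office
"""

LINE_RE = re.compile(r"^(\S+) host=(\S+) id=(\d+) ssid=(\S+)$")


def parse(log):
    """Parse the constructed export format into (timestamp, host, id, ssid)
    tuples sorted by time; lines that do not match are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, host, eid, ssid = m.groups()
        events.append((datetime.fromisoformat(ts), host, int(eid), ssid))
    events.sort()
    return events


def detect_wifi_bruteforce(log, window=timedelta(minutes=2),
                           max_failures=4, min_ssids=2):
    """Return {host: finding} for hosts whose failed-join events within any
    sliding window reach max_failures and cover at least min_ssids distinct
    networks. A legitimate user mistyping one passphrase produces failures
    against a single SSID; the worm's loop walks through many."""
    per_host = defaultdict(list)
    for ts, host, eid, ssid in parse(log):
        per_host[host].append((ts, eid, ssid))

    alerts = {}
    for host, evs in per_host.items():
        failures = [(ts, ssid) for ts, eid, ssid in evs if eid == FAILED]
        best = None
        start = 0
        for end in range(len(failures)):
            # Slide the window start forward until it fits within `window`.
            while failures[end][0] - failures[start][0] > window:
                start += 1
            burst = failures[start:end + 1]
            ssids = {s for _, s in burst}
            if len(burst) >= max_failures and len(ssids) >= min_ssids:
                if best is None or len(burst) > best["failures"]:
                    # Networks the host successfully joined after the burst
                    # began: the one the guessed password worked on.
                    joined = sorted({s for ts, eid, s in evs
                                     if eid == CONNECTED and ts >= burst[0][0]})
                    best = {"failures": len(burst),
                            "ssids": sorted(ssids),
                            "joined_after": joined}
        if best:
            alerts[host] = best
    return alerts


if __name__ == "__main__":
    for host, finding in detect_wifi_bruteforce(SAMPLE_LOG).items():
        print(host, finding)
```

On the sample data, WS01 is flagged (six failures across three SSIDs in under twenty seconds, then a successful join to HomeNet), while WS02's single failure fifteen minutes before a successful join is treated as normal user behaviour. The thresholds are starting points; tune them against a baseline of your own fleet's WLAN event volume.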

Network security experts at the International Institute of Cyber Security (IICS) note that one of the main ways to protect against potential Emotet infections is to set strong WiFi passwords, since the password list used by the attackers is believed to consist mostly of factory-default passwords for WiFi devices.
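A simple way to act on that advice is to check a network's passphrase against the properties a list of factory defaults would exploit before deploying it. The following is an added example written for this article, not the IICS's or anyone else's tool; the default-passphrase set it contains is a small constructed sample standing in for whatever list an organisation maintains, and the 16-character minimum is a policy choice assumed here (WPA2-PSK itself only requires 8 to 63 characters).

```python
import re

# Constructed, illustrative set of factory-default passphrases. In practice
# this would be loaded from a maintained list of vendor defaults.
FACTORY_DEFAULTS = {
    "admin", "password", "12345678", "123456789", "1234567890",
    "wifi1234", "default", "qwertyuiop",
}

# Assumed policy minimum; WPA2-PSK passphrases must be 8 to 63 characters.
POLICY_MIN_LENGTH = 16


def _alnum(s):
    """Lowercase and keep only letters and digits, so 'Guest-5G' and
    'guest5g' compare equal."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def wifi_passphrase_findings(ssid, passphrase):
    """Return a list of human-readable problems with a WPA2 passphrase.
    An empty list means the passphrase passes every check."""
    findings = []

    if not 8 <= len(passphrase) <= 63:
        findings.append("length outside the WPA2 passphrase range (8-63)")
    elif len(passphrase) < POLICY_MIN_LENGTH:
        findings.append(f"shorter than {POLICY_MIN_LENGTH} characters")

    if passphrase.lower() in FACTORY_DEFAULTS:
        findings.append("matches a known factory default")

    if passphrase.isdigit():
        findings.append("digits only (looks like a default PIN)")

    # A passphrase that embeds the network name is trivially guessable
    # once the SSID has been enumerated.
    if ssid and _alnum(ssid) and _alnum(ssid) in _alnum(passphrase):
        findings.append("contains the SSID")

    classes = sum([
        any(c.islower() for c in passphrase),
        any(c.isupper() for c in passphrase),
        any(c.isdigit() for c in passphrase),
        any(not c.isalnum() for c in passphrase),
    ])
    if classes < 3:
        findings.append("uses fewer than three character classes")

    return findings


def passphrase_acceptable(ssid, passphrase):
    return not wifi_passphrase_findings(ssid, passphrase)


if __name__ == "__main__":
    for ssid, pw in [("HomeNet", "12345678"),
                     ("Guest-5G", "guest5g-2018"),
                     ("HomeNet", "correct horse battery staple 42!")]:
        print(ssid, repr(pw), wifi_passphrase_findings(ssid, pw) or "OK")
```

The check is deliberately conservative: the factory-default list only catches exact matches, so the length, character-class and SSID-reuse rules do the work of rejecting the near-defaults a brute-force list would also carry.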