Attackers are using a new Emotet loader that brute-forces the passwords of nearby Wi-Fi networks and uses the compromised networks as a path onto other devices. The loader works through a password list in a brute-force loop, so networks protected only by weak passphrases are the ones at risk. The change to the Emotet malware makes these networks far easier to target.
Once Emotet can join a network, it can spread to the devices currently connected to it. Researchers say the new attack method makes Emotet, which is already widespread and returned in September, more dangerous.
“With this newly discovered loader-type used by Emotet, a new threat vector is introduced to Emotet’s capabilities,” said James Quinn, threat researcher and malware analyst for Binary Defense, in a Friday analysis.
“Previously thought to only spread through malspam and infected networks, Emotet can use this loader-type to spread through nearby wireless networks if the networks use insecure passwords.”
The Wi-Fi spreading binary was first spotted last month, but the executable's PE timestamp dates to April 2018. If the timestamp is genuine, the technique has been in use for nearly two years; PE timestamps are trivial to forge, however, so the date is an indication rather than proof.
The new binary arrives as a self-extracting RAR archive that unpacks and launches its contents automatically. Inside are two executables: worm.exe, which performs the Wi-Fi spreading, and service.exe, the payload that worm.exe installs on the machines it reaches.
Attack
When worm.exe executes, it profiles the host's wireless capability and looks for other networks it can reach. Once it obtains a handle to the wireless interface, it calls a function that enumerates the Wi-Fi networks within range of the victim system.
It then loops over each network in turn, trying passwords from embedded password lists until one allows a connection. Not every attempt succeeds; when a password fails, the loop simply moves on to the next candidate.
“With buffers containing either a list of all usernames successfully brute-forced and their passwords, or the administrator account and its password, worm.exe can now begin spreading service.exe to other systems,” said researchers. “Service.exe is the infected payload installed on remote systems by worm.exe. This binary has a PE timestamp of 01/23/2020, which was the date it was first found by Binary Defense.”
“Detection strategies for this threat include active monitoring of endpoints for new services being installed and investigating suspicious services or any processes running from temporary folders and user profile application data folders,” they said. “Network monitoring is also an effective detection, since the communications are unencrypted and there are recognizable patterns that identify the malware message content.”
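The endpoint detection strategies quoted above (new service installs, and services or processes running from temporary folders or user-profile AppData folders) can be reduced to a simple log-scanning rule. The Python script below is an added example written for this page, not Binary Defense's code. It assumes a simplified pipe-delimited export of Windows Event ID 7045 (service installed, System log) and Event ID 4688 (process created, Security log) records in the form `event_id|subject|image_path`; the sample records, account names and paths are constructed. In production the same logic would run over the real ImagePath and NewProcessName fields.

```python
"""Flag new services and process launches whose image lives in a temp or
user-profile AppData directory (the detection strategy described in the
article). Added example; the event format and sample records are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Windows event IDs that carry an executable path worth checking.
EVENT_SERVICE_INSTALLED = 7045  # System log: a new service was installed
EVENT_PROCESS_CREATED = 4688    # Security log: a new process was created

# Locations where a service binary or long-running process should raise an
# alert: per-user AppData trees (which include the user temp folder), the
# system temp folder, a root temp folder, and environment variables that
# resolve to those places. Matching is case-insensitive.
SUSPICIOUS_PATHS: List[Tuple[str, "re.Pattern[str]"]] = [
    ("user AppData", re.compile(
        r"^[a-z]:\\users\\[^\\]+\\appdata\\(local|locallow|roaming)\\", re.I)),
    ("system temp", re.compile(r"^[a-z]:\\windows\\temp\\", re.I)),
    ("root temp", re.compile(r"^[a-z]:\\temp\\", re.I)),
    ("env-var temp/AppData", re.compile(
        r"^%(temp|tmp|appdata|localappdata)%", re.I)),
]


@dataclass
class Alert:
    event_id: int
    subject: str      # service name (7045) or parent process (4688)
    image_path: str
    reason: str


def extract_image_path(image_field: str) -> str:
    """Return the executable path from an ImagePath / NewProcessName field.

    The field may be quoted and followed by arguments ("C:\\x\\svc.exe" -k net)
    or unquoted with arguments. Take the quoted part if present, otherwise
    everything up to and including the first '.exe' token; unquoted paths with
    spaces and no '.exe' fall back to the first whitespace-delimited token."""
    field = image_field.strip()
    if field.startswith('"'):
        end = field.find('"', 1)
        return field[1:end] if end != -1 else field[1:]
    m = re.search(r"\.exe\b", field, re.I)
    return field[: m.end()] if m else field.split(" ")[0]


def is_suspicious_path(path: str) -> Optional[str]:
    """Return the label of the matching suspicious location, or None."""
    normalised = path.replace("/", "\\")
    for label, pattern in SUSPICIOUS_PATHS:
        if pattern.match(normalised):
            return label
    return None


def parse_event(line: str) -> Tuple[int, str, str]:
    """Split a constructed 'event_id|subject|image_path' record."""
    event_id, subject, image_field = line.split("|", 2)
    return int(event_id), subject, image_field


def scan(lines: List[str]) -> List[Alert]:
    """Run the rule over a batch of records and return the alerts raised."""
    alerts: List[Alert] = []
    for line in lines:
        event_id, subject, image_field = parse_event(line)
        if event_id not in (EVENT_SERVICE_INSTALLED, EVENT_PROCESS_CREATED):
            continue
        path = extract_image_path(image_field)
        label = is_suspicious_path(path)
        if label:
            kind = "service" if event_id == EVENT_SERVICE_INSTALLED else "process"
            alerts.append(Alert(event_id, subject, path,
                                f"{kind} image under {label}"))
    return alerts


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # Benign: a real Windows service hosted from System32.
    r"7045|Winmgmt|C:\Windows\System32\svchost.exe -k netsvcs",
    # Benign: a user launches a browser from Program Files.
    r"4688|explorer.exe|C:\Program Files\Mozilla Firefox\firefox.exe",
    # Suspicious: a service installed from a user's temp folder.
    r'7045|Service|"C:\Users\alice\AppData\Local\Temp\service.exe"',
    # Suspicious: a process started from a user's Roaming AppData tree.
    r"4688|cmd.exe|C:\Users\alice\AppData\Roaming\update\worm.exe",
    # Suspicious: ImagePath uses an environment variable pointing into temp.
    r"7045|Updater|%TEMP%\svc.exe -run",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert.event_id}] {alert.subject}: {alert.image_path} ({alert.reason})")
```

The rule is deliberately narrow: a service registered from System32 or Program Files never fires, while anything under a user profile's AppData tree, a temp folder, or an environment variable that expands to one does. Extend `SUSPICIOUS_PATHS` with your own environment's download and staging directories rather than loosening the patterns.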