Emotet Malware is Now Capable of Hacking Wi-Fi Networks

Emotet Spreads by Hacking Wi-Fi Networks

Many people don't think much of it, but the correct configuration of a Wi-Fi network is incredibly important. It could open the gateway to all your personal devices, and its security must be treated with utmost respect for many different reasons. Recently, James Quinn, a malware analyst for Binary Defense, found yet another one.

He discovered it when he was analyzing a new sample of the Emotet malware, which he stumbled upon in late-January. Emotet is arguably the most prevalent malware threat of the last few years. It's been around since 2014, and although it can be used as a standalone banking trojan, it has frequently been employed as a dropper for other malware strains. So far, it's been distributed mainly with the help of large-scale malspam campaigns, and its operators have used clever social engineering techniques to infect as many people as possible. When James Quinn took a closer look at the new version, however, he saw that Emotet's authors had included a previously unreported module for spreading across devices and networks.

Emotet jumps Wi-Fi networks to maximize the number of victims

Emotet's post-infection operation in the version Quinn examined is dependent on a couple of executable files placed in a self-extracting RAR archive. The first one, service.exe, is responsible for extracting the Emotet binary and executing it. As its name might suggest, the second one, worm.exe, is tasked with placing service.exe on as many computers as possible.

When he reverse-engineered worm.exe, James Quinn saw that the file was communicating heavily with wlanAPI.dll – a library that allows Windows computers to connect to wireless networks. Using API calls, Emotet's spreader component collects a list of all available Wi-Fi networks and makes a detailed profile of each and every one of them. After it establishes a network's SSID, signal strength, and security protocol, the malware tries to connect to it. If the wireless network isn't protected by a password, Emotet goes straight in. If the network is locked, it will attempt to brute-force its way in using a hard-coded list of weak and easy-to-guess passwords.

All successful attacks on neighboring wireless networks are reported to the Command and Control (C&C) server, after which the worm continues with the infection routine. All the non-hidden shares on a compromised network are enumerated, and, using a second hard-coded list of passwords, worm.exe tries to compromise all of them. If this doesn't work, the malware attempts to brute-force the administrator account for the network resource.

After successfully guessing a password, Emotet renames service.exe to my.exe and places it on the compromised computer's C:\ drive. A newly created service ensures that the file is executed.

The "new" worm component is allegedly two years old

James Quinn was a bit surprised to see that according to the file's timestamp, the worm component was created in April 2018. After some more research, he realized that a copy of worm.exe was first submitted to VirusTotal in May 2018, which showed that it's not really new.

Apparently, Emotet has had the ability to jump between wireless networks for close to two years now, but for some reason, the security experts have only just discovered it. This could be because the malware's operators haven't used the functionality so far, but it could also be due to the fact that the sandboxes and virtual machines researchers use to examine malware rarely come with wireless connectivity.

Whatever the case, there's little doubt in anyone's mind that the spreader component is powerful and can cause a lot of damage. With it, your neighbor's negligence could lead to the theft of your personal data, so make sure that your home network is protected by a strong password.

February 11, 2020

Leave a Reply