11 February 2020

Emotet uses new propagation trick to claim new victims

Security researchers have spotted a new variant of the Emotet malware that comes with a Wi-Fi Spreader module that allows it to infect new victims connected to nearby insecure wireless networks. The new malware strain analyzed by experts at Binary Defense takes advantage of the wlanAPI interface to discover all Wi-Fi networks in the area, and then attempts to spread to these networks, infecting all devices that it can access in the process.

Once on the network, the malware scans the other computers connected to it for Windows hosts with file sharing enabled. It then enumerates the user accounts on those devices and attempts to guess their passwords, as well as the password of the Administrator account. After successfully breaking into an account, the malware copies itself to that computer and installs itself there via a remote command.

The new Wi-Fi Spreader module is downloaded to C:\ProgramData on the infected system. The downloaded binary is a self-extracting RAR containing two executables (service.exe and worm.exe) used to spread the infection through the network. Worm.exe is configured as the setup file and is the main executable used for spreading. Based on the executable's timestamp (04/16/2018), the researchers believe that this Wi-Fi spreading behavior went unnoticed for nearly two years.

"The executable with this timestamp contained a hard-coded IP address of a Command and Control (C2) server that was used by Emotet. This hints that this Wi-Fi spreading behavior has been running unnoticed for close to two years," BinaryDefense noted.

"This may be in part due to how infrequently the binary is dropped. Based on our records, 01/23/2020 was the first time that Binary Defense observed this file being delivered by Emotet, despite having data going back to when Emotet first came back in late August of 2019," the report continued.

Upon startup of worm.exe, the first action it takes is to copy the service.exe string to a variable that will be used during file spreading. Next, it steps into the main loop and immediately begins profiling the wireless network using wlanAPI.dll calls in order to spread to any networks it can access.

Service.exe is another executable installed by worm.exe. It is registered as a service called WinDefService and uses port 443 (normally reserved for Transport Layer Security (TLS) encrypted traffic) to establish a connection to the command and control server over unencrypted HTTP.
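The indicators the article gives (worm.exe and service.exe dropped directly into C:\ProgramData, a service named WinDefService, and plaintext HTTP sent to port 443) lend themselves to a simple host and network detection. The following Python is an added example written for this page; it is not code from the Binary Defense report or from the article. The event field layout, the sample records (IP addresses and parent process names are constructed), and the failed-logon threshold are assumptions made here, not facts from the report.

```python
"""Toy detector for the Emotet Wi-Fi spreader indicators described in the article.

All events below are constructed sample telemetry, not real logs."""
from collections import Counter

# Indicators from the article: the SFX RAR drops worm.exe and service.exe into
# C:\ProgramData, service.exe registers as "WinDefService", and the service
# talks plain HTTP on port 443 (where a TLS handshake would be expected).
DROP_DIR = r"c:\programdata"
DROPPED_BINARIES = {"worm.exe", "service.exe"}
SERVICE_NAME = "windefservice"
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ")

# Constructed sample events. The field names are an assumption for this example.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\ProgramData\worm.exe",
     "parent": r"C:\ProgramData\sfx_stub.exe"},
    {"type": "service_install", "name": "WinDefService",
     "image": r"C:\ProgramData\service.exe"},
    # Plain HTTP request on the TLS port: matches the behaviour of service.exe.
    {"type": "net_flow", "dst_port": 443,
     "payload": b"POST / HTTP/1.1\r\nHost: 203.0.113.5\r\n\r\n"},
    # Genuine TLS ClientHello on 443 (record type 0x16): should not alert.
    {"type": "net_flow", "dst_port": 443,
     "payload": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"},
    # Benign process in a different directory: should not alert.
    {"type": "process_create", "image": r"C:\Program Files\App\app.exe",
     "parent": r"C:\Windows\explorer.exe"},
] + [
    # Burst of failed logons from one host: the account-guessing step.
    {"type": "logon_failure", "src": "192.0.2.10", "user": "Administrator"}
    for _ in range(6)
] + [
    # Two failures from another host: below threshold, normal typos.
    {"type": "logon_failure", "src": "192.0.2.20", "user": "bob"}
    for _ in range(2)
]


def split_win_path(path):
    """Return (directory, basename) of a Windows path, lower-cased."""
    normalised = path.lower().replace("/", "\\")
    head, _, tail = normalised.rpartition("\\")
    return head, tail


def is_dropped_binary(path):
    """True if the image is worm.exe or service.exe sitting directly in C:\\ProgramData."""
    head, tail = split_win_path(path)
    return head == DROP_DIR and tail in DROPPED_BINARIES


def is_plaintext_http_on_443(dst_port, payload):
    """Port 443 should start with a TLS record; an HTTP verb means cleartext HTTP."""
    return dst_port == 443 and payload.startswith(HTTP_METHODS)


def detect(events, logon_threshold=5):
    """Run every event through the indicator checks and return (rule, detail) alerts."""
    alerts = []
    failures = Counter()
    for ev in events:
        kind = ev["type"]
        if kind == "process_create" and is_dropped_binary(ev["image"]):
            alerts.append(("spreader_binary", ev["image"]))
        elif kind == "service_install":
            if ev["name"].lower() == SERVICE_NAME or is_dropped_binary(ev["image"]):
                alerts.append(("spreader_service", ev["name"]))
        elif kind == "net_flow" and is_plaintext_http_on_443(ev["dst_port"], ev["payload"]):
            request_line = ev["payload"].split(b"\r\n", 1)[0].decode(errors="replace")
            alerts.append(("plaintext_http_443", request_line))
        elif kind == "logon_failure":
            failures[ev["src"]] += 1
    # Password guessing shows up as many failures from one source host.
    for src, count in failures.items():
        if count >= logon_threshold:
            alerts.append(("logon_guessing", f"{src} ({count} failures)"))
    return alerts


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Running the script against the constructed events yields four alerts: the dropped worm.exe, the WinDefService install, the cleartext HTTP request on 443, and the failed-logon burst from 192.0.2.10; the TLS flow, the benign process and the two stray failures stay quiet. The service name and paths are weak indicators on their own (trivially renamed in a new build), so the cleartext-on-443 and logon-burst checks are the ones worth keeping as general detections.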

“With this newly discovered loader-type used by Emotet, a new threat vector is introduced to Emotet’s capabilities. Previously thought to only spread through malspam and infected networks, Emotet can use this loader-type to spread through nearby wireless networks if the networks use insecure passwords,” Binary Defense concluded.

A more detailed technical analysis of the new Emotet strain, as well as related IoCs, can be found in the Binary Defense blog post.
