Security researchers have spotted a new variant of the Emotet malware that comes with a Wi-Fi Spreader module that allows it to infect new victims connected to nearby insecure wireless networks. The new malware strain analyzed by experts at Binary Defense takes advantage of the wlanAPI interface to discover all Wi-Fi networks in the area, and then attempts to spread to these networks, infecting all devices that it can access in the process.
Once on the network, the malware scans all other computers connected to the same network for any Windows computers that have file sharing enabled. Next, it scans for all user accounts on those devices and attempts to guess the passwords to those accounts as well as the Administrator account. After successfully breaking into an account, the malware copies itself to that computer and installs itself via remote command on the other computer.
The new Wi-Fi Spreader module downloads to the system C:\ProgramData. The downloaded binary contains a self-extracting RAR that has two (service.exe and worm.exe) binaries to spread the infection through the network. Worm.exe is configured as the setup file and is the main executable used for spreading. Based on the executable’s timestamp (04/16/2018) the researchers believe that this Wi-Fi spreading behavior went unnoticed for nearly two years.
"The executable with this timestamp contained a hard-coded IP address of a Command and Control (C2) server that was used by Emotet. This hints that this Wi-Fi spreading behavior has been running unnoticed for close to two years," BinaryDefense noted.
"This may be in part due to how infrequently the binary is dropped. Based on our records, 01/23/2020 was the first time that Binary Defense observed this file being delivered by Emotet, despite having data going back to when Emotet first came back in late August of 2019," the report continued.
Upon startup of worm.exe, the first action it takes is to copy the service.exe string to a variable that will be used during file spreading. Next, it steps into the main loop and immediately begins profiling the wireless network using wlanAPI.dll calls in order to spread to any networks it can access.
Service.exe is another executable installed by worm.exe. The binary is installed as a service called WinDefService and uses port 443 (typically used for Transport Layer Security (TLS) encrypted communications) to establish connection (via unsecured HTTP) to the command and control server.
“With this newly discovered loader-type used by Emotet, a new threat vector is introduced to Emotet’s capabilities. Previously thought to only spread through malspam and infected networks, Emotet can use this loader-type to spread through nearby wireless networks if the networks use insecure passwords,” Binary Defense concluded.
More detailed technical analysis of the new Emotet strain, as well as related IoCs can be found in the Binary Defense blog post.