The nasty Emotet Trojan is evolving at an alarming rate! This infamous malware caused great chaos in the cyber-world last week with its malicious Emotet spam campaign. It used spam e-mail campaigns to propagate its infection and deceived US taxpayers by attaching infected W-9 tax documents to e-mails. A mere click on such an attachment would install Emotet on the device.
Following is a sample malicious e-mail containing the trojanized W-9 tax form:
Once again, the developers of this devastating malware have geared themselves up to employ a new spread vector, increase the number of victims and generate more illicit revenue.
According to cyber-security analysts at Binary Defense, it now employs a new strategy: spreading via insecure wireless networks located near already-infected devices. It deploys a new Wi-Fi spreader module on infected devices and breaks into the Wi-Fi networks they can reach. Once a Wi-Fi network is compromised, the module identifies new victims connected to that network and infects them, posing a serious threat to web security and data privacy.
Let us look at how this new spreading technique of the Emotet virus works:
The new Emotet Trojan Wi-Fi Spreader Module
Emotet malware has been known for carrying out a myriad of botnet-driven spam campaigns and ransomware attacks since its emergence in 2014.
The return of Trojan.Emotet in September 2019 brought new evasion and social-engineering tactics, which were used to steal users' login credentials and sensitive information. It was also used to spread Trojans to US taxpayers via the Emotet spam campaign.
And now, the developers of this devious banking Trojan have released an updated version that uses a new Wi-Fi spreading module. This module scans for Wi-Fi networks around already-infected systems and then tries to infect other devices connected to those nearby networks.
Binary Defense, a cyber-security firm, has confirmed that the Wi-Fi spreading module of Emotet had been running under the radar since April 2018, until it was detected for the first time last month.
Insight into the Working of Emotet Wifi Spreader Module
The brand-new strain of the devious Emotet malware takes advantage of already-infected devices to locate all nearby available Wi-Fi networks.
This new campaign uses the wlanAPI interface to enumerate the Wi-Fi networks near the Wi-Fi-enabled compromised host. It also extracts other network information such as the SSID, signal strength, authentication method and the encryption mode used to protect the passwords.
When networks are found, it tries to connect to them; if a network is password-protected, it attempts a brute-force attack using passwords taken from an internal password list. It is still unclear how the Emotet Trojan obtained this internal password list.
According to the analysis, if a connection attempt with one password fails, it moves on to the next password on the list.
When the infected device successfully connects to another wireless network, the Emotet worm module begins identifying all non-hidden shares. It then launches a second round of brute-force attacks to break into the administrator account and all other user accounts on the compromised Wi-Fi network.
After successful brute-forcing, the malicious Wi-Fi spreading module moves on to the next phase, which consists of:
1. dropping a malicious payload in the form of service.exe, and
2. disguising it as a service named “Windows Defender System Service” (WinDefService) to gain persistence on the infected system.
This malicious service not only communicates with the Emotet Trojan's command-and-control server, but also executes the Emotet binary on the infected device.
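A defender-side check for the persistence artefact described above, as an added example that is not from the original post or from Binary Defense: it reads service-installation records from the Windows System log (Service Control Manager, Event ID 7045) and flags the service name WinDefService, the display name “Windows Defender System Service”, or a service binary called service.exe that lives outside a Windows system directory. The log lines below are constructed for the example and the pipe-delimited layout is an assumption; real deployments would feed exported 7045 events into `find_suspicious`.

```python
import re
from typing import Dict, List

# Constructed sample of Windows System-log entries (Service Control Manager, Event ID 7045,
# "A service was installed in the system"). The field names follow the real event; the
# values and the pipe-delimited layout are invented for this example.
SAMPLE_EVENTS = [
    "7045|Service Name: Spooler|Service File Name: C:\\Windows\\System32\\spoolsv.exe|Service Account: LocalSystem",
    "7045|Service Name: WinDefService|Service File Name: C:\\Users\\Public\\service.exe|Service Account: LocalSystem",
    "7045|Service Name: BackupAgent|Service File Name: C:\\ProgramData\\Tools\\service.exe|Service Account: LocalSystem",
    "7036|Service Name: WinDefService|Service File Name: |Service Account: ",
]

# Indicators taken from the post: the persistence service name / display name and the payload file name.
SUSPICIOUS_NAMES = {"windefservice", "windows defender system service"}
PAYLOAD_FILE = "service.exe"
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
FIELD_RE = re.compile(r"(Service Name|Service File Name|Service Account): ?([^|]*)")


def parse_event(line: str) -> Dict[str, str]:
    """Split one pipe-delimited 7045-style record into its fields."""
    event_id, _, rest = line.partition("|")
    fields = {key: value.strip() for key, value in FIELD_RE.findall(rest)}
    fields["EventID"] = event_id.strip()
    return fields


def classify(event: Dict[str, str]) -> List[str]:
    """Return the reasons a service-installation event looks like the Emotet spreader artefact."""
    reasons: List[str] = []
    if event.get("EventID") != "7045":
        return reasons  # only service installations are of interest here
    name = event.get("Service Name", "").lower()
    path = event.get("Service File Name", "").lower()
    if name in SUSPICIOUS_NAMES:
        reasons.append("service name matches the Emotet spreader persistence name")
    if path.rsplit("\\", 1)[-1] == PAYLOAD_FILE and not path.startswith(TRUSTED_DIRS):
        reasons.append("service binary is service.exe outside a Windows system directory")
    return reasons


def find_suspicious(lines: List[str]) -> Dict[str, List[str]]:
    """Map each flagged service name to the reasons it was flagged."""
    hits: Dict[str, List[str]] = {}
    for line in lines:
        event = parse_event(line)
        reasons = classify(event)
        if reasons:
            hits[event["Service Name"]] = reasons
    return hits


if __name__ == "__main__":
    for service, reasons in find_suspicious(SAMPLE_EVENTS).items():
        print(service, "->", "; ".join(reasons))
```

A service.exe in an unusual directory is flagged even when its name has been changed, so the second rule catches renamed variants at the cost of an occasional benign hit to review.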
The Emotet Trojan's ability to proliferate from one Wi-Fi network to another is remarkable. It has prompted organizations around the world to secure their networks with stronger passwords to prevent potential intrusion and unauthorized access.
In addition, organizations and individuals are advised to patch security flaws and set up two-factor authentication to strengthen the security of their networks.
While these security measures are no magic spell that stops every intrusion, they can greatly reduce the success rate of an Emotet Trojan attack.