A new variant of the notorious Emotet Windows malware is able to spread wirelessly by brute-forcing Wi-Fi network passwords and scanning for shared drives to infect.
The wormification of the trojan attack was detected by researchers at Binary Defense, who this month reported that the technique may have been going on undetected for as long as two years before its discovery in January, judging by timestamps in the code.
"With this newly discovered loader-type used by Emotet, a new threat vector is introduced to Emotet’s capabilities," Binary Defense explained in its deep-dive examination of the software nasty.
"Previously thought to only spread through malspam and infected networks, Emotet can use this loader-type to spread through nearby wireless networks if the networks use insecure passwords."
In this case, the Binary Defense crew found that after the malware was installed and running on a PC, it would download and load two new executables. These payloads extract themselves and call wlanAPI.dll, a legitimate Windows code library for connecting to Wi-Fi networks. Using this library, the malware enumerates nearby Wi-Fi networks and tries to join them. If need be, it attempts to brute-force its way onto them by guessing their passwords.
If that works, the malware will connect to a command-and-control server where it gets the go-ahead to begin a second round of brute-force attacks on Windows PCs on the compromised wireless networks. Specifically, it tries to guess the user and administrator passwords of any network shares found on the Wi-Fi, so that it can log in and infect them. Thus, you now have a scenario where one user can get infected and, without any notification or interaction, distribute the malware to everyone else on their network or surrounding wireless networks.
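The share-password guessing described above leaves a trail of failed network logons on the targeted machines. As an added, defender-side illustration (not code from the article or from Binary Defense's report), the following script flags any source workstation that racks up a burst of failed logons against several accounts inside a short window; the event records are a constructed simplification of Windows Security event 4625 (failed logon, logon type 3 = network) and the thresholds are assumptions to tune per environment.

```python
"""Flag sources producing bursts of failed network logons (Windows event 4625)
across multiple accounts, the pattern left by share-password guessing."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry): (timestamp, source workstation,
# target account) for Security event 4625 with logon type 3 (network logon).
SAMPLE_EVENTS = [
    ("2020-01-23T10:00:01", "WS-PAYROLL", "admin"),
    ("2020-01-23T10:00:03", "WS-PAYROLL", "admin"),
    ("2020-01-23T10:00:05", "WS-PAYROLL", "administrator"),
    ("2020-01-23T10:00:05", "WS-HR", "jsmith"),          # one typo, benign
    ("2020-01-23T10:00:07", "WS-PAYROLL", "administrator"),
    ("2020-01-23T10:00:09", "WS-PAYROLL", "backup"),
    ("2020-01-23T10:00:11", "WS-PAYROLL", "backup"),
    ("2020-01-23T10:00:13", "WS-PAYROLL", "guest"),
    ("2020-01-23T10:00:15", "WS-PAYROLL", "guest"),
    # Five failures spread over eight minutes: outside any 60-second window.
    ("2020-01-23T10:00:00", "WS-LAPTOP", "admin"),
    ("2020-01-23T10:02:00", "WS-LAPTOP", "admin"),
    ("2020-01-23T10:04:00", "WS-LAPTOP", "admin"),
    ("2020-01-23T10:06:00", "WS-LAPTOP", "admin"),
    ("2020-01-23T10:08:00", "WS-LAPTOP", "admin"),
]


def parse_event(rec):
    """Turn a (timestamp, source, account) record into sortable values."""
    ts, src, user = rec
    return datetime.fromisoformat(ts), src, user


def find_guessing_sources(events, window=timedelta(seconds=60),
                          min_failures=5, min_accounts=2):
    """Return {source: (peak failures in window, sorted accounts tried)} for
    every source whose failed logons exceed the thresholds in any window."""
    by_src = defaultdict(list)
    for ts, src, user in sorted(parse_event(e) for e in events):
        by_src[src].append((ts, user))
    flagged = {}
    for src, attempts in by_src.items():
        recent = deque()                     # sliding window of (ts, user)
        for ts, user in attempts:
            recent.append((ts, user))
            while ts - recent[0][0] > window:
                recent.popleft()             # drop attempts older than the window
            accounts = {u for _, u in recent}
            if len(recent) >= min_failures and len(accounts) >= min_accounts:
                if src not in flagged or len(recent) > flagged[src][0]:
                    flagged[src] = (len(recent), sorted(accounts))
    return flagged


if __name__ == "__main__":
    for src, (count, accounts) in find_guessing_sources(SAMPLE_EVENTS).items():
        print(f"{src}: {count} failed logons against {accounts}")
```

On a real network the records would come from an export of the Security log on each file server; the single-account, slow-drip case is deliberately not flagged here, so pair this with a per-account lockout policy.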
Once on a computer, Emotet can be instructed by its masters to pull in other nasties, such as ransomware or trojans that hijack victims' online bank accounts.
While the technique was only spotted in late January, Binary Defense noted that timestamps on the executables as well as VirusTotal signatures on the sample date back to May 2018.
"This hints that this Wi-Fi spreading behavior has been running unnoticed for close to two years," the researchers reported. "This may be in part due to how infrequently the binary is dropped."
Another possibility, the team says, is that the behavior simply didn't get picked up by bug-hunters who were studying the software nasty in virtual machines. These sandboxes are unlikely to be configured with emulated Wi-Fi cards, so the wlanAPI calls fail and the trojan appears to do nothing. This could be a deliberate evasive measure, or just a happy accident for the malware's masterminds.
Either way, the best way to protect against the malware is to keep all system and antivirus software updated, and use authentication schemes that cannot be trivially brute-forced. ®