Bitcoin Forum
Topic: {Warning} Emotet Malware Now Hacks Nearby Wi-Fi Networks to Infect New Victims!

TheBeardedBaby (OP)
February 13, 2020, 09:50:37 AM
#1

A warning to everyone: since this attack began in April 2018 and has been running for two years, it is not surprising if you are also affected.

Quote
Emotet, the notorious trojan behind a number of botnet-driven spam campaigns and ransomware attacks, has found a new attack vector: using already infected devices to identify new victims that are connected to nearby Wi-Fi networks.

According to researchers at Binary Defense, the newly discovered Emotet sample leverages a "Wi-Fi spreader" module to scan Wi-Fi networks, and then attempts to infect devices that are connected to them.

The cybersecurity firm said the Wi-Fi spreader has a timestamp of April 16, 2018, indicating the spreading behavior has been running "unnoticed" for close to two years until it was detected for the first time last month.

Based on what I read in the quote below, the most affected are Windows users, as the bot is installed as a Windows Defender System Service. I presume that those with other operating systems have to change at least their Wi-Fi passwords.

Quote
After having successfully brute-forced users and their passwords, the worm moves to the next phase by installing malicious payloads — called "service.exe" — on the newly infected remote systems. To cloak its behavior, the payload is installed as a Windows Defender System Service (WinDefService).

How Emotet works (diagram in the original post):

The source > https://thehackernews.com/2020/02/emotet-malware-wifi-hacking.html

turkandjaydee
February 13, 2020, 01:01:38 PM
#2

Quote
After having successfully brute-forced users and their passwords
What username and password are meant here?

Quote
the payload is installed as a Windows Defender System Service (WinDefService).
Does this payload show up as one of the running processes in the Processes tab of Task Manager? And what percentage of CPU will it use?
TheBeardedBaby (OP)
February 13, 2020, 02:54:34 PM
#3

Here is the full quote of the explanation of how it works.

Quote
The updated version of the malware works by leveraging an already compromised host to list all the nearby Wi-Fi networks. To do so, it makes use of the wlanAPI interface to extract the SSID, signal strength, the authentication method (WPA, WPA2, or WEP), and mode of encryption used to secure passwords.

On obtaining the information for each network this way, the worm attempts to connect to the networks by performing a brute-force attack using passwords obtained from one of two internal password lists. Provided the connection fails, it moves to the next password in the list. It's not immediately clear how this list of passwords was put together.

But if the operation succeeds, the malware connects the compromised system on the newly-accessed network and begins enumerating all non-hidden shares. It then carries out a second round of brute-force attack to guess the usernames and passwords of all users connected to the network resource.

After having successfully brute-forced users and their passwords, the worm moves to the next phase by installing malicious payloads — called "service.exe" — on the newly infected remote systems. To cloak its behavior, the payload is installed as a Windows Defender System Service (WinDefService).

In addition to communicating with a command-and-control (C2) server, the service acts as a dropper and executes the Emotet binary on the infected host.

The fact that Emotet can jump from one Wi-Fi network to the other puts onus on companies to secure their networks with strong passwords to prevent unauthorized access. The malware can also be detected by actively monitoring processes running from temporary folders and user profile application data folders.

I wanted to avoid quoting the whole article in the OP, but it seems that it's better that way.
The source is the same as in the OP.
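Detection logic for the behaviour quoted above, as an added example that is not part of the original post or of Binary Defense's research. It hunts for the two indicators the article gives (a payload executing from a temp folder or a user-profile AppData folder, and a service installed as "WinDefService" with a "service.exe" binary) plus the burst of failed logons that the share brute-force phase would leave behind. The log format, field names, event lines, the failed-logon threshold and the treatment of "WinDefend" as the legitimate Defender service name are all assumptions made for this example, not telemetry from a real infection:

```python
import re
from collections import Counter

# Constructed sample events (not real telemetry). One event per line:
#   <timestamp>|<EventID>|<key>=<value>|<key>=<value>...
# EventID 1    : Sysmon-style process creation (Image, ParentImage, User)
# EventID 7045 : System log service install (ServiceName, ImagePath)
# EventID 4625 : Security log failed logon (TargetUser, Workstation)
SAMPLE_LOG = r"""
2020-02-13T09:50:01Z|4625|TargetUser=alice|Workstation=LAPTOP-7
2020-02-13T09:50:01Z|4625|TargetUser=bob|Workstation=LAPTOP-7
2020-02-13T09:50:02Z|4625|TargetUser=carol|Workstation=LAPTOP-7
2020-02-13T09:50:02Z|4625|TargetUser=dave|Workstation=LAPTOP-7
2020-02-13T09:50:03Z|4625|TargetUser=erin|Workstation=LAPTOP-7
2020-02-13T09:50:03Z|4625|TargetUser=frank|Workstation=LAPTOP-7
2020-02-13T09:50:30Z|1|Image=C:\Users\alice\AppData\Local\Temp\service.exe|ParentImage=C:\Windows\System32\services.exe|User=NT AUTHORITY\SYSTEM
2020-02-13T09:50:31Z|7045|ServiceName=WinDefService|ImagePath=C:\Users\alice\AppData\Local\Temp\service.exe
2020-02-13T09:51:00Z|1|Image=C:\Program Files\Mozilla Firefox\firefox.exe|ParentImage=C:\Windows\explorer.exe|User=CORP\alice
2020-02-13T09:52:00Z|7045|ServiceName=WinDefend|ImagePath=C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe
2020-02-13T09:53:00Z|4625|TargetUser=alice|Workstation=LAPTOP-3
"""

# Folders the article says to watch: temp folders and user-profile AppData.
SUSPICIOUS_DIR = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\appdata\\|windows\\temp\\)|\\temp\\", re.I)
# Service name the article reports for the dropper (lower-cased for matching).
EMOTET_SERVICE_NAMES = {"windefservice"}
# Failed logons from one source before we call it brute force (assumption).
BRUTE_FORCE_THRESHOLD = 5


def parse_log(text):
    """Parse the pipe-delimited sample format into a list of dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, *fields = line.split("|")
        rec = {"ts": ts, "id": int(event_id)}
        for field in fields:
            key, _, value = field.partition("=")
            rec[key] = value
        events.append(rec)
    return events


def in_suspicious_dir(path):
    """True if the executable lives in a temp or user AppData folder."""
    return bool(SUSPICIOUS_DIR.search(path))


def hunt(events):
    """Return (rule, where, detail) tuples for every indicator that fires."""
    alerts = []
    failed_by_source = Counter()
    for e in events:
        if e["id"] == 1 and in_suspicious_dir(e["Image"]):
            alerts.append(("exec_from_user_writable_dir", e["ts"], e["Image"]))
        elif e["id"] == 7045:
            name, path = e["ServiceName"], e["ImagePath"]
            if (name.lower() in EMOTET_SERVICE_NAMES
                    or path.lower().endswith("\\service.exe")
                    or in_suspicious_dir(path)):
                alerts.append(("suspicious_service_install", e["ts"],
                               f"{name} -> {path}"))
        elif e["id"] == 4625:
            failed_by_source[e["Workstation"]] += 1
    # The share brute-force phase shows up as many failed logons from one host.
    for workstation, count in failed_by_source.items():
        if count >= BRUTE_FORCE_THRESHOLD:
            alerts.append(("logon_brute_force", workstation,
                           f"{count} failed logons"))
    return alerts


if __name__ == "__main__":
    for rule, where, detail in hunt(parse_log(SAMPLE_LOG)):
        print(f"[{rule}] {where}: {detail}")
```

Against the constructed log this fires three times: the Temp-folder `service.exe` execution, the `WinDefService` install pointing at that binary, and six failed logons from LAPTOP-7; Firefox and the genuine `WinDefend` / `MsMpEng.exe` service pass. The path rule is deliberately broad, so expect legitimate installers that run from `%TEMP%` to show up too; that is the trade-off of the article's advice to watch those folders.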

LeGaulois
February 13, 2020, 04:58:11 PM
Last edit: February 13, 2020, 08:58:53 PM by LeGaulois
#4

Not a lot different from the tools available to do the same without flagging wireless intrusion detection systems, using Fragmentation, Hirte, or ARP request attacks.
It would be interesting to know what list they tried and how it was compiled. If it's passwords coming from websites, it isn't harmful, even if it uses a dictionary method.
Even if the user changes it, WPA and WPA2 require at least 10 characters, to avoid (or at least make it harder) setting stupid passwords like 1234.
