Warning: This destructive botnet can spread to nearby WiFi networks
The botnet, called Emotet, keeps getting more sophisticated and its reach continues to evolve
Updated: Feb 12, 2020 14:03 IST
Over the past few years, a malware called Emotet has emerged as the top internet threat. Emotet pillages people’s bank accounts and installs other types of malware. Emotet’s code base is very sophisticated and it keeps evolving regularly to trick targets into clicking on malicious links.
For example, in September last year, Emotet began a spam run that addressed recipients by name and quoted past emails they had sent or received. This allowed the spam threat to spread widely. Now, Emotet has evolved a step further and is using already compromised devices to infect other devices that are connected to nearby WiFi networks.
Here’s how it works
Emotet operators were caught using an updated version of the malware that uses infected devices to “enumerate all nearby WiFi networks”, ArsTechnica reported. The malware was using a programming interface called wlanAPI to “profile the SSID, signal strength and use of WPA or other encryption methods for password-protecting access”. Then, the malware goes on to use one of the two password lists to “guess commonly used default username and password combinations”.
Once the infected device gains access to a new WiFi network it enumerates all non-hidden devices connected to that WiFi network. Then it uses the second password list to try and guess credentials for each of the users connected to the network.
If none of the connected users are infected, the malware tries to “guess the password for the administrator of the shared resource”.
Emotet is primarily known for circulating through malicious emails, but with this new version it is spreading like a ‘virus’ from device to device over infected networks. If it manages to successfully guess the password of a connected device, it loads the Emotet malware along with other pieces of malware, like Ryuk ransomware or TrickBot, in “exchange for fees paid by operators of those campaigns”.
Emotet has moved beyond infecting devices inside a compromised network to moving from network to network.
Change those weak passwords
“With this newly discovered loader-type used by Emotet, a new threat vector is introduced to Emotet’s capabilities. Previously thought to only spread through malspam and infected networks, Emotet can use this loader-type to spread through nearby wireless networks if the networks use insecure passwords,” researchers from security firm Binary Defense wrote in a recently published post.
The Binary Defense post said “the new Wi-Fi spreader has a timestamp of April 2018 and was first submitted to the VirusTotal malware search engine a month later”. While the module was created almost two years ago, Binary Defense had not observed it being used in the wild until last month.
This new spreader shows how vital it is to have strong passwords that restrict access to WiFi networks. “Emotet’s previously known ability to spread from device to device within a network already underscored the importance of using strong passwords to restrict access to devices connected to local networks,” ArsTechnica reported.
To make sure it is hard to crack, passwords should always be randomly generated and should never be fewer than 11 characters.
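The passphrase guidance above, turned into a small policy check and generator. This is an added example, not code from the article, Binary Defense or ArsTechnica; the list of weak default passphrases is constructed for illustration and the 63-character cap comes from the WPA2-PSK passphrase format (8 to 63 printable ASCII characters), not from the article.

```python
import secrets
import string

# Minimum length the article recommends.
MIN_LENGTH = 11
# WPA2-PSK passphrases are limited to 63 printable ASCII characters.
MAX_LENGTH = 63

# Constructed sample of weak or default passphrases of the kind a
# spreader's guess list would contain; the real lists are not reproduced.
COMMON_DEFAULTS = {
    "password", "password1", "12345678", "123456789", "admin",
    "administrator", "qwerty123", "letmein", "welcome1", "iloveyou",
}

# Printable characters a router will accept; spaces and quotes are left
# out so the passphrase survives copy/paste into most admin interfaces.
ALPHABET = string.ascii_letters + string.digits + "-_.!@#$%^&*+=?"


def generate_passphrase(length: int = 20) -> str:
    """Return a passphrase drawn from the OS CSPRNG via the secrets module."""
    if not MIN_LENGTH <= length <= MAX_LENGTH:
        raise ValueError(f"length must be between {MIN_LENGTH} and {MAX_LENGTH}")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def passphrase_problems(passphrase: str) -> list[str]:
    """Return the reasons a passphrase fails the guidance; empty list means it passes."""
    problems = []
    if len(passphrase) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(passphrase) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters (WPA2 limit)")
    if passphrase.lower() in COMMON_DEFAULTS:
        problems.append("appears in a common default/weak passphrase list")
    if passphrase.isdigit():
        problems.append("digits only")
    if len(set(passphrase)) < 4:
        problems.append("fewer than four distinct characters")
    return problems


if __name__ == "__main__":
    candidate = generate_passphrase()
    print(candidate, passphrase_problems(candidate) or "OK")
    for weak in ("password", "12345678", "aaaaaaaaaaaa"):
        print(weak, passphrase_problems(weak))
```

The check is deliberately conservative: a passphrase that only just clears the length rule but sits in a default list is still rejected, because the spreader described above guesses from exactly such lists rather than brute-forcing the key space.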
One aspect of the new WiFi spreader differs from Emotet’s usual penchant for stealth and sophistication. “The module uses unencrypted connections to communicate with attacker-controlled servers. That makes it easy to detect patterns in traffic that people can use to detect infections,” ArsTechnica reports.
The malware can also be detected through “active monitoring of connected devices for new services being installed and watching for any processes or services running from temporary files and user profile application data folders”.
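The host-side detection described above, written out as a small rule set over endpoint events. This is an added example and not part of the article or of Binary Defense's or ArsTechnica's material; the event records are constructed for illustration and their field names (type, image, service) are an assumption rather than the format of any particular logging tool.

```python
import re
from dataclasses import dataclass

# Locations the article names as suspicious for running code: temporary
# folders and user profile application data folders. Matched on a
# backslash-normalised path, case-insensitively.
SUSPICIOUS_DIR_PATTERNS = [
    re.compile(r"^c:\\users\\[^\\]+\\appdata\\(local|roaming|locallow)\\", re.I),
    re.compile(r"^c:\\windows\\temp\\", re.I),
    re.compile(r"^c:\\temp\\", re.I),
]


@dataclass(frozen=True)
class Alert:
    severity: str
    reason: str
    event: dict


def runs_from_suspicious_dir(path: str) -> bool:
    """True if the executable path sits under a temp or user AppData folder."""
    norm = path.strip().strip('"').replace("/", "\\")
    return any(p.search(norm) for p in SUSPICIOUS_DIR_PATTERNS)


def evaluate(events: list[dict]) -> list[Alert]:
    """Apply the rules to a batch of events and return the alerts raised."""
    alerts = []
    for ev in events:
        image = ev.get("image", "")
        if ev["type"] == "process_start" and runs_from_suspicious_dir(image):
            alerts.append(Alert("medium", "process running from temp/AppData folder", ev))
        elif ev["type"] == "service_install":
            # Every new service is worth a look; one whose binary lives in
            # a temp/AppData folder is the pattern the article describes.
            if runs_from_suspicious_dir(image):
                alerts.append(Alert("high", "new service with binary in temp/AppData folder", ev))
            else:
                alerts.append(Alert("low", "new service installed", ev))
    return alerts


# Constructed sample events; not real telemetry.
SAMPLE_EVENTS = [
    {"type": "process_start", "image": r"C:\Windows\System32\svchost.exe", "user": "SYSTEM"},
    {"type": "process_start", "image": r"C:\Users\alice\AppData\Local\Temp\a1b2c3.exe", "user": "alice"},
    {"type": "service_install", "service": "updsvc",
     "image": r"C:\Users\alice\AppData\Roaming\updsvc\updsvc.exe"},
    {"type": "service_install", "service": "Spooler",
     "image": r"C:\Windows\System32\spoolsv.exe"},
    {"type": "process_start", "image": r"C:\Program Files\Vendor\app.exe", "user": "alice"},
]


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(f"[{alert.severity}] {alert.reason}: {alert.event.get('image')}")
```

Signed, legitimate software does occasionally run from AppData, so the medium-severity rule is a triage signal rather than a verdict; the high-severity rule (a freshly installed service whose binary lives there) is the combination worth paging on.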