
Published on March 6th, 2020

Emotet Actively Using Upgraded WiFi Spreader to Infect Victims

Emotet’s authors have upgraded the malware's Wi-Fi spreader by making it a fully-fledged module and adding new functionality as shown by samples recently spotted in the wild.

We previously reported that Emotet is now capable of spreading to new victims connected to nearby insecure wireless networks using a Wi-Fi worm module.

The recent updates to the module come after the same stand-alone spreader version was used by the Emotet gang for at least two years with no noticeable changes, as researchers at Binary Defense show in a report shared with BleepingComputer earlier this week.

The upgraded Wi-Fi worm module is also already being used in the wild, according to the Binary Defense researchers who spotted it.

A researcher found evidence of the Emotet Wi-Fi spreader being used to spread throughout one of his client's networks, as Binary Defense threat researcher and Cryptolaemus contributor James Quinn told BleepingComputer.

New Emotet Wi-Fi spreader functionality

Besides converting it from a stand-alone binary into a malware module, the Emotet developers also updated the spreader with more verbose debugging and made changes that, in theory, could allow it to deliver other payloads besides the loader, which was the only payload the previous spreader version was known to deliver.

The spreader is now also capable of brute-forcing ADMIN$ shares on targeted networks when it fails to brute-force a device's C$ share.

"Additionally, before the spreader attempts to brute-force C$/ADMIN$, it attempts to download, from a hardcoded IP, the service binary that it installs remotely," Binary Defense explains. "If this download fails, it sends the debug string 'error downloading file' before quitting."

The malware's authors have also tweaked the service.exe binary used to drop Emotet on infected devices, now downloading the loader from the command-and-control (C&C) server and saving it on the compromised computer as firefox.exe, thus making sure that the latest loader version is being deployed.

This method is also used by Emotet developers "to avoid detections that may flag off the Emotet loader, but not the service executable."
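Both behaviours described above, repeated failed logons against C$/ADMIN$ administrative shares from one source and a loader dropped as firefox.exe outside the browser's install directory, leave traces in Windows security logging. The script below is an added example written for this article, not code from the original piece or from Binary Defense: it parses a handful of constructed, flattened Windows security-event lines (event 4625 failed logon, 5140 network share accessed, 4688 process created) and flags both indicators. The log format, IP addresses, hostnames, file paths, parent process name, the 60-second window and the failure threshold are all assumptions; event 5140 in particular only appears when the "Audit File Share" policy is enabled.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real telemetry), one Windows security
# event per line, flattened to "timestamp Key=Value Key=Value ...":
#   4625 = an account failed to log on (LogonType 3 = network logon)
#   5140 = a network share object was accessed
#   4688 = a new process was created
SAMPLE_LOG = r"""
2020-03-05T10:14:00Z EventID=4625 SourceIP=192.168.1.57 TargetUser=Administrator LogonType=3
2020-03-05T10:14:01Z EventID=4625 SourceIP=192.168.1.57 TargetUser=Administrator LogonType=3
2020-03-05T10:14:02Z EventID=4625 SourceIP=192.168.1.57 TargetUser=Administrator LogonType=3
2020-03-05T10:14:03Z EventID=4625 SourceIP=192.168.1.57 TargetUser=Administrator LogonType=3
2020-03-05T10:14:04Z EventID=4625 SourceIP=192.168.1.57 TargetUser=Administrator LogonType=3
2020-03-05T10:14:05Z EventID=5140 SourceIP=192.168.1.57 ShareName=\\*\ADMIN$ AccountName=Administrator
2020-03-05T10:20:00Z EventID=4625 SourceIP=192.168.1.10 TargetUser=jsmith LogonType=3
2020-03-05T10:31:00Z EventID=4625 SourceIP=192.168.1.10 TargetUser=jsmith LogonType=3
2020-03-05T10:14:30Z EventID=4688 Computer=WS-12 NewProcessName=C:\Users\Public\firefox.exe ParentProcessName=C:\Windows\service.exe
2020-03-05T10:16:00Z EventID=4688 Computer=WS-07 NewProcessName=C:\Program Files\Mozilla Firefox\firefox.exe ParentProcessName=C:\Windows\explorer.exe
"""

LINE_RE = re.compile(r"^(\S+)\s+(.*)$")
# A value runs up to the next " Key=" token or end of line, so paths with spaces survive.
KV_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")

ADMIN_SHARES = {"C$", "ADMIN$"}
# Assumed allowlist of directories where a legitimate firefox.exe is expected.
EXPECTED_FIREFOX_DIRS = (
    r"c:\program files\mozilla firefox",
    r"c:\program files (x86)\mozilla firefox",
)


def parse_event(line):
    """Turn one flattened event line into a dict; returns None for blank/malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, rest = m.groups()
    event = dict(KV_RE.findall(rest))
    event["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    event["EventID"] = int(event.get("EventID", 0))
    return event


def parse_log(text):
    return [e for e in (parse_event(l) for l in text.splitlines()) if e]


def detect_share_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Flag source IPs with >= threshold failed network logons inside any `window`,
    and record whether the same source afterwards reached a C$ or ADMIN$ share."""
    failures = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625 and e.get("LogonType") == "3":
            failures[e["SourceIP"]].append(e["time"])

    alerts = {}
    for src, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted failure times
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[src] = {"failed_logons": len(times), "reached_admin_share": False}
                break

    for e in events:
        if e["EventID"] == 5140 and e.get("SourceIP") in alerts:
            share = e.get("ShareName", "").rsplit("\\", 1)[-1]   # \\*\ADMIN$ -> ADMIN$
            if share in ADMIN_SHARES:
                alerts[e["SourceIP"]]["reached_admin_share"] = True
    return alerts


def detect_dropped_firefox(events):
    """Return process-creation events where firefox.exe starts outside its usual install directory."""
    hits = []
    for e in events:
        if e["EventID"] != 4688:
            continue
        path = e.get("NewProcessName", "")
        directory, _, name = path.rpartition("\\")
        if name.lower() == "firefox.exe" and directory.lower() not in EXPECTED_FIREFOX_DIRS:
            hits.append({"host": e.get("Computer"), "path": path,
                         "parent": e.get("ParentProcessName")})
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("share brute-force:", detect_share_bruteforce(evs))
    print("dropped firefox.exe:", detect_dropped_firefox(evs))
```

On the constructed input the first detector flags only 192.168.1.57 (five failures within a few seconds, followed by access to ADMIN$), while the two spaced-out failures from 192.168.1.10 stay below the threshold; the second detector reports the firefox.exe launched from C:\Users\Public by service.exe and ignores the copy in the normal install directory. In a real environment the thresholds and the allowlist would need tuning to the estate's own baseline.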

Spreader bruteforcing shares
Image: Binary Defense

Binary Defense's research team also observed while analyzing the new Emotet samples that the binary used to deliver the loader and the spreader both featured the loader's hardcoded download URL within their strings, pointing at a previous Emotet version where their functionality was combined within a single binary.

The Emotet authors have also slightly altered the spreader's logging capabilities allowing its operators "to get step-by-step debugging logs from infected victims through the use of a new communication protocol."

This new comms protocol uses two PHP POST arguments delivering info on the bots' MachineGUID and debug strings generated by the malware during runtime.

The Emotet Wi-Fi spreader module updates are a sign that the malware's authors are now also focusing on adding new infection vectors for their malware loader, beyond the usual malicious documents delivered to targets via massive spam campaigns.

With the new focus on the spreader, Emotet's authors are on a straight path to developing an even more capable and dangerous Wi-Fi worm module that will most likely be spotted more and more by both researchers and victims while actively in the wild.

Emotet's Wi-Fi spreader in action
Emotet's Wi-Fi spreader in action (Binary Defense)

Emotet infections can lead to serious consequences

Emotet was originally a banking trojan, first spotted in 2014, that has since evolved into a malware loader used to install various other malware families, including the Trickbot banking Trojan (a known vector for delivering Ryuk ransomware payloads).

In late January, the malware was delivered in a malspam campaign that used the Coronavirus global health crisis as bait.

Also in January, the Cybersecurity and Infrastructure Security Agency (CISA) warned of increased activity related to targeted Emotet attacks.

The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) also issued a warning on the dangers posed by Emotet attacks, saying that the malware "provides an attacker with a foothold in a network from which additional attacks can be performed, often leading to further compromise through the deployment of ransomware."

Emotet infection chain
Emotet infection chain (CISA)

According to CISA, Emotet infections can lead to very serious outcomes if not immediately addressed including:

• temporary or permanent loss of sensitive or proprietary information,
• disruption to regular operations,
• financial losses incurred to restore systems and files, and
• potential harm to an organization’s reputation.

ACSC provides technical advice on Emotet with best practices to defend against infections, just as CISA does in the Emotet Malware alert issued earlier this year.

Emotet ranked first in a 'Top 10 most prevalent threats' ranking from interactive malware analysis platform Any.Run in December 2019, head and shoulders above the next entry in the list, the Agent Tesla info-stealer, with triple the number of sample uploads submitted for analysis.

More details on Emotet's upgraded Wi-Fi spreader, malware sample hashes, and YARA and SURICATA rules for threat detection are available in the Binary Defense report.
