Emotet has found a new offensive vector: using already compromised computers to identify new victims on nearby Wi-Fi networks, on top of the botnet-driven spam campaigns and ransomware attacks it is already known for. The newly discovered Emotet sample uses a "Wi-Fi spreader" module to scan for wireless networks and then attempts to infect the devices connected to them, according to researchers at Binary Defense. The cybersecurity company reports that the Wi-Fi spreader carries an April 16, 2018 timestamp, which suggests that this spreading activity went "unnoticed" for nearly two years before it was first detected last month.
This capability marks an expansion of Emotet's reach, as networks physically close to the original victim are now also vulnerable to infection.
How does Emotet's Wi-Fi spreader work?
The updated malware version lists all Wi-Fi networks within range of an already compromised host. It uses the Windows wlanAPI interface to extract each network's SSID, signal strength, authentication method (WPA or WEP) and encryption mode. With this information for every network in hand, the worm attempts to log on to the networks by brute force, using passwords from one of two internal password lists. If a connection attempt fails, the next password in the list is tried. How these password lists were compiled is not immediately clear.
Once a connection succeeds, the malware joins the compromised computer to the newly accessed network and enumerates all non-hidden shares. It then performs a second round of brute-force attacks to guess the usernames and passwords of the users connected to those network resources. After successfully brute-forcing credentials, the worm moves to the next stage: it installs a malicious payload, known as "service.exe", on the newly infected remote systems. A service named Windows Defender System Service (WinDefService) is created so that the payload keeps running.
This software acts as a dropper: it runs the Emotet binary on the infected host and communicates with the command-and-control (C2) server. Because Emotet can hop from one Wi-Fi network to another, organizations should protect their networks with strong passwords so that unauthorized access is not possible. The malware can also be detected by continuously monitoring for processes running from temporary folders and application data folders inside the user profile.
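The indicators this section names (a dropper called "service.exe", a service registered as Windows Defender System Service / WinDefService, and binaries running from temp or application data folders in the user profile) can be turned into simple detection logic. The following is an added example, not code from the original post or from Binary Defense; the event records are constructed samples and their field names are an assumption about the telemetry format.

```python
import re

# Constructed sample of service-install and process-start events, modelled on
# the behaviour described above. These are not real telemetry records.
SAMPLE_EVENTS = [
    {"type": "service_install", "name": "WinDefService",
     "display": "Windows Defender System Service",
     "image": r"C:\Users\alice\AppData\Local\Temp\service.exe"},
    {"type": "process_start", "user": "SYSTEM",
     "image": r"C:\Windows\System32\svchost.exe"},
    {"type": "process_start", "user": "bob",
     "image": r"C:\Users\bob\AppData\Roaming\update\loader.exe"},
    # The genuine Defender service, included so the rules do not flag it.
    {"type": "service_install", "name": "WinDefend",
     "display": "Microsoft Defender Antivirus Service",
     "image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe"},
]

# Temp and application data folders beneath a user profile, as singled out
# in the text above as the place to watch for processes starting.
USER_PROFILE_DIRS = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(appdata\\(local\\temp|local|roaming)|temp)\\",
    re.IGNORECASE,
)

# Names the article attributes to the dropper and its persistence service.
SUSPECT_SERVICE_NAMES = {"windefservice"}
SUSPECT_DISPLAY_NAMES = {"windows defender system service"}
SUSPECT_IMAGE_NAMES = {"service.exe"}


def runs_from_user_profile(image):
    """True if the executable path lies in a user temp/appdata folder."""
    return USER_PROFILE_DIRS.match(image) is not None


def classify(event):
    """Return the list of reasons an event looks like the Wi-Fi spreader."""
    reasons = []
    image = event.get("image", "")
    if runs_from_user_profile(image):
        reasons.append("image in user temp/appdata folder")
    if event.get("type") == "service_install":
        name = event.get("name", "").lower()
        display = event.get("display", "").lower()
        if name in SUSPECT_SERVICE_NAMES or display in SUSPECT_DISPLAY_NAMES:
            reasons.append("service name mimics Windows Defender")
        if image.rsplit("\\", 1)[-1].lower() in SUSPECT_IMAGE_NAMES:
            reasons.append("dropper binary named service.exe")
    return reasons


def find_suspicious(events):
    """Pair each flagged event with the reasons it was flagged."""
    return [(e, classify(e)) for e in events if classify(e)]
```

The genuine Defender service record is included to show that the rules key on the spoofed name and the user-profile path, not on the word "Defender" alone.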
Emotet: From banking trojan to malware loader.
Emotet, first documented as a banking trojan in 2014, has evolved from those origins into a "Swiss Army Knife" of malware. Over the years it has also become a popular delivery mechanism for ransomware. The IT network of Lake City was crippled last June after an employee opened a malicious email that installed the Emotet trojan, which in turn downloaded the TrickBot trojan and Ryuk ransomware.
While Emotet-driven campaigns largely disappeared over the summer of 2019, it made a comeback in September with "geographically targeted mailings, mostly financially themed, using malicious document attachments or similar documents that installed Emotet when users enabled macros." "If networks use insecure passwords, Emotet can use this loader type to propagate via nearby wireless networks."