Emotet trojan now spreads through WiFi connections


Emotet is one of the top malware threats, both by volume and by the risk it poses. Until now, Emotet entered a company when a careless employee opened an infected Office document received by email.

Once a host is infected, Emotet downloads additional modules in order to spread laterally inside the network.

Until now this "lateral movement" was limited: Emotet was normally found only on computers and servers on the same network as the initial victim.

Companies with proper network segmentation were able to limit the reach of an Emotet infection to a few departments or even just a few computers.

Now, according to security researchers at BinaryDefense, an Emotet module can, under certain circumstances, jump the WiFi gap to nearby networks.

The new Emotet module, named "WiFi spreader", does not guarantee a 100% infection rate, because it depends on the targeted WiFi networks using weak passwords. But it opens a new attack vector that the Emotet gang can exploit to extend their reach beyond the company already infected.

So computers infected with Emotet are a danger not only to the infected company's own internal network, but also to the networks of any nearby companies within WiFi range of the original victim.

If anyone near you gets infected with Emotet and you use a simple password for your WiFi, there is a high chance of your network getting infected as well.

The WiFi spreader's modus operandi is as follows:

  • Emotet infects a host.
  • Emotet downloads and runs the WiFi spreader module.
  • The WiFi spreader module enumerates the WiFi-capable devices on the host (usually the WLAN NIC).
  • The module extracts a list of all WiFi networks within range of the host.
  • The WiFi spreader performs a brute-force attack against each WiFi network, using two internal lists of easy-to-guess passwords.
  • If the brute-force attack succeeds, the WiFi spreader has direct access to another network, but no foothold yet on any server or workstation on that network.
  • The WiFi spreader then moves to a second brute-force attack, attempting to guess the usernames and passwords of servers and computers connected to that WiFi network.
  • If this succeeds, Emotet gains a foothold on the second network and the infection cycle begins again, with Emotet having jumped the gap between two networks via a WiFi connection.
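The first brute-force stage above depends entirely on how cheap it is to test a guessed WiFi passphrase. The following is an added example written for this article, not code from BinaryDefense's analysis or from the Emotet module itself: it models that stage offline with the standard WPA2-Personal key derivation (PBKDF2-HMAC-SHA1 over the passphrase and SSID, 4096 iterations), whereas the real module makes live connection attempts against each network. The SSID and the wordlist are constructed for the demonstration and stand in for the module's "two internal lists of easy-to-guess passwords"; `audit_psk` is a defender-side helper that answers the only question that matters here, namely whether your own PSK would fall to such a list.

```python
import hashlib
import hmac
import time

# Constructed sample input (not from the article): an SSID and a short list of
# easy-to-guess passphrases of the kind the article says the module carries.
SSID = "CorpGuest"
WEAK_PASSPHRASES = [
    "12345678", "password", "qwertyuiop", "letmein123",
    "admin1234", "CorpGuest1", "welcome1", "iloveyou",
]


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal Pairwise Master Key (IEEE 802.11i):
    PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    The access point and every client derive the same PMK from the shared
    passphrase, so anyone who guesses the passphrase can reproduce it."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def dictionary_attack(target_pmk: bytes, ssid: str, wordlist) -> tuple:
    """Stage one of the spreader, modelled offline: derive the PMK for every
    candidate passphrase and compare it with the network's real PMK.
    Returns (recovered_passphrase_or_None, number_of_attempts)."""
    attempts = 0
    for candidate in wordlist:
        attempts += 1
        if hmac.compare_digest(wpa2_pmk(candidate, ssid), target_pmk):
            return candidate, attempts
    return None, attempts


def audit_psk(passphrase: str, ssid: str, wordlist=WEAK_PASSPHRASES) -> dict:
    """Defender's check (hypothetical helper): would this network fall to the
    wordlist? Also reports the cost per guess so a real list can be sized."""
    start = time.perf_counter()
    recovered, attempts = dictionary_attack(wpa2_pmk(passphrase, ssid), ssid, wordlist)
    elapsed = time.perf_counter() - start
    return {
        "ssid": ssid,
        "cracked": recovered is not None,
        "attempts": attempts,
        "seconds_per_guess": elapsed / attempts,
    }


if __name__ == "__main__":
    # A dictionary word falls within a handful of guesses; a long random
    # passphrase survives the whole list.
    for psk in ("letmein123", "Tz7#q!9vLm2&pR4dWx0s"):
        print(audit_psk(psk, SSID))
```

Each guess costs one PBKDF2 derivation, which a single CPU core performs thousands of times per second, so a list of a few million common passwords is exhausted in minutes; the only passphrases that survive are long random ones that no list contains.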

BinaryDefense states that the WiFi spreader does not work on Windows XP SP2 and Windows XP SP3, as the module uses newer Windows functions that those versions lack.

They also found that the module was developed almost two years ago, but was not deployed, or at least not detected, until recently.

The new Emotet module is significant on several levels: WiFi security, shared working spaces, and incident response (IR) investigations.

WiFi security:

System administrators use separate WiFi networks to segment parts of their networks into different sections while keeping internet connectivity available to all employees.

Companies must stop using simple WiFi passwords at their premises. The Emotet trojan can easily move to nearby networks if those networks do not use a complex password.
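To make the advice concrete, here is an added configuration example (written for this article, not taken from BinaryDefense or from any vendor's documentation) showing a WPA2-Personal access point as configured by hostapd with a guessable passphrase, followed by the two hardened alternatives: a 64-hex-digit random PSK that no wordlist contains, or WPA2-Enterprise (802.1X/EAP) with per-user credentials so that there is no shared passphrase to guess at all. The SSID, interface name and RADIUS address are assumed values.

```ini
# /etc/hostapd/hostapd.conf, weak: the PSK is a dictionary word and falls to
# the spreader's first brute-force stage.
interface=wlan0
ssid=CorpGuest
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=password

# /etc/hostapd/hostapd.conf, hardened option A: keep WPA2-Personal but replace
# the human-chosen passphrase with a random 256-bit PSK given directly as
# 64 hex digits (generate it with: openssl rand -hex 32).
interface=wlan0
ssid=CorpGuest
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_psk=<64 hex digits from openssl rand -hex 32>

# /etc/hostapd/hostapd.conf, hardened option B: WPA2-Enterprise. Clients
# authenticate with individual credentials against a RADIUS server, so a
# password-list attack on the network itself has nothing to guess.
interface=wlan0
ssid=CorpStaff
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
auth_server_addr=10.0.0.5
auth_server_port=1812
auth_server_shared_secret=<random secret shared with the RADIUS server>
```

Option A closes the gap the article describes at no infrastructure cost; option B additionally removes the single shared secret that every laptop and every ex-employee knows.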

Shared working spaces:

Companies working in large office buildings, where they are within range of other companies' WiFi networks, are now at risk. For example, if company A gets infected with Emotet and is within range of company B's WiFi network, company B is now at risk of getting infected with Emotet as well.

IR investigations:

Having Emotet enter a network via WiFi will complicate many incident response investigations, because the infection no longer starts with an email received by one of the victim's own employees.

To defend against Emotet's new WiFi module, BinaryDefense advises companies to secure their WiFi networks with strong passwords.

Priyanka R
Cyber Security Enthusiast, Security Blogger, Technical Editor, Author at Cyber Safe News
