Emotet trojan evolves to spread via WiFi connections

Security firm discovers what appears to be one of Emotet's most dangerous modules.

router-wifi.jpg

Without a doubt, the Emotet trojan is today's top malware threat, in both terms of quantity (due to its huge spam campaigns) and risk (due to its known history of allowing ransomware gangs to buy themselves access to infected networks).

Historically, Emotet has worked by getting a foothold inside a company after careless employees open boobytrapped Office documents they receive via email.

Once they get infected, the Emotet trojan downloads various modules in order to spread laterally inside a network.

For the past years, this "lateral movement" has been limited, with Emotet being confined to computers and servers that are found on the same network, only.

Companies that implemented proper network segmentation would often be able to limit the reach of an Emotet attack to a few departments or just a few computers.

Emotet gets a WiFi spreader

However, in a blog post published last week, security researchers at BinaryDefense have made a pretty important discovery that's surely to give many system administrators headaches for the foreseeable future -- namely an Emotet module that under certain circumstances can jump the WiFi gap to nearby networks.

The new Emotet "WiFi spreader" module (as it was called) does not guarantee an 100% infection rate, as it relies on users utilizing weak passwords for their WiFi networks, however, it opens a new attack vector inside infected companies that the Emotet gang can exploit to maximize their reach.

This means that computers infected with Emotet are now a danger not only for the infected company's own internal network, but also to the networks of any nearby companies that are in the original victim's physical proxmity.

If someone close to you got infected with Emotet and you're using a dumb password for your WiFi, than there could be a chance you could get an unwanted present from your neighbor in the form of an Emotet infection.

Before moving forward with some interesting observations regarding this module's importance and what it means to companies, we'll summarize the WiFi spreader's modus operandi:

  • Emotet infects a host
  • Emotet downloads and runs the WiFi spreader module
  • WiFi spreader module lists all Wi-Fi devices enabled on the host (usually the WLAN NIC)
  • Module extracts list of all locally reachable WiFi networks
  • WiFi spreader performs a brute-force attack on each WiFi network by using two internal lists of easy-to-guess passwords.
  • If the brute-force attack succeeds, the Emotet WiFi spreader now has direct access to another network, but no foothold on any servers or workstations on that network.
  • The WiFi spreader moves into a second brute-force attack attempting to guess the usernames and passwords of servers and computers connected to this WiFi network.
  • If this second brute-force attack succeeds, Emotet gains a foothold on a second network, and the Emotet infection cycle begins from scratch, with Emotet successfully jumping the gap between two networks via a WiFi connection.
emotet-wifispreader.png

Image: BinaryDefense

According to BinaryDefense, the WiFi spreader doesn't work on Windows XP SP2 and Windows XP SP3, primarily due to the module using some newer functions.

BinaryDefense says the WiFi spreader has a timestamp of April 16, 2018, suggesting it was developed almost two years ago, but was never widely deployed or detected until recently, when they first picked it up.

Considerations for companies

The discovery of this new Emotet module is big news, on a number of levels -- such as WiFi security, shared working spaces, and incident response (IR) investigations.

WiFi security:

System administrators often use WiFi networks to segment parts of their networks into different sections, but still keep internet connectivity available for all employees.

This new Emotet module means companies can't run WiFi networks with simplistic passwords inside their headquarters anymore. If the Emotet gang decides to deploy its WiFi spreader module, they can jump to nearby networks if those networks don't use a complex password.

Shared working spaces:

Not all companies can afford their own headquarters. Companies working in large office buildings, where they are in the reach of other WiFi networks, are now at risk.

If company A gets infected with Emotet and the infected computer is in the range of company B's WiFi network, company B is now at risk of getting infected with Emotet, even if their employees never got infected with Emotet directly.

IR investigations:

Having Emotet dropped on your network via WiFi willl most likely complicate many incident response investigations. WiFi is not a traditional attack vector for Emotet, nor for many other malware strains.

In many cases, companies use simplistic passwords for internal WiFi networks because they know only employees will be in reach to access them. Companies may not be aware that they need to use more complex WiFi hotspot passwords to prevent future Emotet intrusions.


Although a BinaryDefense resercher was not available for comment, the security vendor was pretty clear in its report last week when it said that Emotet got a major boost in attack capabilities.

BinaryDefense warns companies to take precautions by securing WiFi networks with strong passwords, as this is the easiest way to defend against Emotet's new WiFi module.