Date: 2020-02-13

Emotet has evolved. And that is not good. The worm is catching security watchers’ attention this month as a Wi-Fi network exploit. It hops. It spreads. The triggers are insecure passwords on routers and Windows PCs.

In particular, according to its discoverers, it is a “new type of loader that uses the wlanAPI interface to list all the Wi-Fi networks in the area, and then tries to spread to those networks, infecting all devices that it can access in the process.”

Paul Wagenseil, a senior editor covering security at Tom’s Guide, was one of several writers who followed this “newly found variant of the dreaded Emotet Trojan”.

Why did Wagenseil describe it as dreaded? “Emotet is an all-rounder of malware that started out as a banking trojan in 2014,” he wrote, “but later added the ability to steal personal information, install ransomware, build botnets, and download other pieces of malware.”

The security company Binary Defense identified the variant. According to Binary Defense, “this newly discovered type of loader used by Emotet introduces a new threat vector to Emotet’s capabilities. In the past, it was thought that Emotet only spread through spam and infected networks, but this type of loader can spread through nearby wireless networks if the networks use insecure passwords.”

While Wagenseil called it dreaded, James Quinn, malware analyst at Binary Defense, gave even more reasons to take note of Emotet’s capabilities:

“Emotet is a sophisticated trojan that commonly also serves as a loader for other malware. A key functionality of Emotet is its ability to deliver custom modules or plugins that are suited for specific tasks, including the theft of Outlook contacts or spreading over a LAN.”

And Sergiu Gatlan at BleepingComputer on February 7 offered further reminders. “The Emotet Trojan ranked first among the top 10 most common threats compiled by the Any.Run interactive malware analysis platform in late December,” he wrote, “with triple the number of uploads for analysis of the next malware family in their top, the Agent Tesla info-stealer.”

Gatlan also reported that the Cybersecurity and Infrastructure Security Agency (CISA) issued a warning “about increasing activity related to targeted Emotet attacks … and recommending administrators and users to check the Emotet malware warning for guidance”.

Binary Defense found that the Wi-Fi propagation behavior had gone unnoticed for almost two years.

How can that be?

TechRadar’s Anthony Spadafora gave two reasons: (1) the binary was rarely dropped. He wrote: “According to Binary Defense, January 23, 2020 was the first time the company observed the file being delivered by Emotet, even though it had been included in the malware since 2018.” (2) Its ability to persist undetected may be because “the module showed no propagation behavior on the virtual machines and automated sandboxes without Wi-Fi cards that researchers use to analyze new types of malware”.

Tom’s Guide provided a detailed overview of how Emotet works.

Once Emotet is installed on a PC, “worm.exe” checks how many Wi-Fi networks are within range. This step fails on Windows XP, but not on later versions of Windows. Emotet then tries to crack the access passwords for any nearby Wi-Fi network “by pulling them one at a time from a precompiled list of likely passcodes until one works”.

Then the spreading begins:

“Once access to a network was granted, Emotet sends the network name and password of the newly cracked network to its command and control server and appears to add the information to a main list of hacked Wi-Fi networks.

“Then the malware deletes the existing Wi-Fi connection of the host PC and connects the PC to the newly cracked network. Emotet then searches for connected Windows computers. It then tries to brute-force the Windows usernames and user passwords on each newly infected computer, drawing from another precompiled list of likely text strings.”

Wagenseil said that in addition to weak Wi-Fi passwords, Emotet also arrives through infected email attachments.

Quinn’s closing comments in his Binary Defense write-up included advice on using strong passwords to secure wireless networks so that malware like Emotet cannot gain unauthorized access to the network.

Quinn also underlined detection strategies for this threat, which would include “actively monitoring endpoints for newly installed services and investigating suspicious services or processes running from temporary folders and user profile application data folders.” He also said that network monitoring is an effective detection method “because the communication is unencrypted and there are recognizable patterns that identify the content of malware messages.”
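As an added illustration of the endpoint side of that advice (this is example code written for this page, not Binary Defense’s or the article’s own tooling), the script below scans a constructed, simplified export of Windows event logs for newly installed services (event 7045) and process creations (event 4688) whose image lives in a temp folder or a user-profile AppData folder. The one-line "timestamp|event_id|host|field=value;..." format and the sample lines are assumptions made up for the demo.

```python
# Constructed sample log export (not real Emotet telemetry). Each line:
# timestamp|event_id|host|key=value;key=value
# 7045 = new service installed (System log), 4688 = process creation (Security log).
SAMPLE_LOG = r"""
2020-01-23T10:02:11|7045|WS-01|ServiceName=WindowsUpdateHelper;ImagePath=C:\Users\alice\AppData\Local\Temp\worm.exe
2020-01-23T10:02:15|4688|WS-01|NewProcessName=C:\Users\alice\AppData\Roaming\svc\service.exe;ParentProcessName=C:\Windows\System32\services.exe
2020-01-23T10:03:40|4688|WS-01|NewProcessName=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE;ParentProcessName=C:\Windows\explorer.exe
2020-01-23T10:05:02|7045|WS-02|ServiceName=Spooler;ImagePath=C:\Windows\System32\spoolsv.exe
"""

# User-writable locations singled out in Quinn's detection advice
# (temporary folders and user profile application data folders), lower-cased.
SUSPICIOUS_DIRS = (
    "\\appdata\\local\\temp\\",
    "\\appdata\\local\\",
    "\\appdata\\roaming\\",
    "\\windows\\temp\\",
)


def parse_line(line):
    """Split one export line into a dict of its fields (assumed format)."""
    ts, event_id, host, fields = line.split("|", 3)
    kv = dict(f.split("=", 1) for f in fields.split(";"))
    return {"ts": ts, "event_id": int(event_id), "host": host, **kv}


def is_suspicious_path(path):
    """True when the image path sits under a temp or user-profile AppData folder."""
    p = path.lower()
    return any(d in p for d in SUSPICIOUS_DIRS)


def find_alerts(log_text):
    """Return (host, reason, context, image) tuples for events worth investigating."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["event_id"] == 7045 and is_suspicious_path(ev["ImagePath"]):
            alerts.append((ev["host"], "new service from user-writable dir",
                           ev["ServiceName"], ev["ImagePath"]))
        elif ev["event_id"] == 4688 and is_suspicious_path(ev["NewProcessName"]):
            alerts.append((ev["host"], "process from user-writable dir",
                           ev["ParentProcessName"], ev["NewProcessName"]))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(" | ".join(alert))
```

On the sample data only the service installed from the Temp folder and the process started out of AppData\Roaming are flagged; WINWORD.EXE under Program Files and the Spooler service under System32 pass through.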

