Since its first appearance, Emotet has been one of the most active malware families among cybercriminals, who are constantly developing new versions of it. One of the newest Emotet samples allows the attackers to spread over unsecured Wi-Fi networks located near an infected device, according to network security specialists.
If it finds a nearby Wi-Fi network, Emotet can infect any device connected to it, which gives the malware's developers a large attack surface. This new version of Emotet also includes new evasion techniques used while carrying out malicious activities such as credential theft, trojan deployment, and others.
Although the first records of this wireless-spreading binary date from the beginning of 2020, network security specialists said that the loader carries a timestamp of 16 April 2018, which means this attack vector went unnoticed for almost two years.
This new version of Emotet infects the target device with a self-extracting RAR archive containing the binaries (worm.exe and service.exe) used for spreading over Wi-Fi. Once the RAR archive is decompressed, the worm.exe binary is executed automatically. After execution, the binary begins scanning for other Wi-Fi networks to spread to. Emotet uses the wlanAPI interface, which is used to manage wireless network profiles and connections.
To obtain the Wi-Fi identifiers, the malware calls WlanEnumInterfaces (a function that enumerates the wireless interfaces available on the victim's system). Through it, the malware enumerates the available wireless networks and receives structures containing their details (SSID, signal strength, cipher, authentication method, etc.).
When it has finished gathering data on every network it found, Emotet runs a "brute force loop" to gain access to the targeted networks; if it cannot establish a connection to the current network, the loop moves on to the next one. Network security experts have not yet discovered how the attackers obtained the password list, though it may be the product of a data breach.
If it finds the correct password and establishes the connection, the malware sleeps for around 15 seconds before sending an HTTP POST to the attacker's C&C server and finalizing the Wi-Fi network connection. Finally, the embedded Emotet executable is dropped, and the malware begins infecting every device it can reach.
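From the defender's side, the brute-force loop described above leaves a characteristic trace: one client generating many pre-shared-key failures against several SSIDs within seconds. The following detection logic is an added example, not code from the article or from the researchers who analysed the sample; it assumes a constructed, hypothetical access-point log format (`AUTH-FAIL`/`AUTH-OK` lines with `ssid=` and `client=` fields), not any real vendor's format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical AP log format (not a real vendor's):
# "<ISO timestamp> AUTH-FAIL|AUTH-OK ssid=<name> client=<MAC> [reason=<text>]"
SAMPLE_LOG = """\
2020-02-10T09:00:01 AUTH-FAIL ssid=Office-5G client=aa:bb:cc:dd:ee:01 reason=bad-psk
2020-02-10T09:00:03 AUTH-FAIL ssid=Office-5G client=aa:bb:cc:dd:ee:01 reason=bad-psk
2020-02-10T09:00:05 AUTH-FAIL ssid=Office-5G client=aa:bb:cc:dd:ee:01 reason=bad-psk
2020-02-10T09:00:07 AUTH-FAIL ssid=Guest client=aa:bb:cc:dd:ee:01 reason=bad-psk
2020-02-10T09:00:09 AUTH-FAIL ssid=Guest client=aa:bb:cc:dd:ee:01 reason=bad-psk
2020-02-10T09:00:11 AUTH-FAIL ssid=Lab-IoT client=aa:bb:cc:dd:ee:01 reason=bad-psk
2020-02-10T09:00:13 AUTH-OK ssid=Lab-IoT client=aa:bb:cc:dd:ee:01
2020-02-10T09:30:00 AUTH-FAIL ssid=Office-5G client=aa:bb:cc:dd:ee:02 reason=bad-psk
2020-02-10T09:45:00 AUTH-FAIL ssid=Office-5G client=aa:bb:cc:dd:ee:02 reason=bad-psk
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>AUTH-FAIL|AUTH-OK) ssid=(?P<ssid>\S+) client=(?P<mac>\S+)")

def parse_log(text):
    """Yield (timestamp, event, ssid, mac) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["event"], m["ssid"], m["mac"]

def find_guessing_clients(text, window=timedelta(minutes=5), min_failures=5, min_ssids=2):
    """Return {mac: summary} for clients whose failures look like a password-guessing loop:
    many PSK failures across several SSIDs inside a short window. A user mistyping one
    password (few failures, one SSID, spread over time) is not flagged."""
    fails = defaultdict(list)        # mac -> [(ts, ssid)], sorted below
    joined_after = defaultdict(set)  # mac -> SSIDs successfully joined after failing
    for ts, event, ssid, mac in parse_log(text):
        if event == "AUTH-FAIL":
            fails[mac].append((ts, ssid))
        elif mac in fails:
            joined_after[mac].add(ssid)
    flagged = {}
    for mac, events in fails.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding window over this client's failures
            while events[end][0] - events[start][0] > window:
                start += 1
            run = events[start:end + 1]
            ssids = {s for _, s in run}
            best = flagged.get(mac)
            if len(run) >= min_failures and len(ssids) >= min_ssids \
                    and (best is None or len(run) > best["failures"]):
                flagged[mac] = {"failures": len(run), "ssids": sorted(ssids),
                                "joined_after": sorted(joined_after[mac])}
    return flagged
```

The `joined_after` field is the most useful pivot: a client that succeeded on an SSID only after a burst of failures is the one worth isolating and investigating.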
Cybersecurity experts from the International Institute of Cyber Security (IICS) say that one of the main protections against a possible Emotet infection is the use of strong Wi-Fi passwords, because the password list used by the attackers most likely consists of common default and everyday passwords for Wi-Fi devices.