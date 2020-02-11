Undoubtedly, the Emotet Trojan is the biggest malware threat today, both in terms of quantity (thanks to its huge spam campaigns) and in terms of risk (thanks to its well-known history of handing ransomware gangs access to infected networks).

Historically, Emotet has gained its foothold in a company after careless employees open booby-trapped Office documents that arrive by email.

Once a host is infected, the Emotet trojan downloads several modules to spread laterally within the network.

Until now, this lateral movement has been confined to computers and servers on the same network as the infected host.

Companies with good network segmentation can therefore often limit the scope of an Emotet attack to a few departments or just a few computers.

Emotet gets a WiFi spreader

In a blog post published last week, however, security researchers from BinaryDefense reported a significant discovery that will give many system administrators a headache for the foreseeable future: an Emotet module that, under certain circumstances, can bridge the gap to nearby WiFi networks.

The new "WiFi Spreader" module (as it has been named) does not guarantee infection, since it relies on victims using weak passwords for their WiFi networks, but it opens a new attack vector that the Emotet gang can exploit to maximize its reach.

This means that computers infected with Emotet now pose a danger not only to the infected company's own internal network, but also to the networks of other companies in the physical vicinity of the original victim.

If someone near you becomes infected with Emotet and your WiFi uses a weak password, there is a chance that you will receive an unwanted gift from your neighbor in the form of an Emotet infection.

Before we get to some comments on the importance of this module and what it means for companies, here is a summary of the WiFi spreader's modus operandi:

Emotet infects a host

Emotet downloads and runs the WiFi spreading module

The WiFi spreading module enumerates all enabled Wi-Fi devices on the host (usually the WLAN NIC)

The module retrieves a list of all Wi-Fi networks within range

The WiFi spreader brute-forces each WiFi network using two internal lists of easily guessable passwords.

If the brute-force attack succeeds, the Emotet WiFi spreader has direct access to another network, but not yet a foothold on any server or workstation on that network.

The WiFi spreader then launches a second brute-force attack, attempting to guess the usernames and passwords of servers and computers connected to that Wi-Fi network.

If this second brute-force attack succeeds, Emotet gains a foothold in the second network and the infection cycle starts all over again, with Emotet having bridged the gap between two networks over a WiFi connection.
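To make the first brute-force step concrete, here is an added example (not code from the BinaryDefense report or from the Emotet module) that derives a WPA2-PSK network key from an SSID and passphrase, runs a dictionary attack against it, and then uses the same attack to audit a passphrase before it is rolled out. The SSID, the wordlist and the mutation rules are constructed for the example. It also goes beyond what the text describes: the module guesses online, trying to associate with the access point once per guess, whereas this check is done offline against the derived key. Only the Python standard library is needed.

```python
import hashlib
import hmac
from typing import Iterable, Iterator, List, Optional, Tuple

# Constructed sample data: an SSID and a short list of easily guessed
# passphrases standing in for the module's internal wordlists. None of this
# is taken from the Emotet module or from the BinaryDefense report.
SSID = "CorpGuest"
COMMON_PASSPHRASES = [
    "password", "12345678", "qwertyui", "admin123", "welcome1",
    "letmein1", "iloveyou", "football", "corpguest", "guest123",
]


def wpa2_pmk(ssid: str, passphrase: str) -> bytes:
    """Derive the WPA2-PSK Pairwise Master Key for a network.

    IEEE 802.11i defines PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32 bytes).
    The SSID is the salt, so every network forces the attacker to redo the work.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA2 passphrase is 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("ascii"), 4096, dklen=32)


def candidate_guesses(wordlist: Iterable[str]) -> Iterator[str]:
    """Yield each base word plus a few mutations (constructed mangling rules)."""
    for word in wordlist:
        for guess in (word, word.capitalize(), word + "1", word + "123", word + "!"):
            if 8 <= len(guess) <= 63:  # the AP would reject anything else
                yield guess


def dictionary_attack(ssid: str, target_pmk: bytes,
                      wordlist: Iterable[str]) -> Tuple[Optional[str], int]:
    """Return (recovered passphrase or None, number of guesses tried).

    The module guesses online, associating with the access point once per
    guess; here the same guesses are checked offline against a known PMK.
    """
    attempts = 0
    for guess in candidate_guesses(wordlist):
        attempts += 1
        if hmac.compare_digest(wpa2_pmk(ssid, guess), target_pmk):
            return guess, attempts
    return None, attempts


def audit_passphrase(ssid: str, passphrase: str,
                     wordlist: Iterable[str]) -> List[str]:
    """Return a list of findings for a configured passphrase (empty means it passed)."""
    findings = []
    if len(passphrase) < 20:
        findings.append("shorter than 20 characters")
    if ssid.lower() in passphrase.lower():
        findings.append("contains the SSID")
    recovered, attempts = dictionary_attack(ssid, wpa2_pmk(ssid, passphrase), wordlist)
    if recovered is not None:
        findings.append(f"recovered by dictionary attack after {attempts} guesses")
    return findings


if __name__ == "__main__":
    for candidate in ("Welcome1", "CorpGuest2019!", "orbit-kettle-saffron-24-umbrella"):
        result = audit_passphrase(SSID, candidate, COMMON_PASSPHRASES)
        print(f"{candidate!r}: {result or 'OK'}")
```

The 4096-iteration PBKDF2 is what makes each offline guess cost something, but it does nothing against a wordlist that already contains the passphrase: the spreader's only constraint is how many association attempts the access point tolerates, so passphrase length and unpredictability, not iteration count, are what keep it out.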

Image: BinaryDefense

According to BinaryDefense, the WiFi spreader does not work on Windows XP SP2 or SP3, mainly because the module uses a number of newer Windows functions.

BinaryDefense says the WiFi spreader carries a timestamp of April 16, 2018, suggesting it was developed almost two years ago, but until they first picked it up recently it had never been widely deployed or detected.

Considerations for companies

The discovery of this new Emotet module is big news on a number of levels, such as Wi-Fi security, shared workspaces and incident response (IR) investigations.

WiFi security:

System administrators often use WiFi networks to segment parts of their infrastructure while still offering internet connectivity to all employees.

With this new Emotet module, companies can no longer get away with simple passwords on the WiFi networks in their offices. If the Emotet gang decides to deploy its WiFi spreading module, it can jump to any nearby network that does not use a complex password.

Shared workspaces:

Not all companies can afford their own building. Companies in large office buildings, where many other WiFi networks are within range, are now at risk.

If company A becomes infected with Emotet and an infected computer is within range of company B's Wi-Fi network, company B now runs the risk of an Emotet infection, even if none of its employees was ever directly infected.

IR investigations:

Emotet arriving on a network via Wi-Fi will probably complicate many incident response investigations. WiFi is not a traditional attack vector for Emotet, nor for most other malware families.

In many cases, companies use simple passwords for internal Wi-Fi networks because they assume only employees are within range. They may not realize that they now need more complex Wi-Fi passwords to prevent future Emotet intrusions.
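Because the guessing runs from the infected machine, the clearest record of it is that machine's own Windows WLAN log. As an added example (not from the BinaryDefense report), the following Python flags a host whose WLAN-AutoConfig log shows a burst of failed connection attempts across several SSIDs, and notes whether a successful connection to one of those SSIDs followed. Event IDs 8002 (failed to connect) and 8001 (connected) are those of Microsoft-Windows-WLAN-AutoConfig/Operational; the pipe-delimited export format, the host names, the SSIDs, the reason texts and the thresholds are constructed for the example, so a real export must first be mapped to these fields. The same logic applies on the target side to a wireless controller's association-failure log, keyed by client MAC instead of host name.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

# Constructed sample export of WLAN-AutoConfig events, one per line as
# time|host|event_id|SSID=...|Reason=...  (8002 = failed to connect,
# 8001 = connected). Hosts, SSIDs and reason texts are invented for this
# example; WS-0077 is a normal reconnect, WS-0142 shows the spreader pattern.
SAMPLE_EVENTS = """\
2020-02-11T09:02:10|WS-0077|8002|SSID=CorpStaff|Reason=The specific network is not available
2020-02-11T09:02:41|WS-0077|8001|SSID=CorpStaff|Reason=
2020-02-11T09:14:03|WS-0142|8002|SSID=CorpGuest|Reason=Authentication failed
2020-02-11T09:14:19|WS-0142|8002|SSID=CorpGuest|Reason=Authentication failed
2020-02-11T09:14:35|WS-0142|8002|SSID=CorpGuest|Reason=Authentication failed
2020-02-11T09:14:52|WS-0142|8002|SSID=CorpGuest|Reason=Authentication failed
2020-02-11T09:15:08|WS-0142|8002|SSID=NeighborNet-5G|Reason=Authentication failed
2020-02-11T09:15:25|WS-0142|8002|SSID=NeighborNet-5G|Reason=Authentication failed
2020-02-11T09:15:41|WS-0142|8002|SSID=NeighborNet-5G|Reason=Authentication failed
2020-02-11T09:15:58|WS-0142|8002|SSID=NeighborNet-5G|Reason=Authentication failed
2020-02-11T09:16:14|WS-0142|8001|SSID=NeighborNet-5G|Reason=
"""


def parse_event(line: str) -> Dict:
    """Split one exported line into a dict with a parsed timestamp."""
    time_s, host, event_id, *pairs = line.strip().split("|")
    fields = dict(pair.split("=", 1) for pair in pairs)
    return {"time": datetime.fromisoformat(time_s), "host": host,
            "event_id": int(event_id), "ssid": fields.get("SSID", "")}


def detect_wifi_bruteforce(lines: Iterable[str],
                           window: timedelta = timedelta(minutes=10),
                           min_failures: int = 8,
                           min_ssids: int = 2) -> List[Dict]:
    """Flag hosts with >= min_failures failed WLAN connections to >= min_ssids
    distinct SSIDs inside a sliding window, and record any SSID from that set
    the host connected to within one window after the burst (a successful guess).
    The thresholds are assumptions; tune them against normal roaming on site."""
    events = sorted((parse_event(l) for l in lines if l.strip()),
                    key=lambda e: e["time"])
    by_host: Dict[str, List[Dict]] = defaultdict(list)
    for event in events:
        by_host[event["host"]].append(event)

    findings = []
    for host, host_events in by_host.items():
        failures = [e for e in host_events if e["event_id"] == 8002]
        start = 0
        for end in range(len(failures)):
            # slide the left edge until the burst fits inside the window
            while failures[end]["time"] - failures[start]["time"] > window:
                start += 1
            burst = failures[start:end + 1]
            ssids = {e["ssid"] for e in burst}
            if len(burst) < min_failures or len(ssids) < min_ssids:
                continue
            last = burst[-1]["time"]
            connected = sorted({e["ssid"] for e in host_events
                                if e["event_id"] == 8001 and e["ssid"] in ssids
                                and last <= e["time"] <= last + window})
            findings.append({"host": host, "failures": len(burst),
                             "ssids": sorted(ssids),
                             "first": burst[0]["time"].isoformat(),
                             "last": last.isoformat(),
                             "connected_to": connected})
            break  # one finding per host is enough to start triage
    return findings


if __name__ == "__main__":
    for finding in detect_wifi_bruteforce(SAMPLE_EVENTS.splitlines()):
        print(finding)
```

A host that connects to one of the SSIDs it had just been failing against is the case to triage first: it marks both a compromised endpoint and a neighbouring network whose passphrase has been guessed, which is exactly the bridge described above.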

Although a BinaryDefense researcher was not available for comment, the security vendor was clear in its report last week that the module gives Emotet a major boost in attack capabilities.

BinaryDefense advises companies to secure their WiFi networks with strong passwords, as this is the simplest defense against Emotet's new WiFi module.