Emotet’s New Module Searches for Victims via Wi-Fi Networks

Delaware, USA – February 10, 2020 – Emotet once again confirms the reputation of “threat number one” in cyberspace: the new self-spreading module allows the malware to connect to Wi-Fi networks and infect more systems. Now we have one more reason not to use free Wi-FI in public places. Researchers at Binary Defense have discovered and analyzed a module that Emotet began delivering since January 23rd, they suggest that it could have been used in attacks for about two years. The module uses wlanAPI.dll calls for spreading, it discovers available wireless networks and can brute-force password-protected ones. After the connection of the infected system to another network, the malicious component searches for Windows machines with non-hidden shares. Then it scans for accounts and attempts to guess the passwords for the retrieved users. If the module succeeds in compromising the system, it drops the service.exe file and installs “Windows Defender System Service” to achieve persistence.

The analyzed module was compiled in April 2018, at about the same time it was uploaded to VirusTotal, but until recently it was not spotted in the wild. Perhaps the reason is that Emotet does not download the module to systems without a Wi-Fi card. The malware periodically goes on vacation, each time returning with an armful of new tricks and massive spam campaigns.

Rules to detect this malware available on Threat Detection Marketplace:
Emotet Trojan detector (Sysmon) – https://tdm.socprime.com/tdm/info/Dg6aXfaxOLWX/
Emotet Process Creation – https://tdm.socprime.com/tdm/info/9U8NXanTx6TC/