While tracking Emotet activity, Binary Defense’s analysts found that Emotet dropped a Wi-Fi spreader that used brute-force password guessing, contained inside a self-extracting RAR file. Inside the RAR file were two files, worm.exe and service.exe, which were used to spread Emotet over Wi-Fi.
Using an internal password list, worm.exe attempts to brute-force access to any nearby Wi-Fi network. If the attempt is successful, worm.exe sends the network name and password to a hard-coded Command and Control (C2) server and then attempts to brute-force access to any computers on the network. For any computer that is successfully accessed, worm.exe will install service and drop service.exe to be executed by the newly-created service. Service.exe contains an embedded Emotet binary, which is dropped and executed, installing Emotet on the remote system.
Analyst Notes
Because the key attack vector for this malware is finding and abusing insecure passwords, Binary Defense recommends using strong passwords for both Wi-Fi networks and user accounts on computers. One of the most effective ways to catch Emotet is to deploy Endpoint Detection and Response products that will help identify Emotet infections before they can spread.
A complete technical explanation of how the malware works will be published on the Binary Defense blog: https://www.binarydefense.com/blog/
