Threat Watch

Share on facebook
Share on twitter
Share on linkedin

Emotet Evolves With Wi-Fi Spreader

While tracking Emotet activity, Binary Defense’s analysts found that Emotet dropped a Wi-Fi spreader that used brute-force password guessing, contained inside a self-extracting RAR file. Inside the RAR file were two files, worm.exe and service.exe, which were used to spread Emotet over Wi-Fi.

Using an internal password list, worm.exe attempts to brute-force access to any nearby Wi-Fi network.  If the attempt is successful, worm.exe sends the network name and password to a hard-coded Command and Control (C2) server and then attempts to brute-force access to any computers on the network. For any computer that is successfully accessed, worm.exe will install service and drop service.exe to be executed by the newly-created service. Service.exe contains an embedded Emotet binary, which is dropped and executed, installing Emotet on the remote system.

ANALYST NOTES

Because the key attack vector for this malware is finding and abusing insecure passwords, Binary Defense recommends using strong passwords for both Wi-Fi networks and user accounts on computers. One of the most effective ways to catch Emotet is to deploy Endpoint Detection and Response products that will help identify Emotet infections before they can spread. A complete technical explanation of how the malware works will be published on the Binary Defense blog: https://www.binarydefense.com/blog/

Contact Support

Please complete the form below and a member of our support team will respond as quickly as possible.