A recent addition to the Emotet botnet, found by Binary Defense, enables this malware to spread through Wi-Fi networks. This differs from previous versions of Emotet where it only targeted local wired networks. The Emotet botnet started off as a banking trojan in 2014. Early on, it spread by email and would resend itself to its victims’ contact lists. Later, the botnet progressed to spreading additional malicious payloads, such as ransomware. Now, it has evolved once again, this time to exploit vulnerable Wi-Fi hotspots. Like many botnets, the criminal hackers behind Emotet can configure it with different modules to do a variety of malicious acts.
Before this update, Emotet already had basic worm-like spreading capabilities. If it detects a connected wired network, it tries to spread to other devices on that network using default passwords or basic password brute-forcing. This updated version, however, includes a new and unique Wi-Fi spreader, which allows the malware to jump onto insecure wireless networks like the ones found at many public Wi-Fi hotspots.
Here’s how it works:
- Emotet leverages the victim’s wireless adapter to enumerate the local Wi-Fi signal space, and creates a list of any wireless networks (SSIDs) it finds. The victim’s device doesn’t have to connect to any of the found networks for this Wi-Fi enumeration to take place.
- Once the malware identifies potential target networks nearby, it attempts to connect to them using a list of common Wi-Fi passwords. If it’s successful connecting to one, it starts the next phase of its attack.
- Once connected to a victim Wi-Fi network, Emotet looks for other connected devices and any publicly shared folders they might expose. If it finds one, it launches a different type of brute-force attack, this time trying to connect to the share with common users and password.
- If Emotet succeeds in connecting to any shares found on the Wi-Fi network, it loads a copy of itself onto that share and leverages Windows network commands to try and launch that new copy. If it succeeds, the process starts all over on a new victim.
- Finally, the malware also sends information about the Wi-Fi scans and new victim systems to its command and control (C&C) Once the spreading phase is complete, Emotet remains as a bot client connected to the botnet via a C&C. The criminals behind it then have full control of the victim computer and are capable of launching any malicious action depending on what Emotet modules they‘ve installed.
You can prevent your wireless networks from succumbing to Emotet’s Wi-Fi spreader using basic Wi-Fi access point (AP) security practices. If you manage a Wi-Fi network, make sure to protect it using the latest WPA3 security and a long password greater than 15 characters. That should prevent a random Emotet-infected computer near your AP from being able to brute-force your SSID password.
WatchGuard’s secure APs, including Cloud Wi-Fi APs, have a number of additional security features that also help protect you from parts of this Wi-Fi attack. For instance, AP client isolation can prevent Wi-Fi clients from communicating directly with one another, even when connected to the same AP. This would prevent an Emotet-infected computer that’s connected to a guest network from being able to find and infect other guests.
Wi-Fi Cloud APs also include powerful Wireless Intrusion Prevention (WIPS) features, including Neighbor AP protection. Enabling this feature prevents your users from connecting to any neighboring wireless networks within range of your office. If one of your wireless users was infected by Emotet, this would prevent that user from connecting to and infecting other Wi-Fi networks nearby. That said, it would keep the infected computer on your network, which may still be at risk, but at least it also prevents collateral damage. If you’d like to learn more about our strong WIPS features, check out our Trusted Wireless Environment page.
Good wireless security practices and WatchGuard’s Secure APs can help, but it’s still best to have security controls in place that prevent Emotet infections in the first place. Remember to implement strong anti-malware solutions (like those found in WatchGuard’s Total Security package) at a network and endpoint level. Our proactive malware detection should prevent the latest Emotet from reaching into your network.
This is an excellent and timely article on Wi-Fi security. Kudos to the WatchGuard team for a quick response to an important issue.
I also love the free advice – using WPA3 and a long password to prevent the spread of this attack – WatchGuard looking out for folks like they always do!
Of course Secure APs are an even better choice – I think client isolation will end up being a critical defense component against future attacks that use a similar propagation method.
Glad you found this advise useful. Agreed that client isolation stops this attack best. That and an updated local antivirus.