Secplicity - Security Simplified

Powered by WatchGuard Technologies

Emotet Evolves to Gain the Wi-Fi Attribute

February 14, 2020 By Trevor Collins

A recent addition to the Emotet botnet, found by Binary Defense, enables this malware to spread through Wi-Fi networks. This differs from previous versions of Emotet, which only targeted local wired networks. The Emotet botnet started off as a banking trojan in 2014. Early on, it spread by email, resending itself to its victims’ contact lists. Later, the botnet progressed to spreading additional malicious payloads, such as ransomware. Now, it has evolved once again, this time to exploit vulnerable Wi-Fi hotspots. Like many botnets, Emotet can be configured by the criminal hackers behind it with different modules to perform a variety of malicious acts.

Before this update, Emotet already had basic worm-like spreading capabilities. If it detects a connected wired network, it tries to spread to other devices on that network using default passwords or basic password brute-forcing. This updated version, however, includes a new and unique Wi-Fi spreader, which allows the malware to jump onto insecure wireless networks like the ones found at many public Wi-Fi hotspots.

Here’s how it works:

  1. Emotet leverages the victim’s wireless adapter to enumerate the local Wi-Fi signal space, and creates a list of any wireless networks (SSIDs) it finds. The victim’s device doesn’t have to connect to any of the found networks for this Wi-Fi enumeration to take place.
  2. Once the malware identifies potential target networks nearby, it attempts to connect to them using a list of common Wi-Fi passwords. If it’s successful connecting to one, it starts the next phase of its attack.
  3. Once connected to a victim Wi-Fi network, Emotet looks for other connected devices and any publicly shared folders they might expose. If it finds one, it launches a different type of brute-force attack, this time trying to connect to the share with common usernames and passwords.
  4. If Emotet succeeds in connecting to any share found on the Wi-Fi network, it copies itself onto that share and uses Windows network commands to try to launch the new copy. If it succeeds, the process starts all over on a new victim.
  5. Finally, the malware also sends information about the Wi-Fi scans and new victim systems to its command and control (C&C) server. Once the spreading phase is complete, Emotet remains as a bot client connected to the botnet via C&C. The criminals behind it then have full control of the victim computer and can launch any malicious action, depending on which Emotet modules they’ve installed.
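Step 2 above is visible from the defender's side as a burst of failed Wi-Fi authentications from one client MAC, and step 3 as the same pattern against file shares. The following is an added example (not code from the article, Binary Defense, or WatchGuard) that flags that pattern over constructed access-point log lines; the log format and field names are invented for the example.

```python
# Added example (not from the Secplicity article or WatchGuard): a detector for
# the password-guessing phase of Emotet's Wi-Fi spreader, run over CONSTRUCTED
# access-point log lines. The format is invented; adapt parse() to your AP/WIPS.
import re
from collections import defaultdict
from datetime import datetime, timedelta
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ssid=(?P<ssid>\S+) "
    r"client=(?P<client>[0-9a-f:]{17}) event=(?P<event>\S+)$"
)

def parse(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None                       # ignore lines in any other format
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev

def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=2)):
    """Flag any (client MAC, SSID) pair with >= threshold auth failures inside a
    sliding time window. Returns sorted (client, ssid, peak_failures) tuples."""
    recent = defaultdict(list)            # (client, ssid) -> timestamps in window
    alerts = {}
    for ev in filter(None, map(parse, lines)):
        if ev["event"] != "auth_fail":
            continue
        key = (ev["client"], ev["ssid"])
        ts = recent[key]
        ts.append(ev["ts"])
        while ts and ev["ts"] - ts[0] > window:   # expire failures outside window
            ts.pop(0)
        if len(ts) >= threshold:
            alerts[key] = max(alerts.get(key, 0), len(ts))
    return sorted((c, s, n) for (c, s), n in alerts.items())

# Constructed sample: ...01 hammers the Guest SSID; ...02 mistypes once, then joins.
SAMPLE_LOG = """\
2020-02-14T10:00:01Z ssid=Guest client=aa:bb:cc:dd:ee:01 event=auth_fail
2020-02-14T10:00:04Z ssid=Guest client=aa:bb:cc:dd:ee:01 event=auth_fail
2020-02-14T10:00:07Z ssid=Guest client=aa:bb:cc:dd:ee:01 event=auth_fail
2020-02-14T10:00:09Z ssid=Corp client=aa:bb:cc:dd:ee:02 event=auth_fail
2020-02-14T10:00:10Z ssid=Guest client=aa:bb:cc:dd:ee:01 event=auth_fail
2020-02-14T10:00:13Z ssid=Guest client=aa:bb:cc:dd:ee:01 event=auth_fail
2020-02-14T10:00:20Z ssid=Corp client=aa:bb:cc:dd:ee:02 event=auth_ok
"""
if __name__ == "__main__":
    for client, ssid, n in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"ALERT: {client} failed {n} times against {ssid} (possible PSK guessing)")
```

The same sliding-window count applied to failed share logons on the hosts behind the AP covers step 3.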


You can prevent your wireless networks from succumbing to Emotet’s Wi-Fi spreader using basic Wi-Fi access point (AP) security practices. If you manage a Wi-Fi network, make sure to protect it using the latest WPA3 security and a long password greater than 15 characters. That should prevent a random Emotet-infected computer near your AP from being able to brute-force your SSID password.

WatchGuard’s secure APs, including Cloud Wi-Fi APs, have a number of additional security features that also help protect you from parts of this Wi-Fi attack. For instance, AP client isolation can prevent Wi-Fi clients from communicating directly with one another, even when connected to the same AP. This would prevent an Emotet-infected computer that’s connected to a guest network from being able to find and infect other guests.

Wi-Fi Cloud APs also include powerful Wireless Intrusion Prevention System (WIPS) features, including Neighbor AP protection. Enabling this feature prevents your users from connecting to any neighboring wireless networks within range of your office. If one of your wireless users were infected by Emotet, this would prevent that user from connecting to and infecting other Wi-Fi networks nearby. That said, it would keep the infected computer on your network, which may still be at risk, but at least it prevents collateral damage to your neighbors. If you’d like to learn more about our WIPS features, check out our Trusted Wireless Environment page.

Good wireless security practices and WatchGuard’s Secure APs can help, but it’s still best to have security controls in place that prevent Emotet infections in the first place. Remember to implement strong anti-malware solutions (like those found in WatchGuard’s Total Security package) at a network and endpoint level. Our proactive malware detection should prevent the latest Emotet from reaching into your network.


Comments

  1. Donald Gulling says

    February 18, 2020 at 12:57 pm

    This is an excellent and timely article on Wi-Fi security. Kudos to the WatchGuard team for a quick response to an important issue.

    I also love the free advice – using WPA3 and a long password to prevent the spread of this attack – WatchGuard looking out for folks like they always do!

    Of course Secure APs are an even better choice – I think client isolation will end up being a critical defense component against future attacks that use a similar propagation method.

    • Trevor Collins says

      February 19, 2020 at 12:45 pm

      Glad you found this advice useful. Agreed that client isolation stops this attack best. That and an updated local antivirus.
