Emotet Hacks Nearby Wi-Fi Networks to Spread to New Victims

Researchers recently discovered a new Trojan module that was developed to infect other devices reachable over insecure Wi-Fi networks.

The Trojan, known as Emotet, starts its spreading process by using wlanAPI.dll calls to discover wireless networks around an already infected Wi-Fi-enabled computer, and it attempts to brute-force its way in if they are password-protected.


Once the Trojan has successfully connected to a network, it starts searching for new Windows devices and their non-hidden shares.

Once connected to a new device, it starts a brute-force attack against the administrative account and every other user account it can retrieve.

After successfully breaking into an account, the worm drops a malicious payload in the form of the service.exe binary onto the victim's computer and installs a new service named "Windows Defender System Service" to gain persistence on the system.

How Does Emotet's Wi-Fi Spreader Module Work?


  • The updated version of the malware works by leveraging an already compromised host to list all the nearby Wi-Fi networks. To do so, it makes use of the wlanAPI interface to extract the SSID, signal strength, the authentication method (WPA, WPA2, or WEP), and the mode of encryption used to secure passwords.
  • On obtaining the information for each network this way, the worm attempts to connect to the networks by performing a brute-force attack using passwords obtained from one of two internal password lists. If the connection fails, it moves to the next password in the list. It's not immediately clear how this list of passwords was put together.
  • But if the operation succeeds, the malware connects the compromised system to the newly accessed network and begins enumerating all non-hidden shares. It then carries out a second round of brute-force attacks to guess the usernames and passwords of all users connected to the network resource.
  • After having successfully brute-forced users and their passwords, the worm moves to the next phase by installing malicious payloads, called "service.exe", on the newly infected remote systems. To cloak its behavior, the payload is installed as a Windows Defender System Service (WinDefService).
  • In addition to communicating with a command-and-control (C2) server, the service acts as a dropper and executes the Emotet binary on the infected host.
  • The fact that Emotet can jump from one Wi-Fi network to another puts the onus on companies to secure their networks with strong passwords to prevent unauthorized access. The malware can also be detected by actively monitoring processes running from temporary folders and user profile application data folders.

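The two detection points the list above names, a service posing as "Windows Defender System Service" backed by a service.exe binary and processes executing from temp or user-profile AppData folders, can be turned into simple host-inventory checks. The following Python is an added example, not code from the article or from Emotet; the function names and the sample process and service records are constructed, and a real deployment would feed it records exported from the host (for example a service and process listing) instead.

```python
from pathlib import PureWindowsPath

# Indicators taken from the article: Emotet's Defender-lookalike service name,
# its service.exe payload, and the temp / AppData folders worth monitoring.
EMOTET_SERVICE_NAMES = {"windows defender system service", "windefservice"}
EMOTET_PAYLOAD = "service.exe"
SUSPECT_DIRS = {"temp", "tmp", "appdata"}

def runs_from_suspect_dir(image_path: str) -> bool:
    """True if any directory component of a Windows path is a temp or AppData folder."""
    dirs = [p.lower() for p in PureWindowsPath(image_path).parts[:-1]]
    return any(d in SUSPECT_DIRS for d in dirs)

def check_process(name: str, image_path: str) -> list:
    """Flag a process executing from a temp or user-profile application-data folder."""
    if runs_from_suspect_dir(image_path):
        return [f"process {name} runs from a suspect folder: {image_path}"]
    return []

def check_service(name: str, display_name: str, binary_path: str) -> list:
    """Flag a service that matches the persistence mechanism described above."""
    findings = []
    if {name.lower(), display_name.lower()} & EMOTET_SERVICE_NAMES:
        findings.append(f"service {name} uses Emotet's Defender-lookalike name '{display_name}'")
    if PureWindowsPath(binary_path).name.lower() == EMOTET_PAYLOAD:
        findings.append(f"service {name} runs a service.exe payload: {binary_path}")
    if runs_from_suspect_dir(binary_path):
        findings.append(f"service {name} binary lives in a suspect folder: {binary_path}")
    return findings

def scan(processes, services) -> list:
    # processes are (name, path) records, services are (name, display_name, path)
    findings = []
    for name, path in processes:
        findings += check_process(name, path)
    for name, display_name, path in services:
        findings += check_service(name, display_name, path)
    return findings

# Constructed sample inventory (not real telemetry): the genuine Defender engine
# and service beside a user-Temp service.exe and the lookalike service.
DEFENDER = r"C:\Program Files\Windows Defender\MsMpEng.exe"
PAYLOAD = r"C:\Users\alice\AppData\Local\Temp\service.exe"
SAMPLE_PROCESSES = [("MsMpEng.exe", DEFENDER), ("service.exe", PAYLOAD)]
SAMPLE_SERVICES = [("WinDefend", "Microsoft Defender Antivirus Service", DEFENDER),
                   ("WinDefService", "Windows Defender System Service", PAYLOAD)]

if __name__ == "__main__":
    for finding in scan(SAMPLE_PROCESSES, SAMPLE_SERVICES):
        print(finding)
```

The real Defender entries produce no findings, while the sample service.exe in the user's Temp folder is flagged both as a process and through its lookalike service.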