A new version of a highly sophisticated Trojan that can spread via Wi-Fi networks has been discovered. The Emotet Trojan, which also acts as a loader for other malware, has been found to take advantage of the wlanAPI interface to spread to all PCs reachable over the Wi-Fi network. The Trojan was previously known to spread only through spam emails and infected networks.
The ability of this Trojan to brute-force its way into networks over Wi-Fi from an infected PC has supposedly gone undetected for at least two years. Once the malicious software enters a system, it begins enumerating and profiling wireless networks using wlanAPI.dll calls so that it can spread to any networks within reach. This works because Native Wi-Fi uses the wlanAPI.dll calls to manage wireless network profiles and wireless network connections.
The malware then ascertains the network's authentication and encryption methods and brute-forces the password to join the connection. Once connected successfully, it relays a hard-coded HTTP POST to its Command and Control (C2) server. If the malware fails to guess the password, it attempts to brute-force the Administrator account. Once successful, the malware can access the C drive of the PC, where it installs other malware and ransomware, or siphons off personal data and other information.
The best-known way to prevent this Trojan from entering through a Wi-Fi network is to use strong passwords. The malware spreads through the network by forcing its way in through insecure passwords, since it holds a repository of previously breached networks. A complex, difficult-to-crack Wi-Fi password will prevent Emotet from spreading further into the network. Another measure for IT personnel is to actively monitor any new services being installed from the temporary and application data folders, since the malware is known to place setup.exe files in the TEMP folder.
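As an added example, not code from the article or from Binary Defense's research, the monitoring advice above expressed as a check over Windows System log event 7045 records (the event Windows writes when a service is installed); the sample records are constructed, and the list of flagged directory markers is an assumption about where a legitimate service binary should not live.

```python
import re

# Constructed sample messages shaped like Windows System log event 7045
# ("A service was installed in the system"); made up for this example, not real infections.
SAMPLE_EVENTS = [
    "A service was installed in the system.\r\n\r\nService Name: Spooler Helper\r\n"
    "Service File Name: \"C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe\" /svc\r\n"
    "Service Type: user mode service\r\nService Start Type: auto start\r\nService Account: LocalSystem",
    "A service was installed in the system.\r\n\r\nService Name: WinDefend\r\n"
    "Service File Name: \"C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\MsMpEng.exe\"\r\n"
    "Service Type: user mode service\r\nService Start Type: auto start\r\nService Account: LocalSystem",
    "A service was installed in the system.\r\n\r\nService Name: updsvc\r\n"
    "Service File Name: C:\\Windows\\Temp\\abc123.exe\r\n"
    "Service Type: user mode service\r\nService Start Type: demand start\r\nService Account: LocalSystem",
]

# Assumed markers for directories a legitimate service binary should almost never live in.
SUSPICIOUS_DIR_MARKERS = ("\\appdata\\", "\\temp\\", "\\tmp\\")
FIELD_RE = re.compile(r"^(Service Name|Service File Name): (.*)$", re.MULTILINE)

def parse_7045(message):
    """Return the Service Name and Service File Name fields of a 7045 message."""
    return {k: v.strip() for k, v in FIELD_RE.findall(message)}

def image_path(service_file_name):
    """Extract the executable path from a service command line (quoted paths may carry arguments)."""
    s = service_file_name.strip()
    if s.startswith('"'):
        return s[1:s.index('"', 1)]
    m = re.match(r"(.+?\.exe)", s, re.IGNORECASE)
    return m.group(1) if m else s.split(" ")[0]

def flag_services(messages):
    """Return (service name, image path) for services installed from temp or AppData directories."""
    flagged = []
    for msg in messages:
        fields = parse_7045(msg)
        if "Service File Name" not in fields:
            continue
        path = image_path(fields["Service File Name"])
        if any(marker in path.lower() for marker in SUSPICIOUS_DIR_MARKERS):
            flagged.append((fields.get("Service Name", "?"), path))
    return flagged

if __name__ == "__main__":
    for name, path in flag_services(SAMPLE_EVENTS):
        print(f"suspicious service install: {name!r} -> {path}")
```

On a live host the same logic can be fed with the message text of 7045 events exported from the System log, since the field layout is what the constructed records mirror.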
Source: Binary Defense via WindowsCentral