A new wave of Emotet malware campaign With New Wi-Fi Spreader takes advantage of the wlanAPI interface to enumerate all Wi-Fi networks in the area and spreads the infection.
The Emotet is a banking Trojan detected in the year 2014, it was designed to steal sensitive and private information.
It is one of the most dangerous malware and it is capable of delivering payloads based on the specific tasks. It’s warm like capability helps to spread rapidly with other connected computers.
Emotet primarily distributed through social engineering techniques such as the emails with the links to download the malware.
With the new Emotet campaign it arrives with a new Wi-Fi Spreader module downloads to the system C:ProgramData. The downloaded binary contains a self-extracting RAR that has two (service.exe and worm.exe) binaries to spread the infection through WiFi.
The worm.exe is the executable used for spreading the malware, once it executed it copies the service.exe to a variable for using it while spreading.
Then it calls wlanAPI.dll class that used by Native Wi-Fi to manage the wireless network profiles and connections for spreading the infection to other networks.
“The Worm enumerates all Wi-Fi devices currently enabled on the local computer, which it returns in a series of structures. These structures contain all the information relating to the Wi-Fi device, including the device’s GUID and description,” read the Binary Defense analysis.
It gathers possible information from every available Wi-Fi network present in the list of networks.
Breaking Weak Wi-Fi Network
Once the connection established with the Wi-Fi network it enumerates users and attempts brute-force for all users on the network.