Binary Defense: Emotet is still evolving and uses WiFi networks as a dissemination vector, thanks to a new payload that uses the wlanAPI interface to enter the system and run malware
Emotet is still evolving and now uses WiFi networks as a vector of diffusion. Binary Defense cyber security experts found out. The researchers identified a new payload that uses the wlanAPI interface to enumerate Wi-Fi networks and subsequently spread by infecting the devices it can access. Finally, once it reaches the system, it releases and runs the malware. The binary from which it all begins is a self-extracting RAR that contains two files: worm.exe and service.exe. The first one takes care of profiling the networks through a call to the WlanEnumInterfaces function of the wlanapi.dll library and then exploits the WlanGetAvailableNetworkList function to obtain a list of all available networks. Having gathered the information, it tries to force the passwords of the networks through an internal list. If it can access, it contact the C2 server to which it provides the information obtained.
Cyber Security Experts: For the Trojan authors, this is a big news. This, in fact, has so far been widespread only with targeted campaigns. It is assumed that the malicious code will evolve further
According to cyber security experts, at this point the cybercrime tool tries to force passwords for all users on the network (including any administrator accounts) using a second list, which is also hard-coded. If the outcome of the operation is successful, the worm.exe file copies and executes the service.exe file on the system by renaming it my.exe. The latter informs the C2 server that the service is running and releases Emotet which it keeps inside system.exe. For the Trojan, this type of diffusion is a great novelty, since so far the malware was distributed only through targeted campaigns. It means that the developers still intend to use it and that in the future there may be other variants with additional capabilities.