Emotet and Wi-Fi Part 1

Emotet malware may have been discovered in 2014, but it has evolved and is now considered one of the top internet threats. In the first of a two-part series, Heather “Mo” Williams explains the evolution of Emotet and its new capabilities.

This the first in a two-part blog series on the Emotet malware. The second part will run on February 28, 2020.

What is Emotet?

Emotet is the name of both a strain of malware and the cybercrime operation behind the malware. The U.S. Computer Emergency Readiness Team (US_CERT) describes Emotet as “an advanced, modular banking Trojan” that is “among the most costly and destructive malware” for both public and private organizations.

CLICK TO TWEET: CommScope’s Heather “Mo” Williams explains the evolution of Emotet and its new capabilities.

When Emotet was first discovered in 2014 it functioned primarily to steal banking credentials.  The initial delivery mechanism was a spam email with an attachment with a malicious macro.  The email campaigns themselves have grown in sophistication over the last few years with Emotet scraping old and new victims’ emails including contacts, signature lines, and entire email threads and is capable of creating templates that quote from emails sent or received and addressing new targets by name.

Emotet Figure 1

Figure 1: Flow of Emotet Context-Aware Phishing Campaign*

*Source: https://www.kryptoslogic.com/blog/2019/04/emotet-scales-use-of-stolen-email-content-for-context-aware-phishing/

The malicious macro operates as a RAT (remote administration tool) client that has very basic functions (DL/execute, DL/update, and uninstall).  The very lack of advanced malware capabilities, like a keylogger or webcam viewer helps keep Emotet undetected for extended periods of time and its modularity has allowed Emotet to be evolved to deliver a variety of malware.

Once the macro connects back to a C2 (command and control) server, the second stage payloads are downloaded. These second stage payloads can be any kind of executable code.  Initially these were executables that were designed to steal credentials and perform a lateral movement across the network. 

A few years ago, Emotet operators evolved it to create a botnet that they now sell access to in a Malware-as-a-Service (MaaS) model. For example, they are known to rent access to ransomware operators, such as Ryuk, which specifically targets large enterprises, and TrickBot, which is another banking Trojan. As of September 2019, the Emotet operation is running on top of three different botnets (Epoch 1, 2, and 3) and has been one of the top and most versatile Internet threats for the last 5 years.  The operators regularly evolve the phishing campaigns including a recent spam run that quotes from past emails the recipient has sent or received and addresses the recipient by name.

Emotet Figure 2

Figure 2: https://www.zerodayclothing.com/

Emotet’s New Capability

After the initial infection vector, Emotet’s lateral movement capabilities allow it to act like a worm and infect other computers on the same network using exploits or mounted shares.  In February 2020, security researches announced that Emotet has adopted a new lateral movement vector by using already compromised devices to infect devices connected to nearby Wi-Fi networks.

Think of someone with a viral infection walking into your office. His particular strain requires direct contact in order to spread, so unless you shake his hand, you remain healthy. Now evolve his viral strain so that it is airborne. All he has to do is be in the lobby and breathe in order to spread his viral payload.

Previously, for Emotet to spread through an organization after an initial compromise (by clicking on a phishing email’s attachment) the lateral movement happened over the wire to shared drives or to servers using a variety of exploits. Now the initial infected machine can (potentially) spread to other devices on the same Wi-Fi network.

The new attack vector starts with a previously infected laptop and uses the wlanAPI (a library installed on every Windows machine) to enumerate nearby Wi-Fi networks. This builds a profile of every SSID the laptop can hear including signal strength and the encryption method used. Emotet then uses a password dictionary to guess commonly used default username and password combinations.  Essentially this is a brute force attack.

If the malware successfully gains access to the WLAN, all non-hidden devices on that WLAN are then enumerated and a second dictionary is used to attempt to brute force the credentials for each of those clients. If successful, it will then infect that device.  It will also attempt to gain administrator access to the WLAN infrastructure devices. Once a device is infected, it reports into a C2 server to confirm installation.

Emotet Figure 3

Figure 3: Wi-Fi Spreader Overview*

*Source: https://www.binarydefense.com/emotet-evolves-with-new-wi-fi-spreader/

Stay tuned for part two of this series on Emotet to find out what is under the hood and how CommScope’s Ruckus solutions can help.