Friday, December 27, 2024
HomeMalwareNew Emotet Malware Campaign Spread The Infection Across The Network Clients Via...

New Emotet Malware Campaign Spread The Infection Across The Network Clients Via WiFi Spreader

Published on

SIEM as a Service

Researchers uncovered another new wave of WiFi Spreader campaign from the Emoter malware family that was observed being delivered to multiple bots.

Last month we have reported a previous Emoter campaign that taking advantage of wlanAPI interface to enumerate all Wi-Fi networks in the area and spreads the infection.

Researchers observed a newly updated version of the WiFi Spreader that has changed from a stand-alone program into a full-fledged module of Emotet with some other functionality improvements.

- Advertisement - SIEM as a Service

Attackers spreading this module with the changes that let Emotet loader downloads from a server instead of bundling the Emotet loader with the spreader.

Changes in the New Version

Attackers applied new changes in WiFi Spreader module without changing the key functionality of the malware.

“Also, they have increased the logging capability of the spreader, allowing Emotet’s authors to get step-by-step debugging logs from infected machines through the use of a new communication protocol.”

Without affecting the overall spreader functionality, malware authors added in more verbose debugging, while also making the spreader more versatile in the payloads that it downloads.

During the infection, the new Wifi spreader module failed to brute force the c$ share, instead, it attempts to brute-force the ADMIN$ share in the compromised network.

Before attempting the brute-forcing the C$/ADMIN$, a service binary download from the hardcoded IP and install it remotely.

WiFi Spreader
 Spreader bruteforcing code

According to the Binary defense report, “Upon startup of Service.exe, the malware connects out to the same gate.php used by the spreader and sends the debug string “remote service runned Downloading payload…”. Next, it attempts to connect to a hardcoded C2 where it pulls down the Emotet binary, saving the downloaded file as “firefox.exe.” “

Finally, Emotet malware downloaded from the C2 server, in response, Service.exe sends an acknowledgment “payload downloaded ok” to the C2 before executing the dropped file, also it ensures that the downloaded loader has the most recent Emotet loader, which is one of the effective methods to evade the detection, and avoid raising the flag to the security software.

Researchers believe that this wifi spreader is under development process also the drop name for the Emotet loader (firefox.exe) was also present.

You can read the previous version of the WiFi spreader for more details about the infection path.

Follow us on TwitterLinkedinFacebook for Daily cyber security & hacking news updates.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Lumma Stealer Attacking Users To Steal Login Credentials From Browsers

Researchers observed Lumma Stealer activity across multiple online samples, including PowerShell scripts and a...

New ‘OtterCookie’ Malware Attacking Software Developers Via Fake Job Offers

Palo Alto Networks reported the Contagious Interview campaign in November 2023, a financially motivated...

NjRat 2.3D Pro Edition Shared on GitHub: A Growing Cybersecurity Concern

The recent discovery of the NjRat 2.3D Professional Edition on GitHub has raised alarms...

Palo Alto Networks Vulnerability Puts Firewalls at Risk of DoS Attacks

A critical vulnerability, CVE-2024-3393, has been identified in the DNS Security feature of Palo...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Lumma Stealer Attacking Users To Steal Login Credentials From Browsers

Researchers observed Lumma Stealer activity across multiple online samples, including PowerShell scripts and a...

New ‘OtterCookie’ Malware Attacking Software Developers Via Fake Job Offers

Palo Alto Networks reported the Contagious Interview campaign in November 2023, a financially motivated...

Skuld Malware Using Weaponized Windows Utilities Packages To Deliver Malware

Researchers discovered a malware campaign targeting the npm ecosystem, distributing the Skuld info stealer...