Researchers uncovered another new wave of WiFi Spreader campaign from the Emoter malware family that was observed being delivered to multiple bots.
Last month we have reported a previous Emoter campaign that taking advantage of wlanAPI interface to enumerate all Wi-Fi networks in the area and spreads the infection.
Researchers observed a newly updated version of the WiFi Spreader that has changed from a stand-alone program into a full-fledged module of Emotet with some other functionality improvements.
Attackers spreading this module with the changes that let Emotet loader downloads from a server instead of bundling the Emotet loader with the spreader.
Changes in the New Version
Attackers applied new changes in WiFi Spreader module without changing the key functionality of the malware.
“Also, they have increased the logging capability of the spreader, allowing Emotet’s authors to get step-by-step debugging logs from infected machines through the use of a new communication protocol.”
Without affecting the overall spreader functionality, malware authors added in more verbose debugging, while also making the spreader more versatile in the payloads that it downloads.
During the infection, the new Wifi spreader module failed to brute force the c$ share, instead, it attempts to brute-force the ADMIN$ share in the compromised network.
Before attempting the brute-forcing the C$/ADMIN$, a service binary download from the hardcoded IP and install it remotely.
According to the Binary defense report, “Upon startup of Service.exe, the malware connects out to the same gate.php used by the spreader and sends the debug string “remote service runned Downloading payload…”. Next, it attempts to connect to a hardcoded C2 where it pulls down the Emotet binary, saving the downloaded file as “firefox.exe.” “
Finally, Emotet malware downloaded from the C2 server, in response, Service.exe sends an acknowledgment “payload downloaded ok” to the C2 before executing the dropped file, also it ensures that the downloaded loader has the most recent Emotet loader, which is one of the effective methods to evade the detection, and avoid raising the flag to the security software.
Researchers believe that this wifi spreader is under development process also the drop name for the Emotet loader (firefox.exe) was also present.
You can read the previous version of the WiFi spreader for more details about the infection path.