Friday, March 29, 2024

New Emotet Malware Campaign Spread The Infection Across The Network Clients Via WiFi Spreader

Researchers uncovered another new wave of WiFi Spreader campaign from the Emoter malware family that was observed being delivered to multiple bots.

Last month we have reported a previous Emoter campaign that taking advantage of wlanAPI interface to enumerate all Wi-Fi networks in the area and spreads the infection.

Researchers observed a newly updated version of the WiFi Spreader that has changed from a stand-alone program into a full-fledged module of Emotet with some other functionality improvements.

Attackers spreading this module with the changes that let Emotet loader downloads from a server instead of bundling the Emotet loader with the spreader.

Changes in the New Version

Attackers applied new changes in WiFi Spreader module without changing the key functionality of the malware.

“Also, they have increased the logging capability of the spreader, allowing Emotet’s authors to get step-by-step debugging logs from infected machines through the use of a new communication protocol.”

Without affecting the overall spreader functionality, malware authors added in more verbose debugging, while also making the spreader more versatile in the payloads that it downloads.

During the infection, the new Wifi spreader module failed to brute force the c$ share, instead, it attempts to brute-force the ADMIN$ share in the compromised network.

Before attempting the brute-forcing the C$/ADMIN$, a service binary download from the hardcoded IP and install it remotely.

WiFi Spreader
 Spreader bruteforcing code

According to the Binary defense report, “Upon startup of Service.exe, the malware connects out to the same gate.php used by the spreader and sends the debug string “remote service runned Downloading payload…”. Next, it attempts to connect to a hardcoded C2 where it pulls down the Emotet binary, saving the downloaded file as “firefox.exe.” “

Finally, Emotet malware downloaded from the C2 server, in response, Service.exe sends an acknowledgment “payload downloaded ok” to the C2 before executing the dropped file, also it ensures that the downloaded loader has the most recent Emotet loader, which is one of the effective methods to evade the detection, and avoid raising the flag to the security software.

Researchers believe that this wifi spreader is under development process also the drop name for the Emotet loader (firefox.exe) was also present.

You can read the previous version of the WiFi spreader for more details about the infection path.

Follow us on TwitterLinkedinFacebook for Daily cyber security & hacking news updates.

Website

Latest articles

IT and security Leaders Feel Ill-Equipped to Handle Emerging Threats: New Survey

A comprehensive survey conducted by Keeper Security, in partnership with TrendCandy Research, has shed...

How to Analyse .NET Malware? – Reverse Engineering Snake Keylogger

Utilizing sandbox analysis for behavioral, network, and process examination provides a foundation for reverse...

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles