Researchers have spotted a new WiFi Spreader campaign distributing the Emotet malware. Last month another Emotet campaign was uncovered that abused the wlanAPI interface to reach nearby WiFi networks and spread the malware.
The researchers observed a new, updated version of the WiFi Spreader, which has evolved from a stand-alone program into a fully fledged Emotet module with several improvements.
Changes to the new version
The attackers made changes to the WiFi Spreader module without altering the malware's basic functionality.
“They have also improved the spreader's logging capability, enabling the Emotet creators to acquire debugging logs from infected machines through the use of a new communication protocol.”
Without affecting the overall functionality of the spreader, the malware's authors added verbose debugging output and made the spreader more flexible in terms of the payloads it can deliver to compromised systems.
During the infection, the new WiFi spreader module no longer brute-forces the C$ share; instead it attempts to brute-force the ADMIN$ share on the compromised network.
Before proceeding to brute-force C$/ADMIN$, the spreader tries to download a service binary from a hardcoded IP address and install it remotely. If it cannot download the binary, it sends the debug string "error downloading file".
According to Binary Defense: “At the start of Service.exe, the malware connects to the same gate.php used by the spreader and sends the debug string ‘remote service runned Downloading payload….’. It then attempts to connect to a hardcoded C2, where it installs the Emotet binary, storing the downloaded file as ‘firefox.exe’.”
Finally, Service.exe downloads the Emotet malware from the C2 server and sends a "payload downloaded ok" confirmation to the C2 before executing the dropped file.
The researchers believe that this WiFi spreader is still under development.
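The chain described above (a burst of failed network logons from one host, then access to the C$ or ADMIN$ share from that host, then a service being installed on the target, with debug strings posted to gate.php) is something a defender can correlate from host logs. The following detection is an added example written for this page; it is not code from the article or from Binary Defense. It assumes Windows event IDs 4625 (failed logon, LogonType 3), 5140 (network share accessed) and 7045 (service installed), the field names used in the records below, and a threshold of five failed logons in ten minutes; all sample events and the host addresses are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Administrative shares the article says the spreader brute-forces.
ADMIN_SHARES = {"C$", "ADMIN$"}
# Debug strings the article reports the spreader and Service.exe sending to gate.php.
DEBUG_STRINGS = ("error downloading file", "remote service runned", "payload downloaded ok")

# Constructed sample records in the shape of Windows Security/System events.
# Event IDs, field names and values are assumptions made for this example.
SAMPLE_EVENTS = [
    {"time": "2020-03-01T10:00:01", "event_id": 4625, "src_ip": "10.0.0.7", "logon_type": 3, "user": "admin"},
    {"time": "2020-03-01T10:00:02", "event_id": 4625, "src_ip": "10.0.0.7", "logon_type": 3, "user": "administrator"},
    {"time": "2020-03-01T10:00:03", "event_id": 4625, "src_ip": "10.0.0.7", "logon_type": 3, "user": "administrator"},
    {"time": "2020-03-01T10:00:04", "event_id": 4625, "src_ip": "10.0.0.7", "logon_type": 3, "user": "administrator"},
    {"time": "2020-03-01T10:00:05", "event_id": 4625, "src_ip": "10.0.0.7", "logon_type": 3, "user": "administrator"},
    {"time": "2020-03-01T10:00:09", "event_id": 5140, "src_ip": "10.0.0.7", "share": "\\\\*\\ADMIN$", "user": "administrator"},
    {"time": "2020-03-01T10:00:12", "event_id": 7045, "service": "Service", "image": "C:\\Windows\\service.exe"},
    # Benign noise: one mistyped password, then a normal share access.
    {"time": "2020-03-01T11:00:00", "event_id": 4625, "src_ip": "10.0.0.20", "logon_type": 3, "user": "jdoe"},
    {"time": "2020-03-01T11:00:05", "event_id": 5140, "src_ip": "10.0.0.20", "share": "\\\\*\\Shared", "user": "jdoe"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def _share_name(share):
    # "\\*\ADMIN$" -> "ADMIN$"
    return share.rstrip("\\").split("\\")[-1].upper()


def detect_spreader_lateral_movement(events, min_failures=5, window=timedelta(minutes=10)):
    """Correlate, per source host: >= min_failures failed network logons,
    followed by access to C$/ADMIN$ from the same source, then (optionally)
    a service install on the target within the window."""
    ordered = sorted(events, key=_ts)
    failed_logons = defaultdict(list)  # src_ip -> timestamps of 4625/LogonType 3
    alerts = []
    for idx, ev in enumerate(ordered):
        t = _ts(ev)
        if ev["event_id"] == 4625 and ev.get("logon_type") == 3:
            failed_logons[ev["src_ip"]].append(t)
            continue
        if ev["event_id"] != 5140 or _share_name(ev["share"]) not in ADMIN_SHARES:
            continue
        recent = [f for f in failed_logons[ev["src_ip"]] if t - f <= window]
        if len(recent) < min_failures:
            continue
        # Third stage: a service installed on the target shortly after the share access.
        service = next((s for s in ordered[idx + 1:]
                        if s["event_id"] == 7045 and _ts(s) - t <= window), None)
        alerts.append({
            "src_ip": ev["src_ip"],
            "failed_logons": len(recent),
            "share": _share_name(ev["share"]),
            "service_installed": service is not None,
            "service_image": service["image"] if service else None,
        })
    return alerts


def is_spreader_beacon(url_path, body):
    """Flag an HTTP request to a gate.php endpoint whose body carries one of the
    debug strings the article attributes to the spreader or Service.exe."""
    if not url_path.lower().rstrip("/").endswith("gate.php"):
        return False
    return any(s in body for s in DEBUG_STRINGS)


if __name__ == "__main__":
    for alert in detect_spreader_lateral_movement(SAMPLE_EVENTS):
        print(alert)
    print(is_spreader_beacon("/gate.php", "payload downloaded ok"))
```

The threshold and window are the weak points of a rule like this: a brute-force that spreads its attempts over a longer period, or that succeeds on the first guess because of a weak password, will not produce enough 4625 events, so the share access and the service install should also be alerted on their own at lower severity.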