A newly-found variant of the feared Emotet Trojan hops from one Wi-Fi network to the next, giving it the power to spread as a Wi-Fi worm through offices and apartment buildings.
Fortunately, the malware's spread is easy to stop if you have good, strong passwords on all your routers and Windows PCs.
"Previously thought to only spread through malspam [spam email infected with malware] and infected networks, Emotet can use this loader-type to spread through nearby wireless networks if the networks use insecure passwords," said a technical analysis posted late last week by Ohio-based security firm Binary Defense, which discovered the variant.
"Binary Defense's analysts recommend using strong passwords to secure wireless networks so that malware like Emotet cannot gain unauthorized access to the network," the report adds.
Another tool in the collection
Emotet is a jack-of-all-trades strain of malware that began life in 2014 as a banking Trojan, but later added the abilities to steal personal information, install ransomware, form botnets and download other pieces of malware.
It's been one of the most aggressive malware campaigns of the past few years. In a report released Feb. 11, Malwarebytes noted that Emotet activity jumped 375% in 2019 alone. Most recently, it's been spotted using both the ongoing Wuhan coronavirus scare and the Christmas holidays as lures to get people to open booby-trapped email attachments.
The Emotet name also refers to the criminal operation responsible for the development and distribution of the malware and the leasing of its botnet operations. (It must be a small group -- the Emotet operators took three months off in the summer of 2019, and then another month off around Christmas.)
The ability to spread between Wi-Fi networks may have been added to Emotet's toolkit as long ago as April 2018, judging by a timestamp found by Binary Defense.
"This hints that this Wi-Fi spreading behavior has been running unnoticed for close to two years," says the Binary Defense report.
Relying on user laziness
However, it's not like Emotet has a magic ability to break Wi-Fi network defenses. It just takes advantage of lousy passwords.
When this variant of Emotet is installed on a PC, a component called "worm.exe" checks to see how many Wi-Fi networks (other than the one the infected PC is already linked to) are within range. (This step fails on Windows XP but not later versions of Windows.)
Then Emotet uses brute force to try to crack the access passwords of each nearby Wi-Fi network, pulling them from a precompiled list of likely passcodes one after another until one works.
Once it's granted access to a network, Emotet sends the network name and password of the newly cracked network up to its command-and-control server, apparently adding the information to a master list of hacked Wi-Fi networks.
Then the malware ditches its host PC's existing Wi-Fi connection and connects the PC to the newly linked network, after which Emotet scans for connected Windows machines. It then tries to brute-force the Windows usernames and user passwords on each newly infected machine, drawing from another precompiled list of likely text strings.
If that fails, Emotet switches to trying to brute-force the passwords of any Windows accounts with the username "Administrator," and the cycle of evil begins again.
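The last two steps above leave a recognizable trace on every Windows machine the worm touches: a burst of failed logons from one source, first against a spread of usernames and then against the built-in "Administrator" account, sometimes followed by a success once a weak password is guessed. The following is an added example of how a defender might flag that pattern in Windows Security events (Event ID 4625, failed logon; 4624, successful logon). It is not code from the article or from Binary Defense; the one-line log format, the sample events and the thresholds are all constructed for illustration and would be tuned to a real environment.

```python
"""Flag the password-guessing burst described in the article in Windows
Security log events.  Added example, not from the article or Binary Defense.
The simplified one-line event format and the sample records below are
constructed; the thresholds are assumptions to be tuned per environment."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 192.168.1.50 behaves like an infected host guessing
# several usernames, then hammering Administrator, then getting in (4624).
# 192.168.1.77 is a user mistyping a password twice, minutes apart.
SAMPLE_EVENTS = """\
2020-02-07T10:00:01 EventID=4625 TargetUserName=alice IpAddress=192.168.1.50
2020-02-07T10:00:03 EventID=4625 TargetUserName=bob IpAddress=192.168.1.50
2020-02-07T10:00:04 EventID=4625 TargetUserName=carol IpAddress=192.168.1.50
2020-02-07T10:00:06 EventID=4625 TargetUserName=dave IpAddress=192.168.1.50
2020-02-07T10:00:09 EventID=4625 TargetUserName=Administrator IpAddress=192.168.1.50
2020-02-07T10:00:10 EventID=4625 TargetUserName=Administrator IpAddress=192.168.1.50
2020-02-07T10:00:12 EventID=4625 TargetUserName=Administrator IpAddress=192.168.1.50
2020-02-07T10:00:13 EventID=4625 TargetUserName=Administrator IpAddress=192.168.1.50
2020-02-07T10:00:15 EventID=4624 TargetUserName=Administrator IpAddress=192.168.1.50
2020-02-07T10:02:30 EventID=4625 TargetUserName=erin IpAddress=192.168.1.77
2020-02-07T10:07:45 EventID=4625 TargetUserName=erin IpAddress=192.168.1.77
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<id>\d+) TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)


def parse_events(text):
    """Parse the constructed one-line format into dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({"ts": datetime.fromisoformat(m["ts"]), "id": int(m["id"]),
                       "user": m["user"], "ip": m["ip"]})
    return events


def detect_bruteforce(events, window=timedelta(seconds=60),
                      min_failures=5, min_users=3, min_admin=3):
    """Return one alert per source IP whose densest failure window is a burst.

    A burst is at least min_failures 4625 events inside `window`.  The alert
    notes whether the burst spread across many usernames, concentrated on
    Administrator, and whether a 4624 from the same source followed it.
    """
    by_ip = defaultdict(lambda: {"fail": [], "ok": []})
    for ev in events:
        key = {4625: "fail", 4624: "ok"}.get(ev["id"])
        if key:
            by_ip[ev["ip"]][key].append(ev)

    alerts = []
    for ip, streams in by_ip.items():
        fails = sorted(streams["fail"], key=lambda e: e["ts"])
        # Sliding window: keep the densest run of failures within `window`.
        best, start = [], 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            if end - start + 1 > len(best):
                best = fails[start:end + 1]
        if len(best) < min_failures:
            continue

        users = {e["user"] for e in best}
        admin = sum(1 for e in best if e["user"].lower() == "administrator")
        last = best[-1]["ts"]
        success = any(last <= e["ts"] <= last + window for e in streams["ok"])

        patterns = []
        if len(users) >= min_users:
            patterns.append("username-guessing")
        if admin >= min_admin:
            patterns.append("administrator-guessing")
        if success:
            patterns.append("success-after-failures")

        alerts.append({"ip": ip, "failures": len(best), "distinct_users": len(users),
                       "admin_failures": admin, "followed_by_success": success,
                       "first": best[0]["ts"], "last": last, "patterns": patterns})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The "success-after-failures" flag is the one worth paging on: a burst that ends in a 4624 from the same source means a weak account password was found, which is exactly the condition the article says a strong, unique password prevents. In a real deployment the events would come from the Security channel or a SIEM rather than a text blob, and the source would more often be a workstation name than an IP.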
How to stop Emotet from spreading
The upshot is that if you have strong, unique passwords on your home Wi-Fi network and for the user accounts on your Windows PCs, then you're pretty well protected against malware jumping over from a neighboring network.
Emotet will focus instead on your neighbors who don't use such good passwords, or who never changed the factory-default access passwords when they set up their routers. That just makes things that much easier for hackers.
Taking advantage of weak Wi-Fi passwords is just one of the ways in which Emotet spreads, however. It most frequently shows up in infected email attachments and also spreads among machines on a local network.
To really protect yourself from Emotet, no matter how it arrives, you need to be running some of the best antivirus software.