A recently spotted Emotet Trojan sample features a Wi-Fi worm module that allows the malware to spread to new victims connected to nearby insecure wireless networks according to researchers at
Binary Defense.
This newly discovered Emotet strain starts the spreading process by using wlanAPI.dll calls to discover wireless networks around an already infected Wi-Fi-enabled computer and attempting to brute-force its way in if they are password protected.
Once it successfully connects the compromised device to another wireless network, the worm will start finding other Windows devices with non-hidden shares.
Next, it scans for all accounts on those devices and tries to brute-force the password for the Administrator account and all the other users it can retrieve.
After successfully breaking into an account, the worm drops a malicious payload in the form of the
service.exe binary onto the victim's computer and installs a new service named "Windows Defender System Service" to gain persistence on the system.
