Emotet is one of the most dangerous malicious programs. It can steal bank accounts and install other types of other malicious programs. Recently, Emotet operators were found to be adopting a new method of spreading: via neighboring Wi-Fi networks. It uses an API called wlanAPI to collect the SSID, signal strength, and encryption method of a nearby wireless network, such as WPA, and then uses a list of common username and password combinations to try to log in.
If successfully logged in, the infected device will enumerate all non-hidden devices that connected to the network, and then use the second password list to guess the credentials of the connected device.
It will also try to guess the administrator password for the shared resource. If it successfully guesses the password of the connected device, it loads Emotet and other malicious programs. Weak password users are advised to change their passwords and use strong passwords.
“With this newly discovered loader-type used by Emotet, a new threat vector is introduced to Emotet’s capabilities,” researchers from security firm Binary Defense wrote in a recently published post. “Previously thought to only spread through malspam and infected networks, Emotet can use this loader-type to spread through nearby wireless networks if the networks use insecure passwords.”