Emotet trojan spreads via Wi-Fi, capitalizes on coronavirus fears

  • Cybersecurity analysts are warning about a Trojan called ‘Emotet’ which can spread across Wi-Fi networks, loading a variety of malware payloads that threaten sensitive data. Here we explore how you can protect yourself.

    How has it spread?

    Emotet reemerged in late 2019, having initially been spotted in 2018, and spread via phishing emails with Microsoft documents attached containing malicious code embedded within. More recently, hackers have used the ongoing coronavirus crisis as a means to spread malware. 

    The hackers pose as regional health officials and scare targets with tailored messages in order to force them to open the attached Microsoft Word Document which purportedly contains updates and health information on the ‘coronavirus outbreak’ in the area. So far, the attacks have mainly focused on Japan and other regions closer to China, but experts warn that, as the coronavirus spreads, so too will Emotet. 

    “We expect to see more malicious email traffic based on the coronavirus in the future, as the infection spreads,” IBM researchers studying Emotet say.

    How does it work?

    Emotet infects a computer and then identifies all nearby Wi-Fi networks, which it targets with brute force attacks, working through a stored database of ‘educated guess’ passwords to try to crack them. 

    Once it has connected to a Wi-Fi network and identified all potential target users and devices, it ‘sleeps’ for 14 seconds to avoid raising any suspicion before attacking, leaving the system administrator until last to avoid raising the alarm too early. It collects all successful username and password combinations as it goes and adds them to its ever-growing database for future deployment in subsequent brute force attacks. 

    Emotet was first submitted to the VirusTotal database on 05/04/2018, which suggests it may have been sneaking around Wi-Fi networks undetected for two years. However, the first officially recorded case of the Trojan infecting a device was on 01/23/2020. 

    What’s the fix?

    As always, analysts recommend using stronger passwords to secure wireless networks while also improving monitoring of any and all new services installed on network-connected devices.

    In addition, they recommend a thorough investigation of any suspicious or inexplicable services or processes running from temporary or user profile application data folders and a purge of any and all extraneous programs or scripts which may, in fact, be malware such as Emotet. 
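As an added example that is not part of the article, the following PowerShell script performs the check the analysts recommend above: it lists running processes and installed services whose executable lives under a temp or user-profile AppData folder. The folder patterns are assumptions chosen to match the article's wording, not indicators taken from it.

```powershell
# Added example (not from the article): flag running processes and installed
# services launched from temp or user-profile AppData folders, the locations
# the article's analysts recommend investigating. Run in an elevated session
# on Windows 10 / Server 2016 or later.

# Folder patterns treated as suspicious launch locations (assumption: these
# approximate the "temporary or user profile application data folders").
$suspiciousPatterns = @(
    '\\Users\\[^\\]+\\AppData\\(Local|Roaming|LocalLow)\\',
    '\\Windows\\Temp\\',
    '\\Temp\\'
)
$regex = ($suspiciousPatterns -join '|')

function Test-SuspiciousPath {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    return ($Path -imatch $regex)
}

# Running processes: Win32_Process exposes the full executable path.
$processes = Get-CimInstance -ClassName Win32_Process |
    Where-Object { Test-SuspiciousPath $_.ExecutablePath } |
    ForEach-Object {
        [pscustomobject]@{ Type='Process'; Name=$_.Name; Id=$_.ProcessId
                           Path=$_.ExecutablePath; Detail="Parent PID $($_.ParentProcessId)" }
    }

# Installed services: PathName may carry quotes and arguments, so reduce it
# to the bare executable before matching.
$services = Get-CimInstance -ClassName Win32_Service |
    ForEach-Object {
        $exe = ($_.PathName -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
        if (Test-SuspiciousPath $exe) {
            [pscustomobject]@{ Type='Service'; Name=$_.Name; Id=$_.ProcessId
                               Path=$exe; Detail="StartMode $($_.StartMode)" }
        }
    }

$findings = @($processes) + @($services)
if ($findings.Count -eq 0) {
    Write-Host 'No processes or services launched from temp/AppData folders.'
} else {
    # Legitimate per-user software (updaters, chat clients) also lives in
    # AppData, so compare hits against a known-good baseline before purging.
    $findings | Format-Table -AutoSize
}
```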

    Furthermore, the messaging Emotet uses once a network has been infected is unencrypted and follows an easily recognizable pattern, so close, well-informed monitoring by network administrators should catch the malware with relative ease before it can spread any further.