Samples of the malicious downloader Emotet have begun to surface with the ability to internally propagate, using credential brute-force techniques.
The latest evolution of the trojan, which typically drops credential stealers and banking trojans, was reported today in a Fidelis Cybersecurity blog post that suggests the actors behind the campaign may have been inspired by the Wannacry and NotPetya malware attacks that leveraged worm capabilities in order to spread rapidly across networks.
“It stands to reason that crimeware authors have taken note of the broad impact observed in these particular events and are looking to incorporate spreader components in their toolkits,” the post reads. “The Wannacry and Petya campaigns have clearly demonstrated how inclusion of other techniques like credential dumpers (Mimikatz) and exploits (EternalBlue) can greatly accelerate propagation across enterprises.”
Fidelis researchers started to suspect that some versions of Emotet became wormable over a month ago. Further research yielded the discovery of a self-extracting RAR file containing two files, including a “spreader bypass” component. This component, Fidelis explains, is “responsible for enumerating network resources to find shares that it can write to or trying to brute credentials so it can write. After finding available systems it then writes the service component and creates a service on the remote system.”
Because the spreader package in the newer, wormable Emotet variant is not wrapped in the manner that traditional versions are, Fidelis researchers theorize that this package may not actually be a direct component of Emotet, but rather something that is delivered by one specific threat actor using the malware.