The U.S. Department of Homeland Security defined Emotet (https://www.us-cert.gov/ncas/alerts/TA18-201A) as follows: "Emotet is an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. Emotet continues to be among the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors."
However, Emotet is an old Trojan, introduced six years ago, and we always thought that it propagated via spam and social engineering.
On February 7, 2020, James Quinn, a Threat Researcher and Malware Analyst at Binary Defense, published a report on a new Emotet spreading technique: "Emotet evolves with new WiFi spreader".
For the first time, we learned that Emotet spreads to nearby WiFi networks and compromises the computers on them. This new behavior upgrades one of the most versatile malware threats into one of the most infectious.
How "new" is it?
According to Binary Defense, the new WiFi infection code has been running unnoticed for close to two years. Binary Defense first observed the code on January 23, 2020.
What happened in early 2018 that led Emotet's operators to exploit WiFi?
In November 2017, two researchers published a fast way to crack WPA2 encryption, the best WiFi encryption to that date. The KRACK attack was improved dramatically during the first quarter of 2018. This news attracted a lot of attention from everyone, including attackers.
That may have encouraged attackers to use WiFi as a mass spreading vehicle, knowing that organizations and cybersecurity products had left WiFi security behind, with no monitoring capabilities.
There are no dedicated WiFi cybersecurity products, apart from the basic monitoring functionality that access points provide. Vendors such as Cisco, Aruba, and Fortinet allow an access point to be switched into a monitoring mode to watch the network; however, these security functions are more than ten years old, and enabling them shuts down the access point's networking function.
WiFi network owners cannot take their access points out of service, as that would cut off the network.
The KRACK attack was also what triggered me to start WifiWall.
The Emotet malware is like a missile carrying different payloads. The Emotet developers keep improving and updating the payload, and have now dramatically improved the missile itself.
The question yet to be answered is how many WiFi attacks are out there that cannot be discovered, due to the lack of cyber defenders in this domain.
Is Emotet related to the Wuhan coronavirus?
In a recent targeted phishing campaign, Emotet operators sent spoofed CDC emails containing links and infected attached documents that then infected the victims. Not related, but related.