After successfully gaining access to a new Wi-Fi network, the infected device enumerates all non-hidden devices that are connected to it. Using a second password list, the malware then tries to guess credentials for each user connected to the drive. In the event that no connected users are infected, the malware tries to guess the password for the administrator of the shared resource.
One aspect of the new Wi-Fi spreader is out of keeping with Emotet’s usual penchant for stealth and sophistication. The module uses unencrypted connections to communicate with attacker-controlled servers. That makes it easy to detect patterns in traffic that people can use to detect infections. The malware can also be detected through active monitoring of connected devices for new services being installed and watching for any processes or services running from temporary files and user profile application data folders. The Binary Defense post provides other indicators of compromise.
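As an added example (not code from the article, Binary Defense, or anyone in this thread), here is a small Python triage routine that applies the host-side checks the quoted text lists: flag every new service install, and escalate any service or process whose image lives in a temp folder or a user-profile AppData folder. The event records are constructed samples in a simplified dict form; the Windows event IDs used (7045 for a new service, 4688 for process creation) are real, but the field names are an assumption.

```python
# Folders the article singles out: temporary files and user-profile
# application-data folders. Paths are normalised to forward slashes and
# lower case before matching, so both "C:\Temp\x.exe" and "c:/temp/x.exe" hit.
USER_WRITABLE_MARKERS = (
    "/temp/", "/tmp/",
    "/appdata/local/", "/appdata/locallow/", "/appdata/roaming/",
)

# Constructed sample events (not real Emotet telemetry). event_id 7045 is a
# new service being installed; 4688 is a new process being created.
SAMPLE_EVENTS = [
    {"event_id": 7045, "host": "ws01", "service": "WinUpdateSvc",
     "image_path": r"C:\Users\alice\AppData\Local\Temp\svc.exe"},
    {"event_id": 7045, "host": "ws01", "service": "Spooler",
     "image_path": r"C:\Windows\System32\spoolsv.exe"},
    {"event_id": 4688, "host": "ws02",
     "image_path": r"C:\Users\bob\AppData\Roaming\update.exe"},
    {"event_id": 4688, "host": "ws02",
     "image_path": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
]


def runs_from_user_writable_location(image_path: str) -> bool:
    """True if the image sits in a temp or AppData folder."""
    normalised = image_path.replace("\\", "/").lower()
    return any(marker in normalised for marker in USER_WRITABLE_MARKERS)


def triage(events):
    """Return one finding per event that matches the article's heuristics."""
    findings = []
    for ev in events:
        path = ev.get("image_path", "")
        suspicious_path = runs_from_user_writable_location(path)
        if ev["event_id"] == 7045:
            # Any new service is worth a look; one started from a user-writable
            # folder is a strong signal and gets escalated.
            findings.append({
                "host": ev["host"], "image_path": path,
                "severity": "high" if suspicious_path else "info",
                "reason": f"new service installed: {ev.get('service', '?')}",
            })
        elif ev["event_id"] == 4688 and suspicious_path:
            findings.append({
                "host": ev["host"], "image_path": path, "severity": "high",
                "reason": "process started from temp/AppData folder",
            })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding["severity"].upper(), finding["host"], finding["reason"], finding["image_path"])
```

In a real deployment the events would be read from the System and Security logs (or an EDR feed) rather than from an inline list; the matching logic is unchanged.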
I believe the wlanAPI is a Windows thing. Likewise the attempt to spread via the administrator password suggests Windows. So my guess would be “Windows”.
However, the concept of the spreading works just as well on Linux as on Windows, and if you use default or weak passwords, it will work just as well.
The only minor benefit on Linux might be that a normal (no root access) user may not be able to scan for other networks. For single user Linux computers the user almost certainly does have root access i.e. you administer the computer yourself. On my computer the scan at least worked anyway.
So never ever use default passwords, and don’t use weak passwords (for example, it can be good to download a list of weak passwords that intruders will automatically try and check your own passwords against the list, if you don’t just use a long random password generator).
It’s called cracklib and is part of standard PAM (password policy enforcement) in addition to the library API. Of course, if an app does not rely on PAM it needs to use cracklib explicitly to check for weak passwords.
Whether that’s open hardware depends on your hardware configuration / which computer you execute it on. I believe that the Librem Key has a built-in low bandwidth hardware source of true randomness. For most people, the hardware source will come with a requirement for an element of trust - whether that’s an ARM CPU, an Intel CPU or an external device.
I only use Wi-Fi on my home LAN, games, TV streams; hackers can at worst use my Netflix/HBO or Hulu or play a game on my Steam.
For my work phone I use Work LAN over point-to-point line-of-sight data transfer.
More complicated to use, but LAN is always safer than wireless, based on my experience.