New Emotet Malware Variant Steals Credit Card Information From Chrome Browser
A new Emotet module that steals credit card information from has been discovered on Chrome. The notorious botnet, Emotet, is now infecting its victims with a credit card stealer module that harvests credit card information from Google Chrome Browser.
How it Works on Google Chrome.
On June 6th, Proofpoint first observed the new Emotet module being deployed by the E4 Botnet. They discovered it was a credit card stealer that was solely targeting the Google Chrome Browser. After collecting the card details, they were exfiltrated to different command and control (C&C) servers than the module loader.
ESET, an internet security company, revealed on Tuesday that Emotet has had a massive increase in activity since the beginning of the year. The estimated growth of detections increased to about 11,000% in the first four months of this year when compared to last year from September to December 2021.
The security research group Cryptolaemus also spotted an increase in activity during April, detecting a switch to 64-bit modules. According to reports from BleepingComputer, In April Emotet started using Windows shortcut files (.LNK) to execute powershell commands to infect victim devices moving away from Microsoft Office macros.
Emotet is a malware that was first detected in 2014 in Ukraine. After being responsible for one of the most prevalent threats today, its servers were disrupted in January 2021 through global police action in Germany and Ukraine and brought under the control of law enforcement. The disruption also led to the arrest of two individuals for illegal actions.
Emotet’s infrastructure was installed from being infected by German law enforcement by using the worm’s own infrastructure to work against the botnet.
The malware evolved into a botnet, the TA542 threat group also known as Mummy Spider that it used to deliver second-stage payloads. Threat actors are able to breach data and perform reconnaissance attacks on networks and vulnerable devices.
Advanced self propagating and modular trojan that is delivered via email campaigns. Cybersecurity Firms later detected the botnet in November 2021 after the threat actors used TrickBot malware to push an Emotet loader.
Another security company, CyberArk, demonstrated a technique to extract plaintext credentials directly from Chromium-based web browsers. After some findings, Zeen Ben Porat from CyberArk said “Credential data is stored in Chrome’s memory in a clear text format. In addition to data that is dynamically entered when signing into specific web applications, an attacker can cause the browser to load into memory all the passwords that are stored in the password manager.”
It also includes cookie information such as session cookies, potentially allowing an attacker to extract information and use it to hijack user accounts even when they are protected by multi-factor authentication. As of April, Emotet remains the most popular malware with a global impact of 6% on organizations worldwide.
