The Emotet botnet now has a new module that steals credit card information stored in Google Chrome user profiles.
Emotet was first discovered by cybersecurity researchers at Proofpoint, releasing the new module on June 6. It tries to steal names, expiration dates and card numbers stored in Chrome user profiles. An interesting detail is that the thief exfiltrates the data to a command and control server (C2) other than the module loader.
Emotet had a good ride. It was almost entirely erased from the network a year ago when German police used their own infrastructure to deliver a module that uninstalled the malware. (opens in new tab)of all infected devices.
Emote is back
It returned half a year later, in November 2021, when several cybersecurity researchers spotted Trickbot trying to download a DLL, identified as Emotet, onto the system.
A little over a month ago, Emotet operators were seen moving away from Microsoft Office macros for distribution and towards Windows shortcut files (.lnk).
The malware was first seen in 2014. At the time it was used as a banking trojan but has since evolved into a botnet. Some researchers believe it was developed by a threat actor known as the Mummy Spider (AKA TA542) to serve as a dropper for second-stage viruses. Among others, Emotet has been seen dropping Qbot and Trickbot which in turn have been seen delivering Cobalt Strike beacons and various ransomware. (opens in new tab) strains, including Ryuk or Conti.
Today, it is capable of stealing sensitive and personally identifiable data, spying on traffic moving through compromised networks, and moving laterally.
ESET cybersecurity researchers recently said that Emotet has seen a significant increase in activity this year, “with its activity growing more than 100 times compared to Q3 2021”.
Through: BleepingComputer (opens in new tab)