The infamous Emotnet malware has been deploying a new module to steal credit card information stored in the Chrome web browser.
The credit card stealer, which only targets Chrome, can exfiltrate the collected information to different remote command-and-control (C2) servers, according to enterprise security company Proofprint.
The shift in the Emotnet method came when a surge in Emotnet activity had been observed after it was revived late last year following a 10 month pause. The pause came in the background of a law enforcement operation taking down its attack infrastructure in January 2021.
Emotet, ascribed to a threat actor known as TA54 (aka Mummy Spider or Gold Crestwood), is a sophisticated, self-propagating and modular trojan that’s planted via email campaign. The trojan is used for spreading other payloads such as ransomware.
Emotnet, as of April 2022, remains the most used malware and has affected 6% of organizations globally. Next comes Formbook and Agent Tesla, per Check Point, with the malware testing out new delivery methods using OneDrive URLs and PowerShell in .LNK attachments to get around Microsoft’s macro restrictions.
The rise in Emotnet attacks can be corroborated by the growth of phishing emails and hijacking of existing correspondence, from 3,000 in February 2022 to approximately 30,000 in March, targeting organizations in various countries.
Emotnet cases have “shifted to a higher gear” in March and April 2022; ESET stated that detections jumped a 100-fold, showing a growth of more than 11,000% during the first four months of the year when compared with the previous three months.
Some of the common targets since the botnet’s resurrection have been Japan, Italy, and Mexico, the Slovak cybersecurity company noted, adding the biggest wave was recorded on March 16, 2022.
“The size of Emotet’s latest LNK and XLL campaigns was significantly smaller than those distributed via compromised DOC files seen in March,” Dušan Lacika, senior detection engineer at Dušan Lacika, said.
“This suggests that the operators are only using a fraction of the botnet’s potential while testing new distribution vectors that could replace the now disabled-by-default VBA macros.”
“Credential data is stored in Chrome’s memory in cleartext format,” CyberArk’s Zeev Ben Porat said. “In addition to data that is dynamically entered when signing into specific web applications, an attacker can cause the browser to load into memory all the passwords that are stored in the password manager.”