On the one hand, it is convenient when the web browser automatically fills in payment card details during a purchase in an online shop. On the other hand, storing such data in the browser is in itself a risky decision. This is confirmed by a new Emotet malware module designed to collect credit card information stored in Google Chrome user profiles.
The Bleeping Computer website states that “After the theft of credit card information (i.e. name, month and year of validity, number and verification code), the malware sends it to servers other than those used by the Emotet card stealer.” The new module was reported on Monday, June 6, by the security researchers of Proofpoint Threat Insights.
Theft in broad daylight
“On June 6, Proofpoint recorded the new #Emotet module, which was launched by the E4 botnet. To our surprise, it was a payment card theft tool that focused exclusively on Chrome. Once the card data was collected, it was transferred to C2 servers other than those with which the module loader communicates.”
As the cyber security group Cryptolaemus noted, this change in behaviour follows increased activity in April and the switch to 64-bit modules. Emotet is an advanced, self-spreading and modular Trojan horse, which is distributed through e-mail campaigns and is used to deliver other malicious applications, such as ransomware.
Recently, Emotet has begun using Windows shortcut files (.LNK) that run PowerShell commands to infect victims’ devices. This is a departure from Microsoft Office macros, which have been disabled by default in the office suite since early April 2022.
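The shortcut-to-PowerShell delivery described above leaves an artifact on disk that a defender can triage before anyone double-clicks it. What follows is an added example, written for this article and not taken from it or from any of the vendors it cites: a minimal Python parser for the Windows Shell Link (.LNK) format that reads the StringData fields (the layout follows the public MS-SHLLINK specification) and flags shortcuts that launch PowerShell, use encoded-command, no-profile, execution-policy or window-hiding switches, or carry an argument string padded with whitespace so that the real command sits beyond what the file's Properties dialog shows. It inspects only RELATIVE_PATH and COMMAND_LINE_ARGUMENTS; the target stored in the LinkTargetIDList or LinkInfo structures is skipped by size and not decoded, so a shortcut that references powershell.exe only there would be missed. The build_lnk helper, the file names and the encoded-command value are constructed test fixtures, not real samples.

```python
import re
import struct

# LinkFlags bits (MS-SHLLINK section 2.1.1); only those needed for StringData
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

HEADER_SIZE = 0x4C  # ShellLinkHeader is always 76 bytes
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# StringData sections, in the order the format stores them
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a Shell Link blob.

    LinkTargetIDList and LinkInfo are skipped via their size fields, so the
    target they may contain is not decoded here.
    """
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a Shell Link header")
    if data[4:20] != LINK_CLSID:
        raise ValueError("wrong Shell Link CLSID")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        (id_list_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size  # IDListSize excludes its own 2 bytes
    if flags & HAS_LINK_INFO:
        (link_info_size,) = struct.unpack_from("<I", data, pos)
        pos += link_info_size  # LinkInfoSize includes its own 4 bytes
    fields = {}
    for flag, key in STRING_FIELDS:
        if not (flags & flag):
            continue
        (count,) = struct.unpack_from("<H", data, pos)  # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            fields[key] = data[pos:pos + 2 * count].decode("utf-16-le", errors="replace")
            pos += 2 * count
        else:
            fields[key] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return fields


PS_TARGET = re.compile(r"(?:^|[\\/\s\"'])(?:powershell|pwsh)(?:\.exe)?\b", re.IGNORECASE)
EVASION_SWITCHES = re.compile(
    r"-(?:e|enc|encodedcommand|nop|noprofile|ep\s+bypass|executionpolicy\s+bypass"
    r"|w\s+hidden|windowstyle\s+hidden)\b",
    re.IGNORECASE,
)


def assess_lnk(data: bytes) -> dict:
    """Triage one .LNK blob: its string fields, the findings, and a verdict."""
    fields = parse_lnk(data)
    args = fields.get("arguments", "")
    command_line = " ".join(fields.get(k, "") for k in ("relative_path", "arguments"))
    findings = []
    if PS_TARGET.search(command_line):
        findings.append("launches PowerShell")
    if EVASION_SWITCHES.search(args):
        findings.append("uses no-profile, policy-bypass, window-hiding or encoded-command switches")
    # Long whitespace runs push the real command past what the Properties
    # dialog displays; very long arguments are unusual for ordinary shortcuts.
    if len(args) > 1024 or re.search(r"\s{40,}", args):
        findings.append("argument string padded or oversized")
    return {"fields": fields, "findings": findings, "suspicious": bool(findings)}


def scan_path(path: str) -> dict:
    """Assess a .LNK file on disk."""
    with open(path, "rb") as fh:
        return assess_lnk(fh.read())


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed test fixture (not a real sample): a minimal Unicode Shell Link
    carrying only RELATIVE_PATH and COMMAND_LINE_ARGUMENTS, no IDList or LinkInfo."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (HEADER_SIZE - len(header))  # attributes, timestamps etc. left zero
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (relative_path, arguments))
    return header + body


if __name__ == "__main__":
    # Constructed fixtures; the base64 value is placeholder bytes, not a command.
    samples = {
        "invoice.pdf.lnk": build_lnk(r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                                     "-NoProfile -WindowStyle Hidden -EncodedCommand QQBBAA=="),
        "notepad++.lnk": build_lnk(r"..\Program Files\Notepad++\notepad++.exe", ""),
    }
    for name, blob in samples.items():
        verdict = assess_lnk(blob)
        print(name, "SUSPICIOUS" if verdict["suspicious"] else "clean", verdict["findings"])
```

Run as a script it assesses the two constructed fixtures; scan_path does the same for a file taken from a mail attachment or a user's Downloads folder. The verdict is only a triage signal: a benign administrative shortcut can legitimately call PowerShell, and a malicious one can hide its target in the IDList that this parser skips, so a positive hit is a reason to look at the full structure and the process that created the file, not a verdict on its own.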
Emotet rose from the dead
The Emotet malware was first developed and deployed in attacks as a banking Trojan in 2014. It evolved into a botnet that the hacker group TA542 (also known as Mummy Spider) uses to deliver malicious applications. It allows its operators to steal user data, perform reconnaissance on compromised networks and attack vulnerable devices.
Emotet is known for dropping the Qbot and TrickBot Trojans on victims’ infected computers, which are in turn used to deploy other malware, such as the Ryuk and Conti ransomware. At the beginning of 2021, Emotet’s infrastructure was taken down as part of an international law enforcement operation, which also led to the arrest of two people. The German authorities turned the botnet’s own infrastructure against it and on April 25, 2021 pushed a module that uninstalled the malware from infected devices.
However, the botnet returned in November 2021, using the existing TrickBot infrastructure. The security companies GData and Advanced Intel subsequently found that TrickBot was being used to spread the Emotet loader. ESET announced on Tuesday that Emotet had seen a massive increase in activity since the beginning of the year: “its activity has increased more than a hundredfold compared to the third quarter of 2021”.