The infamous Emotet malware has implemented a new module designed to transfer credit card information stored in the Chrome web browser.
The credit card stealer, which singles out Chrome exclusively, has the ability to exfiltrate the collected information to various remote command-and-control (C2) servers, according to enterprise security firm Proofpoint, which observed the component on June 6.
The development comes amid a spike in Emotet activity since it was resurrected late last year after a 10-month hiatus in the wake of a law enforcement operation that brought down attack infrastructure in January 2021.
Emotet, attributed to a threat actor known as TA542 (aka Mummy Spider or Gold Crestwood), is a sophisticated, self-propagating and modular trojan delivered via email campaigns and used as a distributor for other payloads such as ransomware.
As of April 2022, Emotet is still the most popular malware with a global impact of 6% of organizations worldwide, followed by Formbook and Agent Tesla, per Check Point, with the malware testing new delivery methods that use OneDrive URLs and PowerShell in .LNK attachments to bypass Microsoft’s macro limitations.
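A defender receiving these .LNK attachments wants a quick way to see what a shortcut actually launches before anyone double-clicks it. The following Python is an added example, not code from Proofpoint, Check Point, ESET or the Emotet operators: it parses the Windows Shell Link header and StringData sections (field layout per Microsoft's MS-SHLLINK specification), then flags shortcuts whose target or arguments reference PowerShell and common hidden-window or encoded-command switches. The sample shortcuts are constructed in the script itself; the `build_lnk` helper and the indicator lists are assumptions for this example. The parser reads only the StringData strings, so a shortcut that hides its command elsewhere (for example in an ExtraData block) would need a fuller parser.

```python
"""Triage helper: parse a Windows .LNK file and flag ones that launch PowerShell.

Added example (not Proofpoint's, Check Point's, ESET's or Emotet's code).
Field layout follows MS-SHLLINK: a 76-byte ShellLinkHeader, an optional
LinkTargetIDList, an optional LinkInfo, then up to five StringData strings.
"""
import struct

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits that decide which optional structures follow the header.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

# Assumed indicator lists for this example: interpreters worth a second look,
# and PowerShell switches that hide the window or obscure the command.
SUSPICIOUS_BINARIES = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript")
SUSPICIOUS_ARGS = ("-encodedcommand", "-enc", "-windowstyle hidden", "-w hidden",
                   "-nop", "iex", "invoke-expression", "downloadstring")


def _read_string(data, off, unicode):
    """StringData entry: CountCharacters (uint16) followed by the characters."""
    count = struct.unpack_from("<H", data, off)[0]
    off += 2
    if unicode:
        raw = data[off:off + 2 * count]
        return raw.decode("utf-16-le"), off + 2 * count
    raw = data[off:off + count]
    return raw.decode("latin-1"), off + count


def parse_lnk(data):
    """Return the StringData fields of a shell link as a dict."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    if data[4:20] != LINK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (uint16) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize (uint32) includes itself
        off += struct.unpack_from("<I", data, off)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for bit, name in STRING_FIELDS:
        if flags & bit:
            fields[name], off = _read_string(data, off, unicode)
    return fields


def lnk_findings(fields):
    """List the indicators found in the parsed strings (empty list = nothing flagged)."""
    text = " ".join(v.lower() for v in fields.values())
    hits = [b for b in SUSPICIOUS_BINARIES if b in text]
    args = fields.get("arguments", "").lower()
    hits += [f"argument {a}" for a in SUSPICIOUS_ARGS if a in args]
    return hits


def build_lnk(relative_path, arguments):
    """Constructed test sample: a minimal Unicode shell link with no ID list or LinkInfo."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)   # ShowCommand = SW_SHOWNORMAL

    def s(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + s(relative_path) + s(arguments)


# Constructed samples: a harmless document shortcut and one that starts a hidden PowerShell.
BENIGN = build_lnk("..\\Documents\\report.docx", "")
SUSPECT = build_lnk("..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                    '-NoProfile -WindowStyle Hidden -Command "Write-Host constructed-sample"')

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, parse_lnk(blob), lnk_findings(parse_lnk(blob)))
```

Run against a real attachment with `parse_lnk(open(path, "rb").read())`; an empty findings list is not a clean bill of health, only a sign that the visible target and arguments contain none of the listed indicators.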
The steady growth in Emotet-related threats is further substantiated by the fact that the number of phishing emails, often hijacking pre-existing correspondence, grew from 3,000 in February 2022 to about 30,000 in March, targeting organizations in different countries as part of a large-scale spam campaign.
ESET states that Emotet’s activity “shifted into high gear” in March and April 2022, with detections increasing 100-fold, growing more than 11,000% during the first four months of the year compared with the previous three-month period from September to December 2021.
Some of the common targets since the botnet’s resurrection have been Japan, Italy and Mexico, the Slovakian cybersecurity firm noted, adding that the largest wave was recorded on March 16, 2022.
“The size of Emotet’s latest LNK and XLL campaigns was significantly smaller than the campaigns distributed in March via compromised DOC files,” said Dušan Lacika, senior detection engineer at ESET.
“This suggests that the operators are only using a fraction of the botnet’s potential while testing new distribution vectors that could replace the now disabled VBA macros.”
The findings also come as CyberArk researchers discovered a new technique to extract plaintext credentials directly from memory in Chromium-based web browsers.
“Login credentials are stored in Chrome’s memory in plaintext,” said CyberArk’s Zeev Ben Porat. “In addition to data that is dynamically entered when logging into specific web applications, an attacker could cause the browser to load into memory all passwords stored in the password manager.”
This also includes cookie-related information such as session cookies, which could potentially allow an attacker to extract the information and use it to hijack user accounts, even if they are protected by multi-factor authentication.