Emotet malware has deployed a new module that is designed to steal credit card information stored in the Chrome web browser.
Exclusively targeting Chrome, the module can exfiltrate the collected information to different remote command-and-control (C2) servers, according to Proofpoint. The enterprise security company discovered the component on 6 June.
Emotet activity has seen a spike following a 10-month-long absence after its infrastructure was attacked by law enforcement in January 2021.
Emotet is an advanced, self-propagating and modular trojan delivered via email campaigns. It is linked to a threat actor known as TA542 (also tracked as Mummy Spider or Gold Crestwood). Earlier this year, it was found to be the most prevalent malware. The growth is attributed to phishing emails and large-scale spam campaigns.
ESET said that detections jumped 100-fold, a growth of 11,000%, during the first four months of the year when compared to September to December 2021. The biggest wave was recorded on 16 March 2022.
Dušan Lacika, senior detection engineer at ESET, said, "the size of Emotet's latest LNK and XLL campaigns was significantly smaller than those distributed via compromised DOC files seen in March."
“This suggests that the operators are only using a fraction of the botnet’s potential while testing new distribution vectors that could replace the now disabled-by-default VBA macros.”
Researchers from CyberArk also showed a new technique to extract plaintext credentials from memory in Chromium-based web browsers.
Zeev Ben Porat from CyberArk said, “credential data is stored in Chrome’s memory in cleartext format… In addition to data that is dynamically entered when signing into specific web applications, an attacker can cause the browser to load into memory all the passwords that are stored in the password manager.”